Detecting p2p traffic

Linux Advanced Routing and Traffic Control

After varying degrees of success with p2p detection modules, I would like to
write the following rules using iptables to reliably identify p2p traffic:

1. If a host on the network has 5 or more simultaneous tcp connections to ports
above 1024, mark all connections to ports 1024 and above as 60.

2. If a host has received (or sent) UDP packets from 5 different hosts' ports
above 1024 in a minute then classify all UDP traffic to and from that host
above port 1024 as 60.

Number 1 can almost be achieved using something similar to:
iptables .. --dport 1024: -m connlimit --connlimit-above 5 -j MARK --set-mark 60

Unfortunately though it still leaves 5 connections slurping up plenty of
bandwidth.

I have no ideas for number 2.

Anybody any ideas?

On my network all p2p traffic falls into these categories, and I don't mind
overmatching with other traffic.

Thanks,

Andy
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
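The two heuristics described in the post, worked through as an added example over a constructed flow log (this is not code from the post or from the LARTC list). It assumes a LAN prefix of 192.168.1., a log line format of "timestamp proto src:port -> dst:port" (constructed here), and, to match the author's `--dport 1024:` rule, treats "above 1024" as 1024 and above. The TCP lines are treated as a snapshot of currently open connections, the way connlimit or a conntrack listing would see them; the UDP lines carry timestamps so the one-minute distinct-peer count can be evaluated over a sliding window. Unlike connlimit, which only marks connections beyond the limit and leaves the first five unmarked, the classifier marks every high-port flow of a host once it trips either rule, which is what the post asks for.

```python
"""Classify a host's high-port traffic as p2p-like using the two heuristics
from the post: many simultaneous high-port TCP connections, or UDP exchanges
with many distinct high-port peers inside one minute. Added example; the
flow log below is constructed, not captured."""
import re
from collections import defaultdict

LOCAL_PREFIX = "192.168.1."   # assumption: the LAN whose hosts are being policed
HIGH_PORT = 1024              # "1024 and above", matching the post's --dport 1024:
MARK = 60                     # fwmark the post assigns to p2p-like traffic
TCP_CONN_LIMIT = 5            # rule 1: 5 or more simultaneous high-port TCP connections
UDP_PEER_LIMIT = 5            # rule 2: 5 distinct high-port UDP peers ...
UDP_WINDOW = 60.0             # ... within one minute

# Constructed format: "<ts> <tcp|udp> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed sample: .10 has 5 high-port TCP connections (the 443 one does not
# count), .20 is a normal web client, .30 hears from 5 distinct high-port UDP
# peers in 55 s, .40 talks to 3 peers and then 2 more, but never 5 in a minute.
SAMPLE_LOG = """
1000 tcp 192.168.1.10:50001 -> 203.0.113.5:6881
1000 tcp 192.168.1.10:50002 -> 203.0.113.6:6881
1000 tcp 192.168.1.10:50003 -> 198.51.100.7:51413
1000 tcp 192.168.1.10:50004 -> 198.51.100.8:44444
1000 tcp 192.168.1.10:50005 -> 203.0.113.9:1024
1000 tcp 192.168.1.10:50006 -> 203.0.113.10:443
1000 tcp 192.168.1.20:50010 -> 203.0.113.50:443
1000 tcp 192.168.1.20:50011 -> 203.0.113.51:8080
1000 udp 203.0.113.21:40001 -> 192.168.1.30:41000
1010 udp 203.0.113.22:40002 -> 192.168.1.30:41000
1020 udp 192.168.1.30:41000 -> 203.0.113.23:40003
1030 udp 203.0.113.24:40004 -> 192.168.1.30:41000
1055 udp 203.0.113.25:40005 -> 192.168.1.30:41000
1000 udp 192.168.1.40:35000 -> 198.51.100.53:53
1000 udp 192.168.1.40:42000 -> 203.0.113.31:40001
1020 udp 192.168.1.40:42000 -> 203.0.113.32:40002
1040 udp 192.168.1.40:42000 -> 203.0.113.33:40003
1200 udp 192.168.1.40:42000 -> 203.0.113.34:40004
1210 udp 192.168.1.40:42000 -> 203.0.113.35:40005
"""


def parse_flows(text):
    """Parse the constructed log into (ts, proto, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        ts, proto, src, sport, dst, dport = m.groups()
        flows.append((float(ts), proto, src, int(sport), dst, int(dport)))
    return flows


def local_side(flow):
    """Return (local_host, peer_host, peer_port), or None if neither end is on the LAN."""
    _ts, _proto, src, sport, dst, dport = flow
    if src.startswith(LOCAL_PREFIX):
        return src, dst, dport
    if dst.startswith(LOCAL_PREFIX):
        return dst, src, sport
    return None


def tcp_suspects(flows):
    """Rule 1: hosts with TCP_CONN_LIMIT or more open TCP connections to high ports."""
    counts = defaultdict(int)
    for f in flows:
        side = local_side(f)
        if f[1] == "tcp" and side is not None and side[2] >= HIGH_PORT:
            counts[side[0]] += 1
    return {host for host, n in counts.items() if n >= TCP_CONN_LIMIT}


def udp_suspects(flows):
    """Rule 2: hosts exchanging UDP with UDP_PEER_LIMIT distinct high-port peers
    inside any UDP_WINDOW-second window (sliding window over sorted events)."""
    per_host = defaultdict(list)  # local host -> [(ts, peer_host)]
    for f in flows:
        side = local_side(f)
        if f[1] == "udp" and side is not None and side[2] >= HIGH_PORT:
            per_host[side[0]].append((f[0], side[1]))
    suspects = set()
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {peer for ts, peer in events[i:] if ts - t0 < UDP_WINDOW}
            if len(peers) >= UDP_PEER_LIMIT:
                suspects.add(host)
                break
    return suspects


def mark_flows(flows):
    """Assign MARK to every high-port flow of a host that tripped either rule."""
    tcp_bad, udp_bad = tcp_suspects(flows), udp_suspects(flows)
    marked = []
    for f in flows:
        mark = 0
        side = local_side(f)
        if side is not None and side[2] >= HIGH_PORT:
            if (f[1] == "tcp" and side[0] in tcp_bad) or (f[1] == "udp" and side[0] in udp_bad):
                mark = MARK
        marked.append((f, mark))
    return marked


if __name__ == "__main__":
    for flow, mark in mark_flows(parse_flows(SAMPLE_LOG)):
        print(mark, flow)
```

The host sets returned by `tcp_suspects` and `udp_suspects` are the useful output: a script that periodically recomputes them from conntrack data could maintain an address set that a single MARK rule matches, which removes the need to express the distinct-peer count inside iptables itself.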
