
Re: How can I stop kazaa, edonkey, emule, etc ??

Marina Brown wrote:

At the risk of wasting bandwidth, I too would like very much any solutions to block these "protocols".

Don't waste your time looking for a pf solution to this problem. Those days are gone, and you can thank the makers of kazaa v2 for creating software which deliberately evades policy rules (both outright blocks or rate-limiting by port). Their P2P network is more important than anything else on your network.

The remaining solutions I am aware of:

1) As mentioned by others, snort or other IDS.

2) man altq. Here is a very simple config to rate-limit a single abusive
user to 256K both in and out:

$ cat /etc/altq.conf
interface xl0
conditioner xl0 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
        filter xl0 af1x_cdnr 0 0 0 0
interface xl1
conditioner xl1 af1x_cdnr <trtcm 128K 32K 256K 64K <pass><pass><drop>>
        filter xl1 af1x_cdnr 0 0 0 0

Changing the 2nd 'pass' in the lines above will drop the user to 128K.

The situation is bad and will likely get worse. I know of universities
that are scraping their coffers to buy PacketShapers ($10K USD each AFAIK)
when they really don't have the money for it. I would not recommend going
this route, because it is obvious to me what will happen in the next
version of kazaa - they will encrypt traffic and use tcp/443 by default. If
this scenario comes to pass, the last remaining technical solutions to the
problem will be gone (aside from simple host-based rate-limiting as in
altq.conf above)
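
Added example (not part of the original message, and not ALTQ's own code): a Python simulation of the two-rate three-colour marker (RFC 2698, colour-blind mode) named by the trtcm conditioner above, showing why pass/pass/drop settles near 256K and pass/drop/drop near 128K. It assumes rates are bits per second, depths are bytes, K = 1000, and a constructed 1 Mbit/s sender; the class and function names are illustrative.

```python
# Added illustration. Assumptions: rates in bits/s, depths in bytes, K = 1000.
K = 1000


class TrTCM:
    """Colour-blind two-rate three-colour marker as described in RFC 2698."""

    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.pir = cir / 8.0, pir / 8.0    # token rates in bytes/s
        self.cbs, self.pbs = cbs, pbs                # bucket depths in bytes
        self.tc, self.tp = float(cbs), float(pbs)    # both buckets start full
        self.last = 0.0

    def colour(self, now, size):
        # Refill both buckets for the elapsed time, capped at their depth.
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)
        if self.tp < size:           # above the peak rate
            return "red"
        self.tp -= size
        if self.tc < size:           # between committed and peak rate
            return "yellow"
        self.tc -= size              # within the committed rate
        return "green"


def passed_kbps(actions, offered_bps=1000 * K, secs=120, pkt=1000):
    """Average rate (kbit/s) that gets through for a constant-rate sender.

    actions is the (green, yellow, red) triple from the conditioner line,
    e.g. ("pass", "pass", "drop"). The sender is constructed test traffic.
    """
    meter = TrTCM(128 * K, 32 * K, 256 * K, 64 * K)  # values from the config
    verdict = dict(zip(("green", "yellow", "red"), actions))
    gap = pkt * 8.0 / offered_bps                    # seconds between packets
    count = secs * offered_bps // (pkt * 8)
    passed = sum(pkt for i in range(count)
                 if verdict[meter.colour(i * gap, pkt)] == "pass")
    return passed * 8 / secs / K


if __name__ == "__main__":
    for acts in (("pass", "pass", "drop"), ("pass", "drop", "drop")):
        print(acts, round(passed_kbps(acts), 1), "kbit/s")
```

The averages sit slightly above 256 and 128 because both buckets start full, so the first burst (up to the 64K and 32K depths) passes before the limit takes hold.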
