
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3234

Bittorrent is getting around Cisco Nbar

Half of my DS3 bit rate shows up as unknown with NBAR protocol-discovery. I know this traffic is BitTorrent; is there anything else I can do to rate limit it with Cisco? Or do I need to look at a different product? The problem is that Cisco NBAR is not seeing the BitTorrent.

Cisco 3845 with Version 12.4(21a)

class-map match-any P2P
 match protocol bittorrent
 match protocol gnutella
 match protocol edonkey
 match protocol kazaa2
 match protocol fasttrack
 match protocol directconnect
 match protocol winmx
 match protocol custom-01
policy-map P2P
 class P2P
  police cir 40000
   conform-action transmit
   exceed-action drop
   violate-action drop

giga 0/0 is the network side
giga 0/1 is the internet side

The setup is all correct.

sh policy-map int giga 0/1

  Class-map: P2P (match-any)
    3094246 packets, 405621021 bytes
    5 minute offered rate 84000 bps, drop rate 44000 bps
    Match: protocol bittorrent
      2012067 packets, 323545868 bytes
      5 minute rate 59000 bps
    Match: protocol gnutella
      50716 packets, 10618062 bytes
      5 minute rate 4000 bps
    Match: protocol edonkey
      1016563 packets, 68773980 bytes
      5 minute rate 20000 bps
    Match: protocol kazaa2
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol fasttrack
      209 packets, 26453 bytes
      5 minute rate 0 bps
    Match: protocol directconnect
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol winmx
      0 packets, 0 bytes
      5 minute rate 0 bps
    Match: protocol custom-01
      14690 packets, 2656604 bytes
      5 minute rate 0 bps
    cir 40000 bps, bc 1500 bytes, be 1500 bytes
      conformed 2539939 packets, 198667831 bytes; actions:
      exceeded 17316 packets, 3979007 bytes; actions:
      violated 536991 packets, 202974183 bytes; actions:
      conformed 39000 bps, exceed 0 bps, violate 44000 bps

  Class-map: class-default (match-any)
    61657129 packets, 25490943500 bytes
    5 minute offered rate 4702000 bps, drop rate 0 bps
    Match: any

interface GigabitEthernet0/1
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 no ip mroute-cache
 duplex full
 speed 100
 media-type rj45
 no cdp enable
 no mop enabled
 service-policy output P2P

show ip nbar protocol-discovery stats bit-rate top-n 10

                          Input                    Output
                          -----                    ------
Protocol                  5min Bit Rate (bps)      5min Bit Rate (bps)
------------------------  ------------------------ ------------------------
http                      30624000                 923000
bittorrent                1185000                  69000
edonkey                   985000                   23000
secure-http               237000                   92000
rtsp                      239000                   4000
smtp                      41000                    127000
h323                      98000                    3000
dns                       36000                    11000
novadigm                  0                        31000
secure-pop3               21000                    3000
unknown                   5217000                  3592000
Total                     38725000                 4888000
1 Solution
It may be encrypted BitTorrent traffic which defeats NBAR.

There may be other products/methods like SCE / NetEnforcer / Sandvine
that can deal with encrypted BitTorrent traffic.

I would suggest using NBAR to rate-limit unencrypted BitTorrent traffic,
and take other measures to ban/penalize any hosts participating in encrypted BitTorrent traffic.

Drop all non-http traffic and you're set. :)
Until they start using port 80 for bittorrent traffic...

You need to actually analyze the port 80 traffic somehow to make sure it's actually HTTP and the 'CONNECT' method isn't being used.
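As an added illustration of why the protocol-discovery counters above land in "unknown" (this is not code from the thread, and NBAR's real signatures are assumed rather than reproduced): a toy signature classifier that recognizes the plaintext BitTorrent handshake the way a DPI engine does, and comes up empty on an obfuscated stream that carries no fixed marker, leaving only a byte-entropy heuristic of the kind the other products mentioned rely on. All payloads are constructed.

```python
import hashlib
import math
from collections import Counter

# Plaintext BitTorrent handshake layout:
# <pstrlen=19><"BitTorrent protocol"><8 reserved><20-byte info_hash><20-byte peer_id>
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"CONNECT")  # CONNECT is the tunnelling case from the thread


def classify(payload: bytes) -> str:
    """Signature match on the first bytes of a flow, as a stateless DPI engine would do."""
    if payload.startswith(BT_HANDSHAKE_PREFIX):
        return "bittorrent"
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in payload:
        return "http"
    return "unknown"  # no signature fired: this is the bucket the router reports


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed bytes, far lower for text protocols."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_obfuscated(payload: bytes, threshold: float = 7.0) -> bool:
    """Fallback heuristic when signatures fail: unknown flow whose leading bytes are near-random."""
    return classify(payload) == "unknown" and shannon_entropy(payload) >= threshold


def discover(flows) -> dict:
    """NBAR-style protocol-discovery tally: bytes per detected protocol over (payload, bytes) pairs."""
    totals: dict = {}
    for payload, nbytes in flows:
        name = classify(payload)
        totals[name] = totals.get(name, 0) + nbytes
    return totals


def constructed_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for a ciphertext stream (constructed test data, not a capture)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample payloads (not real captures)
PLAIN_BT = BT_HANDSHAKE_PREFIX + b"\x00" * 8 + b"A" * 20 + b"-XX0001-" + b"B" * 12
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OBFUSCATED = constructed_random_bytes(512)  # an encrypted handshake has no fixed marker to match
```

Running `discover([(PLAIN_BT, 1000), (PLAIN_HTTP, 500), (OBFUSCATED, 4000)])` puts most bytes under "unknown" even though the obfuscated flow is the same application, which is exactly the pattern in the counters posted above.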

bobertperry (Author) commented:
Sadness. I thought for some reason NBAR did analyze each packet. Do you guys know anything about http://www.lowth.com/rope/BlockingBittorrent ? Think I could use that, but not to block, just to rate limit? Preferably just the upload?
NBAR DOES analyze each packet...but if a packet is encrypted, NBAR can't tell what it is, so the analysis doesn't give you a useful result for encrypted packets.
With Linux and Rope you can change the rule from -j DROP to apply a custom chain.

But if the BitTorrent traffic isn't encrypted, Cisco NBAR should be perfectly capable of identifying it.

If the setup packet is encrypted, that Rope script isn't going to identify the communication as BitTorrent.
I have a similar problem and would like to get help for the same problem of encrypted BitTorrent.
