  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 387

Who's downloading peer-to-peer movies

We have received three complaints so far forwarded to us through our ISP from Paramount Pictures claiming someone here is downloading movies illegally.  Each complaint will reference a specific movie.  I'm trying to find out who is downloading them, and not having any luck.  I'd also like to prevent it from happening, tried dropping bit torrent packets from my router, but Cisco says peer-to-peer software is pretty smart these days so blocking the packets just slows it down, plus it interferes with my online backup.

Let's mainly tackle the first question - how do I figure out who's downloading movies through my Internet pipe?

If we want to go a little further, we can deal with how to stop it.
0
tolenmay
5 Solutions
 
actiont Commented:
Check your traffic logs for larger files, and open ports and what traffic is going on which port.  Close the ports that the torrents are passing through.
0
 
dexIT Commented:
Wireshark, Netprobe, Websense, these are all great tools to use to discover network culprits.
0
 
Aaron Tomosky (Technology Consultant) Commented:
What kind of equipment do you have at your router/firewall? You could assume that the perp is accessing some of the standard websites for finding torrents and check for that. I don't know how to specifically watch for p2p traffic though.
0
 
tolenmay (Author) Commented:
When I used Wireshark, it didn't show anything at the time, but if a user wasn't actively downloading, it probably wouldn't.
I have a Cisco PIX firewall, not any Websense equipment.
I just implemented Web Protection using McAfee Software as a Service where it sends the browsers through a proxy.  I don't know if peer to peer software would go through that proxy or not, but I'm checking the logs to see where they might be finding the torrents.  Where might I find a list of the sites to check?
0
 
actiont Commented:
Turn off NAT and force everyone to use that proxy, which will only allow access to HTTP/HTTPS.  You can also block anything with "torrent" in the name.
0
 
Aaron Tomosky (Technology Consultant) Commented:
If McAfee can block filetypes
http://en.wikipedia.org/wiki/Torrent_file
0
 
Aaron Tomosky (Technology Consultant) Commented:
Sidenote: I could personally get around all the stuff we are talking about here. So what is the real goal? I think it's to not get letters from the ISP and not get sued. So maybe this problem is easier handled by some simple employee education.
Hey guys. One of you has downloaded moviename and I don't know if you even bothered to install PeerGuardian, but the movie company noticed and sent us a letter. Any money we spend to block this type of activity and pay a lawyer to fight the movie company is money out of all your paychecks. So quit it.
0
 
tolenmay (Author) Commented:
actiont - I like the sound of that.  How do I turn off NAT, block the word "torrent" and only allow HTTP/HTTPS?   I'm doing it through the outbound firewall?  It's a Cisco 1841 router with PIX.
0
 
tolenmay (Author) Commented:
Does peerguardian even block the single address people would see from a client browsing through our firewall?
0
 
Aaron Tomosky (Technology Consultant) Commented:
PeerGuardian blocks your computer from connecting to lists of other IPs. Like a blacklist. There are other apps like Blocklist Manager that do the same thing.
0
 
mccracky Commented:
nmap can help find out the traffic hogs.

As for better outbound control, block all outgoing traffic at the firewall.  Set up a squid proxy and only allow that through the firewall.  Force everyone to use the proxy server to get access to the Internet.

How you implement that depends a little on how many machines we are talking about and the rest of the network infrastructure, but it might get you started.

P.S. It could be someone "unknowingly" is doing it.  They started it at home on their laptop, brought the laptop in to work and didn't realize that the torrent client continued to do its thing.
0
 
Hapexamendios Commented:
Hi,

Just reinforcing the advice you've had, I think, but:

What type of proxy are you using for the users?
Do your firewall rules currently allow traffic out from the network which users' computers are on?

If your computers are all on one subnet this could be tricky. However, as stated above, you might want to:

Force everyone to use a proxy - can set it manually if you have a small number of computers, or use Group Policy if you're a Windows environment and have Active Directory.
At the firewall, allow only the proxy to connect out to the net, and only on port 80 and port 443. You'll probably need to allow more ports than this, as many sites use non-standard ports for HTTP or HTTPS, but this will get you started.

So your firewall rules should have a "deny all" rule that covers anything you don't explicitly allow, and you'll want to at least disable any rules which allow other traffic out. If your servers are on separate subnets, and you need direct connectivity for them, you can use the subnetting as a means of grouping things in your firewall rules.

Meanwhile the proxy typically won't, by default, accept connections on the non-standard ports p2p clients use by default, and its logs should show both the connection attempts and the client IP from which they came.

HTH,
0
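The proxy-log check described in the answer above, and the Squid setup suggested earlier in the thread, can be sketched as follows. This is an added example, not code posted by anyone in the thread; it assumes Squid's native access.log layout, and the sample lines, addresses and host names are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident peer content-type
SAMPLE_LOG = """\
1286536301.120     95 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1286536302.300    210 192.168.1.57 TCP_MISS/200 18342 GET http://tracker.example.net/files/movie.torrent - DIRECT/203.0.113.5 application/x-bittorrent
1286536303.010      0 192.168.1.57 TCP_DENIED/403 1500 CONNECT 198.51.100.7:6881 - NONE/- text/html
1286536304.440    800 192.168.1.40 TCP_MISS/200 9000 CONNECT mail.example.com:443 - DIRECT/203.0.113.20 -
1286536305.900     60 192.168.1.57 TCP_MISS/200 310 GET http://tracker.example.net/announce?info_hash=%12%34&port=6881 - DIRECT/203.0.113.5 text/plain
1286536306.020      0 192.168.1.88 TCP_DENIED/403 1500 CONNECT 198.51.100.9:51413 - NONE/- text/html
"""

ALLOWED_CONNECT_PORTS = {443}  # assumption: the proxy tunnels HTTPS only


def flag_line(line):
    """Return (client_ip, reason) if the line looks P2P-related, else None."""
    f = line.split()
    if len(f) < 10:
        return None  # malformed or truncated line
    client, action, method, url, ctype = f[2], f[3], f[5], f[6], f[9]
    if method == "CONNECT":
        # For CONNECT the URL field is host:port
        port = url.rpartition(":")[2]
        if port.isdigit() and int(port) not in ALLOWED_CONNECT_PORTS:
            return client, f"CONNECT to port {port} ({action})"
        return None
    parts = urlsplit(url)
    if parts.path.lower().endswith(".torrent") or ctype == "application/x-bittorrent":
        return client, f"torrent file fetched from {parts.hostname}"
    if "info_hash=" in parts.query:  # HTTP tracker announce parameter
        return client, f"tracker announce to {parts.hostname}"
    return None


def suspects(log_text):
    """Group flagged events by internal client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = flag_line(line)
        if result:
            hits[result[0]].append(result[1])
    return dict(hits)


if __name__ == "__main__":
    for ip, reasons in sorted(suspects(SAMPLE_LOG).items()):
        print(ip, len(reasons), reasons)
```

Mapping a flagged IP to a person still needs the DHCP lease or proxy authentication records for the time of the log entry.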
 
tolenmay (Author) Commented:
These are all great suggestions!  It's going to be difficult to assign points on this one.  Recently, because of this incident, we've started implementing McAfee's WDS connector as a squid proxy.  Only reason I haven't locked down traffic to the firewall is that the WDS connector was stopping often when quite a few people were using it (we're not THAT big - only 75 users) and everyone would lose Internet access.
Yes, all the computers are on one subnet, the servers as well as the clients, and there's a Cisco PIX firewall between them and the Internet.
0
 
Tolomir (Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
