Solved

Who's downloading peer-to-peer movies

Posted on 2011-03-14
Last Modified: 2012-05-11
We have received three complaints so far forwarded to us through our ISP from Paramount Pictures claiming someone here is downloading movies illegally. Each complaint will reference a specific movie. I'm trying to find out who is downloading them, and not having any luck. I'd also like to prevent it from happening, tried dropping bit torrent packets from my router, but Cisco says peer-to-peer software is pretty smart these days so blocking the packets just slows it down plus it interferes with my online backup.

Let's mainly tackle the first question - how do I figure out who's downloading movies through my Internet pipe?

If we want to go a little further, we can deal with how to stop it.
Question by:tolenmay
15 Comments
 

Expert Comment

by:actiont
Check your traffic logs for larger files, and open ports and what traffic is going on which port.  Close the ports that the torrents are passing through.
0
 
LVL 9

Expert Comment

by:dexIT
Wireshark, Netprobe, Websense, these are all great tools to use to discover network culprits.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
What kind of equipment do you have at your router/firewall? You could assume that the perp is accessing some of the standard websites for finding torrents and check for that. I don't know how to specifically watch for p2p traffic though.
0
 

Author Comment

by:tolenmay
When I used Wireshark, it didn't show anything at the time, but if a user wasn't actively downloading, it probably wouldn't.
I have a Cisco PIX firewall, not any Websense equipment.
I just implemented Web Protection using McAfee Software as a Service where it sends the browsers through a proxy.  I don't know if peer to peer software would go through that proxy or not, but I'm checking the logs to see where they might be finding the torrents.  Where might I find a list of the sites to check?
0
 

Assisted Solution

by:actiont
actiont earned 100 total points
Turn off NAT and force everyone to use that Proxy which will only allow access to HTTP/HTTPS. You can also block anything with "torrent" in the name.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
If McAfee can block filetypes
http://en.wikipedia.org/wiki/Torrent_file
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 200 total points
Sidenote: I could personally get around all the stuff we are talking about here. So what is the real goal? I think it's to not get letters from the ISP and not get sued. So maybe this problem is easier handled by some simple employee education.
Hey guys. One of you has downloaded moviename and I don't know if you even bothered to install PeerGuardian but the movie company noticed and sent us a letter. Any money we spend to block this type of activity and pay a lawyer to fight the movie company is money out of all your paychecks. So quit it.
0

 

Author Comment

by:tolenmay
actiont - I like the sound of that.  How do I turn off NAT, block the word "torrent" and only allow HTTP/HTTPS?   I'm doing it through the outbound firewall?  It's a Cisco 1841 router with PIX.
0
 

Author Comment

by:tolenmay
Does PeerGuardian even block the single address people would see from a client browsing through our firewall?
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 200 total points
PeerGuardian blocks your computer from connecting to lists of other IPs. Like a blacklist. There are other apps like blocklist manager that do the same thing.
0
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 100 total points
nmap can help find out the traffic hogs.

As for better outbound control, block all outgoing traffic at the firewall.  Set up a squid proxy and only allow that through the firewall.  Force everyone to use the proxy server to get access to the Internet.

How you implement that depends a little on how many machines we are talking about and the rest of the network infrastructure, but it might get you started.

P.S. It could be someone "unknowingly" is doing it. They started it at home on their laptop, brought the laptop in to work and didn't realize that the torrent client continued to do its thing.
0
 
LVL 2

Accepted Solution

by:Hapexamendios
Hapexamendios earned 100 total points
Hi,

Just reinforcing the advice you've had, I think, but:

What type of proxy are you using for the users?
Do your firewall rules currently allow traffic out from the network which users' computers are on?

If your computers are all on one subnet this could be tricky. However, as stated above, you might want to:

Force everyone to use a proxy - can set it manually if you have a small number of computers, or use Group Policy if you're a Windows environment and have Active Directory.
At the firewall, allow only the proxy to connect out to the net, and only on port 80 and port 443. You'll probably need to allow more ports than this, as many sites use non-standard ports for HTTP or HTTPS, but this will get you started.

So your firewall rules should have a "deny all" rule that covers anything you don't explicitly allow, and you'll want to at least disable any rules which allow other traffic out. If your servers are on separate subnets, and you need direct connectivity for them, you can use the subnetting as a means of grouping things in your firewall rules.

Meanwhile the proxy typically won't, by default, accept connections on the non-standard ports p2p clients use by default, and its logs should show both the connection attempts and the client IP from which they came.

HTH,
0
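
An added example (not part of the thread or any poster's code) of the log check described in the accepted answer: it scans Squid native-format access.log lines for CONNECT attempts to ports other than 443, `.torrent` downloads and HTTP tracker announce requests, then ranks internal client IPs by hits. The sample log lines, addresses, indicator names and the 443-only CONNECT policy are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format (not real traffic):
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1300112001.101  120 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/198.51.100.10 text/html
1300112002.224   15 192.168.1.57 TCP_DENIED/403 1456 CONNECT 203.0.113.9:6881 - NONE/- text/html
1300112003.310   98 192.168.1.57 TCP_MISS/200 20480 GET http://files.example.net/dl/some-movie.torrent - DIRECT/198.51.100.20 application/x-bittorrent
1300112004.412   40 192.168.1.57 TCP_MISS/200 310 GET http://tracker.example.org:6969/announce?info_hash=%12%34&peer_id=-XX0001-&port=6881 - DIRECT/198.51.100.30 text/plain
1300112005.500  210 192.168.1.88 TCP_MISS/200 900 CONNECT mail.example.com:443 - DIRECT/198.51.100.40 -
1300112006.610   12 192.168.1.41 TCP_DENIED/403 1456 CONNECT 203.0.113.77:51413 - NONE/- text/html
truncated line
"""

ALLOWED_CONNECT_PORTS = {443}  # assumption: proxy policy tunnels HTTPS only

def parse_line(line):
    """Return (client, status, method, url) or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    return f[2], f[3], f[5], f[6]

def classify(method, url):
    """Name the P2P indicator a request matches, or return None."""
    if method == "CONNECT":  # CONNECT targets are logged as host:port
        port = url.rpartition(":")[2]
        if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            return "connect-nonstandard-port"
        return None
    parts = urlsplit(url)
    if parts.path.lower().endswith(".torrent"):
        return "torrent-file"
    if parts.path.endswith("/announce") and "info_hash=" in parts.query:
        return "tracker-announce"
    return None

def suspects(log_text):
    """List (client IP, Counter of indicators), most hits first."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reason := classify(rec[2], rec[3])):
            hits[rec[0]][reason] += 1
    return sorted(hits.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))

if __name__ == "__main__":
    for client, reasons in suspects(SAMPLE_LOG):
        print(client, dict(reasons))
```

Denied entries still count: a `TCP_DENIED` CONNECT to a high port identifies the client even though the proxy blocked it.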
 

Author Comment

by:tolenmay
These are all great suggestions! It's going to be difficult to assign points on this one. Recently, because of this incident, we've started implementing McAfee's WDS connector as a squid proxy. Only reason I haven't locked down traffic to the firewall is that the WDS connector was stopping often when quite a few people were using it (we're not THAT big - only 75 users) and everyone would lose Internet access.
Yes, all the computers are on one subnet, the servers as well as the clients, and there's a Cisco PIX firewall between them and the Internet.
0
 
LVL 27

Expert Comment

by:Tolomir
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
