Cisco ASA - Blocking BitTorrent Traffic

12,148

I have attempted to do this and ran into a few issues. The biggest was that most bittorrent clients these days will choose a random port outside of that range. Blocking just 6881-6999 is a start, but will be easily defeated. Even if you block all UDP and high ports, clients will eventually switch to port 80 and 443 (HTTP and HTTPS), which presumably you don't want to block.

I have not found a good way to entirely block bittorrent. Bittorrent has evolved and adapted around all kinds of blocks, and will continue to evade attempts to block it. I'm sure there is a way to use Deep Packet Inspection to identify and shut it down, but I haven't had a chance to look at that. And I'm not sure how successful that would be due to bittorrent clients using encryption by default now.

I have been using this code on my ASA to at least marginally help the situation. I'm sure this blocks other useful things, but I haven't had any complaints from users.

object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999

access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
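As an added example (not part of the original answer), the script below models the two object-groups and deny ACEs posted above and reports which destination ports they cover and which they leave open. It assumes the two ACEs are active (the posted lines carry the `inactive` keyword, which disables them on a real ASA) and that traffic not matched by them falls through to a later permit entry, as it would on a box used only for NAT and VPN; both are assumptions for the model, not statements about the author's full configuration.

```python
# Added example, not code from the original answer: a small model of the
# posted ASA object-groups and access-list entries, used to check coverage.
from dataclasses import dataclass

# Port ranges copied from the posted object-groups (inclusive bounds).
BLOCKED_UDP_PORTS = [(10001, 65535), (1024, 1193), (1195, 9999)]
BITTORRENT_TRACKER_TCP = [(2710, 2710), (6881, 6999)]

ASSUMED_DEFAULT_ACTION = "permit"  # assumption: a later 'permit' ACE exists


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int   # destination port as seen on the inside interface


def in_group(port, ranges):
    """True when port falls inside any (lo, hi) range of the object-group."""
    return any(lo <= port <= hi for lo, hi in ranges)


def acl_action(flow):
    """Evaluate inside_access_in in order (first match wins).

    Returns (action, reason). The ACEs are modelled as active even though
    the posted lines are marked 'inactive'; unmatched traffic gets the
    assumed default action rather than the ASA's implicit deny.
    """
    if flow.proto == "udp" and in_group(flow.dst_port, BLOCKED_UDP_PORTS):
        return ("deny", "Blocked-UDP-Ports")
    if flow.proto == "tcp" and in_group(flow.dst_port, BITTORRENT_TRACKER_TCP):
        return ("deny", "BitTorrent-Tracker")
    return (ASSUMED_DEFAULT_ACTION, "fall-through")


def uncovered_ranges(ranges, lo=0, hi=65535):
    """Return the (lo, hi) port ranges that the given object-group does NOT
    cover, so the gaps in a port-based block are visible at a glance."""
    gaps = []
    cur = lo
    for r_lo, r_hi in sorted(ranges):
        if r_lo > cur:
            gaps.append((cur, r_lo - 1))
        cur = max(cur, r_hi + 1)
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps


def coverage_report():
    """Summarise what the two ACEs block and what they leave open."""
    return {
        "udp_open": uncovered_ranges(BLOCKED_UDP_PORTS),
        "tcp_open": uncovered_ranges(BITTORRENT_TRACKER_TCP),
    }


if __name__ == "__main__":
    # Constructed sample flows, chosen to exercise the range boundaries.
    samples = [
        Flow("udp", 6881),   # inside Blocked-UDP-Ports
        Flow("udp", 1194),   # the deliberate VPN hole between the two ranges
        Flow("udp", 10000),  # the one-port gap between 9999 and 10001
        Flow("tcp", 2710),   # tracker port
        Flow("tcp", 6999),   # top of the classic tracker range
        Flow("tcp", 443),    # HTTPS: not covered, as the answer warns
    ]
    for f in samples:
        print(f, "->", acl_action(f))
    print(coverage_report())
```

Running it shows the deliberate UDP 1194 hole and the single uncovered port 10000 between the two UDP ranges, and that TCP 80/443 are untouched, which is exactly why the answer describes a port-based block as a starting point rather than a complete fix.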
Author: CaseyIT

Updated on September 18, 2022

Comments

  • CaseyIT
    CaseyIT over 1 year

    Due to DMCA takedown notices, trying to block BitTorrent traffic for a client on a Cisco ASA 5520.

    ASA Software: 7.2, ASDM: 5.2

    The device is really just used for NAT and VPNs currently. Is there a simple way to block BitTorrent TCP ports 6881-6999 on this device?

    • Tom O'Connor
      Tom O'Connor about 13 years
      You'd be better off using etherape to find the person responsible, and then fire them.
    • GregD
      GregD about 13 years
      On a side note, why haven't you upgraded your ASA? wags finger
  • Scott Pack
    Scott Pack about 13 years
    Good answer, beat me to it. The only "good" way is by using some kind of layer 7 device, though even that is not foolproof. There are companies that specialize in products that block P2P....
  • CaseyIT
    CaseyIT about 13 years
    Thanks - Is it possible to do this in the ASDM GUI?
  • Tom O'Connor
    Tom O'Connor about 13 years
    Or a layer 8 device, perhaps a big stick?
  • minamhere
    minamhere about 13 years
    Scott, Do you have any suggestions or experience with any of those? While endlessly chasing down P2P users isn't something I actually want to waste my time with, this is on my list of future projects.
  • minamhere
    minamhere about 13 years
    Casey, You can do this in ASDM. Here are 2 screen shots that show what I'm doing. The first shot creates the object-groups for the port ranges. The second (rules 3 and 4) apply those groups to specific areas of the network, and deny said traffic: imgur.com/a/JEzTI