JuniperForum.com

Security => IDP => Topic started by: krisdpo on October 05, 2009, 08:03:27 pm

Title: Blocking limewire
Post by: krisdpo on October 05, 2009, 08:03:27 pm
Hi guys,

Good Day!
In my experience, the IDP50 can't seem to block LimeWire; does everybody have the same experience? There is a signature for P2P:Limewire Freewire, but I could still connect/search/download using LimeWire. Help pls. Thanks
Title: Re: Blocking limewire
Post by: Capt_Winters on October 09, 2009, 04:59:29 am
What firmware version is your IDP50 running...

Is your attack database updated?
Title: Re: Blocking limewire
Post by: signal15 on October 09, 2009, 11:00:14 am
A lot of P2P apps try all sorts of crazy stuff to get out and make a connection.  The best way to block them most of the time is to rate limit them down so low that they are unusable.  That way, they make a connection and don't try to evade the filters or other mechanisms that would block them.
Title: Re: Blocking limewire
Post by: ScottDennis on July 09, 2010, 07:49:22 am
The problem with P2P software is that it uses encryption on the packets. Juniper's IDP blocks the connection, not the encrypted packets. What this means is that if the software is able to make the connection before the IDP sees the login packet, then the IDP cannot inspect the packets to block them. As signal15 was saying, they use several ways to make a connection. Juniper has documentation on creating custom signatures. All you need is to get a packet capture of the packet(s) making the connections, take the payload, and create your own custom signature. ;)

Please note:
Juniper does not help you create custom signatures.
Title: Re: Blocking limewire
Post by: autonym on April 26, 2011, 06:58:57 pm
These days a lot of the P2P apps are also "multi-network" and while you're running the "LimeWire" P2P app, it may be running BitTorrent/DHT as well as its native protocol.  It's important if you're serious about blocking P2P that you use all the P2P sigs to block, and not just the one specific to the app you're testing.

A good trick is to load up all the DHT sigs (and there are a few, including a DHT-BIN sig) and use the IDP Action feature to perma-block remote host IPs that match on those DHT sigs.

Like Scott said, a lot of P2Ps are going encrypted now, which is very hard to detect and/or block. But by nipping those guys in the bud, so to speak, by hitting them at the DHT level, they never get to know each other well enough to do the encrypted stuff later on.
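To make the two points above concrete (ScottDennis: build a match from the payload of the connection-setup packet; autonym: match the BitTorrent DHT bootstrap traffic and block the remote hosts it reveals), here is an added example that is not from this thread and does not use Juniper's signature format. It decodes bencoded KRPC messages the way a DHT signature effectively must, flags only the query types (ping, find_node, get_peers, announce_peer), and collects the remote peer IPs that an "IDP Action"-style block would act on. The packet samples, the node IDs and the 10.0.0.0/8 "internal" range are all constructed for the demo.

```python
"""Detect BitTorrent DHT (KRPC) queries in UDP payloads and build a remote-host block list.

Added example; bencode/KRPC layout per the BitTorrent DHT spec (BEP 5).
All sample traffic below is constructed, not captured.
"""
import ipaddress

# KRPC query names that indicate a node is bootstrapping into / walking the DHT.
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}

# Constructed: treat 10.0.0.0/8 as "our" side so we know which end is the remote peer.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder. Returns (value, end_offset); raises ValueError on junk."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        d, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            d[key] = val
        return d, pos + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        start = colon + 1
        length = int(data[pos:colon])
        return data[start:start + length], start + length
    raise ValueError("not bencoded")


def classify_dht(payload: bytes):
    """Return the KRPC query name ('ping', 'find_node', ...) if payload is a DHT query, else None.

    Responses (y == 'r') and errors (y == 'e') are deliberately ignored: blocking on the
    query alone is enough to stop the peer from ever learning other nodes.
    """
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError, TypeError, RecursionError):
        return None
    if end != len(payload) or not isinstance(msg, dict):   # trailing junk or not a dict
        return None
    if (msg.get(b"y") == b"q" and msg.get(b"q") in DHT_QUERIES
            and b"t" in msg and isinstance(msg.get(b"a"), dict)):
        return msg[b"q"].decode()
    return None


def dht_block_list(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload).

    Returns {remote_ip: [query names seen]} - the hosts an IDP-Action-style
    'block remote host' rule would add to its deny list.
    """
    hits = {}
    for src, dst, payload in packets:
        query = classify_dht(payload)
        if query is None:
            continue
        # The remote peer is whichever end is not inside our network.
        remote = dst if ipaddress.ip_address(src) in INTERNAL_NET else src
        hits.setdefault(remote, []).append(query)
    return hits


# Constructed sample traffic (node IDs are dummy 20-byte values).
NODE_ID = b"\x01" * 20
TARGET = b"\x02" * 20
PING = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
FIND_NODE = b"d1:ad2:id20:" + NODE_ID + b"6:target20:" + TARGET + b"e1:q9:find_node1:t2:ab1:y1:qe"
RESPONSE = b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"          # a reply, not a query
NON_DHT = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", PING),        # outbound bootstrap ping
    ("10.0.0.5", "198.51.100.7", FIND_NODE),   # outbound routing-table walk
    ("203.0.113.10", "10.0.0.5", RESPONSE),    # inbound reply: not matched
    ("10.0.0.5", "192.0.2.53", NON_DHT),       # ordinary DNS-looking UDP: not matched
    ("198.51.100.7", "10.0.0.5", PING),        # inbound query from a remote peer
]

if __name__ == "__main__":
    for ip, queries in sorted(dht_block_list(SAMPLE_PACKETS).items()):
        print(f"block {ip}: {', '.join(queries)}")
```

The parser insists that the whole datagram is one bencoded dict with `y == "q"` and a dict-typed `a` argument block; a byte-pattern signature that only looks for `1:q4:ping` would also fire on replies and on bencoded data that is not KRPC at all, which is the kind of false positive that makes people disable a DHT signature instead of acting on it.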