Managing Peer-to-Peer Traffic In Network Environments


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Managing Peer-to-Peer Traffic In Network Environments

  1. 1. Managing Peer-to-Peer Traffic In Network Environments Wayne Blackard 503157-001 06/05
  2. 2. Introduction In a relatively short amount of time, the “killer app” of the Internet has evolved from E-mail to Web browsers to Peer-to-Peer. The ability to digitize music and video, combined with the ability to easily obtain these digital files freely, has transformed Peer-to-Peer applications into the most popularly downloaded software on the Internet. Kazaa Media Desktop, one of the most popular Peer-to-Peer applications, claims an install base of over 60 Million. Reports from Kazaa show users have downloaded the application more than 200 Million times. Logging into the Kazaa network (FastTrack) on a typical day displays a network of 4 to 5 millions users, sharing thousands of Petabytes of data (one Petabyte equals 1,000 Terabytes).1 This amount of transferred data can completely choke a network, consuming all available bandwidth. Recent studies suggest that Peer-to-Peer traffic can consume up to 60% of a service provider’s network. Peer-to-Peer (P2P) applications impede network traffic of businesses, governments, education, and the Internet infrastructure itself. These applications consume vast amounts of network resources, and prevent mission critical applications from accessing the network. In addition, hackers seek to exploit P2P applications to access and attack the large install base, presenting serious security vulnerabilities to systems and networks. These applications also pose a serious legal issue as users download copyrighted material, placing access providers in a difficult legal situation. As a result, these applications create a logistic, security, and legal nightmare for network administrators on high-speed networks. To protect networks from excessive bandwidth consumption and malicious attacks, Intrusion Prevention Systems can be incorporated to control Peer-to-Peer applications and network traffic. The TippingPoint Intrusion Prevention System (IPS) operates in-line in a network, blocking malicious traffic, proactively protecting a network beyond passive detecting and alerting. The TippingPoint IPS solution analyzes active connections and scans incoming and outgoing requests and traffic. If the system detects a potential threat or traffic from an unwanted application (such as Kazaa and IM), the IPS blocks the traffic entirely, sending alerts to the logs for reporting. Legitimate traffic passes unhindered through the system at full network speed with microsecond latency; ensuring critical data is timely received. With the addition of traffic management capabilities, an IPS system can identify and manage Peer-to- Peer traffic in a network. The TippingPoint IPS includes a number of features and engine capabilities to protect a network and manage traffic. At the core of the TippingPoint IPS is the custom-ASIC based Threat Suppression Engine (TSE). The TSE provides features for managing this traffic, including IP defragmentation, TCP flow reassembly, statistical analysis, traffic shaping, flow blocking, flow state tracking, and application-layer parsing of over 170 network protocols. Peer-to-Peer Architectures Every Peer-to-Peer network uses one of three types of architectural formats. These formats may include peers and servers. A peer can be a user’s computer, running a P2P client. These workstations enact searches for files, provide files for upload and download, and send files to fulfill requests. A server provides features for peers to enter available files, compiles lists of the available files, responds to searches received from peers, and, depending on the architecture, aids in uploading and downloading files through firewalls. Two of the architectures provide options for peers to become servers on the network. The following sections provide in-depth information about the architectures used by these P2P applications: Centralized Architecture — Central server responds to peer requests De-centralized Architecture — Multiple peers respond to requests from other peers on the network Hybrid Architecture — Multiple servers (SuperNodes) respond to requests by communicating with servers on the network, compiling and sending responses through the primary server first queried
  3. 3. The Internet offers many Peer-to-Peer applications and plug-in options. The following list details the popular Peer-to-Peer applications used throughout the world (listed by network): FastTrack Network: KaZaA, Imesh, Grokster, Kazaa Lite K++ Gnutella Network: Ares Galaxy (old), BearShare, Gnucleus, NeoNapster, Limewire, Freewire, Morpheus, Mutella, MyNapster, Phex, QtraxMax, Shareaza, Xolox eDonkey2000 Network: eDonkey, Overnet, eMule, xMule, Mldonkey BitTorrent Network and Application WinMX Network and Application Ares Galaxy Network: Ares Galaxy (new), Warez Manolito Network: Blubster, Piolet, RockItNet Direct Connect Network: Direct Connect, DC++ Soulseek Network and Application Internet Web Sites Network: Twister EarthStation 5 Network and Application Centralized Architecture The centralized architecture is similar to the pervasive Client/Server model used in many applications today, such as Web servers, application servers, and databases. In this architecture, the Peer-to-Peer application executing on the peer systems establishes a persistent connection to the central server. Users log into this central server to Peer Peer access the network. The peer system transmits a directory listing of all available items for sharing and downloading. The Central Server maintains a database of all shared items. When the server receives requests, it responds with a listing of available matches and contact information of the host, such as an IP address and port number. When a user selects an item to download, the Central downloading peer contacts the hosting peer directly, transferring the Server file peer-to-peer. In sophisticated networks, the Peer-to-Peer application sends a unique identifier (such as a hash number) for each shared item. The central server sends the Peer-to-Peer application a list of peers hosting identical items. In this architecture, Login & the Peer-to-Peer application establishes connections to multiple Search peers and downloads sections of the file simultaneously, which the P2P application reassembles. File Transfer Typically, the central server does not transfer the file between the Peer Peer peers. However, some network architectures benefit from Figure 1: Centralized Architecture incorporating a central server to handle downloads as well as requests. At times, the downloading peer cannot establish a connection to the hosting peer because it resides behind a corporate or personal firewall. In this situation, the central server sends a command to the hosting peer to connect to the downloading peer. The downloading peer then contacts the hosting peer directly through the assistance of the central server, transferring the file peer-to-peer. If both peers are behind firewalls, the application cannot perform file transfers. The centralized architecture provides excellent performance for search requests and is popular in smaller networks where the community controls user access. However, the centralized architecture does not scale adequately to large networks and suffers a severe weakness with the central server. Hackers and malicious attacks can easily disable Peer-to-Peer Networks built on the centralized architecture by attacking and disabling the central server. The first generation Napster network used the centralized architecture (site was shut down in 2000 due to lawsuits2).
  4. 4. De-centralized Architecture The de-centralized architecture uses a distributed computing model in which each peer is an equal within the network. The de-centralized architecture does not contain a central server, which purist administrators would consider a “true” Peer-to-Peer network. In this architecture, the P2P application executing on peer systems establishes persistent connections to peers within the network. The peer system sends search requests to each of the Login & persistent connections on the network, broadcasting out Peer Search Peer from the central connection. Matches to the search request return to the requestor from each peer, detailing contact information (such as IP address and port number) for hosting peer. When a user selects an item to download, the downloading peer contacts the hosting peer directly. In response, the host transfers the file between the two peers. As in the Centralized Architecture, advanced Peer-to-Peer applications can establish connections to multiple peers and download sections of the file simultaneously from the multiple hosts. When complete, the P2P application reassembles the file. The de-centralized architecture offers two primary advantages over the centralized approach. First, this architecture scales to large networks of peers. Secondly, File Transfer Peer Peer malicious attackers cannot easily disable the de-centralized approach due to the distributed control. The disadvantage to Figure 2: De-centralized Architecture de-centralized networks is the significantly longer time required to perform search operations. Network communities refer to the de-centralized architecture as the “second generation” of Peer-to-Peer networks. Hybrid Architecture The hybrid architecture combines the centralized and de-centralized approaches into one architecture. The hybrid architecture introduces the concept of a SuperNode (also known as an UltraPeer). The SuperNode functions in a similar function to the central server of the Centralized Architecture. In this architecture, SuperNodes are geographically dispersed to create a larger network. The Peer-to-Peer application executing on the peer systems establishes a persistent connection to one or more SuperNode(s) and transmits a directory listing of the items available for sharing on the peer system.
  5. 5. Peer Peer Peer Peer File Transfer Super Search Super Node Node Login & Login & Search Search Peer Peer Peer Peer File Transfer File Transfer Peer Peer Peer Peer File Transfer Super Search Super Node Node Optional Login & Login & Search Search File Transfer Network Peer Peer Peer Peer Server Figure 3: Hybrid Architecture Each SuperNode maintains a database of shared items. The P2P application sends requests to the SuperNodes, which forward to additional SuperNodes. The primary server compiles the responses and sends the peer a list of matches and host contact information (such as IP address and port number). When a user selects an item to download, the downloading peer contacts the hosting peer directly and transfers the file between the two peers. As in the other architectures, advanced Peer-to-Peer applications can establish connections to multiple peers and download sections of the file simultaneously from the multiple hosts. The Peer-to-Peer application reassembles the sections into a complete file. Typically, the SuperNode does not transfer the file between the peers. However, as with the Centralized Architecture, the SuperNode aids connections and transfers when the hosting peer resides behind corporate or personal firewalls. In this architecture, the SuperNode sends a command to the hosting peer to connect to the downloading peer. The downloading peer contacts the hosting peer directly with the aid of the SuperNode and transfers the file between the two peers.
  6. 6. Compared to central servers, SuperNodes are more dynamic. These servers are typically “promoted” from a peer that has a fast CPU, high bandwidth access to the Internet, and capable of supporting 200- 300 simultaneous connections. SuperNodes maintain a list of available SuperNodes and transmit this list on a regularly to all peers connected to the P2P network. Peer systems caches the information, loading the updated link lists during startup. Another option for Hybrid networks employs a network portal server into the architecture. The network portal, typically owned and provided by the “owner” of the network, hosts Web services for the P2P network. Services can include a home page with news, forums, chat, or instant messaging options and typically functions as an advertisement server to deliver ads to the Peer-to-Peer clients, thereby generating revenue for the owner of the network. The network server may also act as a registration server for users to log into the network and distributes the initial SuperNode IP addresses to new Peer-to-Peer clients. The hybrid architecture offers the best of both the centralized and the de-centralized approaches. Like the Centralized Architecture, the Hybrid provides excellent performance for search requests, even in a large distributed network. The hybrid architecture scales to large networks of peers. As with the de-centralized approach, the hybrid network cannot be easily disabled due to the distributed and dynamic nature of the SuperNodes. Network communities refer to the hybrid architecture as the “third generation” of Peer-to- Peer networks. Peer-to-Peer Network and Applications Internet users can choose from a wide range of Peer-to-Peer services. Each application provides different functions and options to download and transfer files, file host services, and search features. The following sections detail some of these Peer-to-Peer applications: FastTrack Network —Uses a hybrid network architecture employing a network portal and supports P2P applications such as Kazaa and iMesh Gnutella Network — Uses a de-centralized architecture and supports P2P applications such as Morpheus and MyNapster eDonkey2000 — Uses a hybrid network architecture and supports P2P applications such as eDonkey/Overnet and eMule BitTorrent — Uses a form of hybrid architecture and supports the BitTorrent P2P application WinMX — Uses a hybrid architecture and supports the WinMX P2P application Ares Galaxy — Uses a hybrid architecture and supports application such as Ares Galaxy and Warez Manolito — Uses a hybrid architecture and supports application such as Blubster and Piolet DirectConnect — Uses a centralized architecture and supports application such as DirectConnect and BCDC++ Twister — Provides a search engine for locating music files on the Internet EarthStation 5 — Uses a centralized architecture and supports the EarthStation 5 application FastTrack Network The FastTrack Network was created in 2001 by a Dutch company named KazaA BV. Sharman Networks owns and controls the network. For more information on FastTrack’s history, visit The FastTrack network uses a Hybrid Architecture, including peers, SuperNodes, and a network portal. The FastTrack clients ship with a known set list of SuperNodes. Once the client initializes and connects to the network, the P2P application receives an updated list of SuperNodes. Any peer system can be promoted to SuperNode status. The FastTrack network is popular due to large number of users with extensive music/video files, performance of the search requests, and fast file transfer speeds. Another popular feature of the network supports multiple, simultaneous downloads; however, the FastTrack network uses a problematic UUhash
  7. 7. algorithm. The UUhash algorithm calculates a hash value from parts of the file rather than using the entire file. The algorithm scans the first 300,000 bytes of roughly every 2 Megabytes. This approach allows for faster computation of the hash value but leaves significant parts of the file unprotected. Hackers have exploited this vulnerability to spread corrupt, fake files on the network, much to the chagrin of users on the network. The FastTrack Network includes four clients: Kazaa Media Desktop (aka KMD or Kazaa) iMesh Grokster Kazaa Lite K++ Kazaa Media Desktop (KMD) is one of the most popular Peer-to-Peer applications and the most popular FastTrack client. The application has been downloaded more than 200 Million times and claims an install base of over 60 million users. Logging into the Kazaa network (aka FastTrack) on a typical day reveals a network of 4 to 5 millions users sharing thousands of Terabytes of data. For more information about KMD, see KMD is freely available; however, the application installs large amounts of spyware and adware to generate revenue for Sharman Networks. Sharman Networks also provides a paid subscription service for the legal download of copyrighted materials. iMesh, from an Israeli company by the same name, started as a centralized community. It later evolved to the FastTrack network and supports over a million users. iMesh, like KMD, is available freely and downloads with and installs Spyware and adware to generate revenue for iMesh. For more information about iMesh, see Slyck's Guide to FastTrack ( The Grokster client was developed from KaZaA BV licensed software, which makes it almost identical to KMD. However, Grokster is notorious for bundling extensive spyware and adware applications with its client. The application also modifies browser configurations when installed. Kazaa Lite is a modified version of KMD. Programmers modified the KMD binary code to remove the spyware and adware. For this reason, Kazaa Lite has been popular with users accustomed to the FastTrack network. Sharman Networks has been fighting the availability of the modified software, causing many Web sites to remove the Kazaa Lite client. Ironically, the application is widely available over the FastTrack Network. Gnutella Network Two programmers working for a subsidiary of AOL started the Gnutella Network in 2000. Eventually, the code moved to open source and has proliferated over the Internet. With the application on open source, one entity does not own or operate the network. For more information on Gnutella’s history, see The original Gnutella Network began using the De-centralized Architecture as a means to avoid the legal issues and ultimate shutdown, which occurred to Napster. In this network, a Gnutella peer locates other nodes on the network using the following methods: Gnutella software ships with a list of permanent nodes The application queries to a GWebCache server The application queries to other connected nodes for list of current nodes The application monitors Gnutella messages for lists of nodes. A GWebCache Server is a script program placed on any Web server, storing IP addresses of hosts in the Gnutella network and URLs of other caches. A Gnutella client reads and writes the IP addresses of nodes to the Web server using GWebCache Protocol (GWC). The Gnutella client maintains a persistent cache of the IP addresses of known peers providing for efficient system startup.3
  8. 8. Eventually the Gnutella network encountered scaling issues with the de-centralized architecture and introduced the concept of UltraPeers. UltraPeers are equivalent to SuperNodes in the Hybrid Architecture. As with the FastTrack network, any peer meeting the performance requirements can be promoted to an UltraPeer. Unlike FastTrack, the Gnutella Network does not use a portal server. With the scalability issues solved by the UltraPeers, the popularity of the Gnutella soared. Due to its open source roots, numerous clients are available that run on several platforms (including Windows, Linux, and Mac OS). Open source developers also removed any Spyware and Adware that other P2P bundles may include. The Gnutella network supports the following applications: Application Operating System BearShare Windows platform Gnucleus Windows platform (C++) NeoNapster Windows platform Limewire Cross platform (Java) Freewire Windows platform (Java) Morpheus Windows platform. Also connects to Gnutella2 (a newer protocol for Guntella networks), FastTrack and eDonkey2000. Mutella Unix/Linux; offers a command line interface MyNapster Windows platform Phex Cross platform (Java) QtraxMax Windows platform Shareaza Windows platform, open source. Also connects to Gnutella2, eDonkey2000 and BitTorrent. Xolox Windows platform. Also connects to Gnutella2, FastTrack and eDonkey2000. Of the listed clients, Morpheus has the longest and most interesting history. Morpheus began as a Web- based client for the OpenNap network, which was shut down with Napster. MusicCity, which developed Morhpeus, then licensed the FastTrack software from KaZaA BV and rewrote the client to connect to the FastTrack network. Using the FastTrack network, Morpheus became a popular and heavily downloaded application. In February 2002, KaZaA BV modified the FastTrack network to exclude Morpheus clients due to a licensing/monetary dispute with MusicCity. After FastTrack restricted access, MusicCity (also known as StreamCast) rewrote the Morpheus client to use the open source Gnutella software. Quickly, Morpheus became a popular Gnutella client. Morpheus has since expanded to connect to Gnutella2, eDonkey2000, and FastTrack networks. eDonkey2000 Network The eDonkey2000 network (also known as Overnet) uses a Hybrid Architecture with clients (peers) and servers (SuperNodes). The eDonkey2000 Client includes a known set of servers to contact. When the client initializes and connects to one of the Severs, the application retrieves a current list of servers. On the eDonkey2000 network, separate, specialized software is required to operate the servers. eDonkey2000 servers are privately owned and maintained. Like the FastTrack network, the eDonkey2000 network is highly popular due to the large number of users with music/video files, performance of search requests, and fast file transfer speeds. eDonkey2000 was one of the first networks to support multiple, simultaneous downloads. eDonkey2000 uses a hash to uniquely identify files for simultaneous downloads, which is an industry standard algorithm MD4. Unlike Uuhash, this algorithm hashes the entire file, preventing file corruption issues. eDonkey2000 separates the file into 9 MB sections for efficient scanning. The performance of eDonkey2000 downloads has made the software popular for downloading large files such as videos and warez (a computer slang term for copyrighted material such as games or software).
  9. 9. eDonkey2000 also supports the ability to hyperlink (called ed2k-links) directly to files on the Peer-to-Peer network. Users can e-mail or post the links on Web pages. When a user clicks on the ed2k-link, the eDonkey2000 client initiates and downloads the file directly from the specified peer(s). Many Web sites exist on the Web today that host numerous ed2k-links to music, videos and warez. The following is an example of an ed2k link: ed2k://|file|overnet0.50.1.exe|1225593|9aceac18177fc86d18be5e1c19750408| ed2k://|file|fileName|fileSize|fileHash|(optional params)|(optional params)|etc| Due to the speed of the file downloads for larger files (i.e. videos) and the dissatisfaction with corrupted files on the FastTrack network, the popularity of eDonkey2000 clients has raised sharply. While FastTrack holds majority of usage in the United States, eDonkey has become the preferred P2P network in Europe.4 The eDonkey2000 Network includes primarily the following four clients: Client Operating System eDonkey / Windows, Mac OS X and Linux platforms Overnet eMule Windows platform xMule eMule version for Linux and BSD platforms Mldonkey Windows, Mac OS X and Linux platforms. Also connects to BitTorrent, Gnutella, Gnutella2, FastTrack, Soulseek, Direct-Connect, and OpenNap. BitTorrent Network The BitTorrent Network uses a unique architecture. While some features map to the Hybrid Architecture, BitTorrent closely resembles the eDonkey2000 network. The BitTorrent network includes peers and trackers. The trackers are somewhat analogous to the server in an eDonkey2000 network; however, the trackers manage downloads of the file blocks for downloading peers. The search capability is a separate function from the BitTorrent network, typically performed through Web searching or link posting on Web pages and in e-mails. When a user wants to share a file over the BitTorrent network, they create a .torrent file. The torrent file contains the file name, file size, hashes, and IP address of the tracker. The hashes are the industry standard SHA1 hash of each block within the file, typically separated into 250 KB blocks. To distribute the file, a complete copy of the file is uploaded on a “seed” node running the BitTorrent client. The seed node communicates the availability of the file to the tracker specified in the torrent file. When a user decides to download the file, they click on the torrent file. The BitTorrent client executes and contacts the tracker specified in the torrent file, which maintains a list of available peers providing download/upload of the file. The tracker sends updates of the list of peers transferring the file to each peer involved in the transfer. The peer attempts to connect to each of the listed peers. After a connection establishes, the two peers inform each other of the blocks of the file. Each peer randomly selects a block to download from the other peers. As each peer downloads, the systems also upload from the blocks, which it previously retrieved from other peers. The following figure details the simultaneous upload/download action, or “swarm.”
  10. 10. Figure 4: Example of a BitTorrent Swarm The selection of which block of data to download is important to the efficiency of the swarm process. If every peer selected blocks sequentially, the same set of blocks would be available on all systems. By randomly selecting blocks to retrieve from the seed node and from other peers, the file distributes widely across all peers, which optimizes the transfer of each block. Requests for the blocks are sent in 16 Kilobyte chunks, and multiple requests are pipelined through the TCP stack to avoid delays.5 With the functionality of the “swarm” and because all nodes involved are transferring a single file or collection of files, the BitTorrent file transfers are extremely fast. As with eDonkey, the file transfer performance of BitTorrent has made it highly popular with users downloading videos and warez. In some networks, BitTorrent accounts for half of the Peer-to-Peer traffic.6 BitTorrent is also popular with entities that need to legally distribute large files. Web sites use BitTorrent to distribute various Linux distributions. BitTorrent is written in Python with various clients ported to Windows, Mac OS X, and Linux. WinMX Network The WinMX software is one of the oldest Peer-to-Peer clients. WinMX began as a client for the Napster and OpenNap networks; however, when the Naptser and OpenNap networks were shutdown by the RIAA in 2000-2001, WinMX was re-written by Frontcode Technologies to form a new network using the WinMX Peer Network Protocol (WPNP). The WinMX network uses a Hybrid Architecture with clients (peers) and WPNP servers (SuperNodes). The WinMX client installs with a known set of WPNP servers to contact. When the client initializes and connects to a WPNP server, the system retrieves and caches a current list
  11. 11. of WPNP servers. The WinMX client allows the user to manage the WPNP servers accessed by the application. Any WinMX peer can become a WPNP server, which is configurable by the user. Like the FastTrack network, the WinMX network is popular due to the number of users, the performance of the search requests, and the fast file transfer speeds. WinMX supports multiple, simultaneous downloads and hashes the entire file, which prevents file corruption issues. The WPNP protocol also encodes the packets with an XOR (Exclusive OR binary operator) algorithm. The first byte is XOR encrypted with the packet length or the last byte, which then XOR encrypts each subsequent byte with the previous byte. The process repeats five times with the packet length used on the first pass and the last byte used on the next four passes. WinMX client software does not contain spyware and offers a large install base that is second only to the FastTrack network. The WinMX network currently has approximately six million users.7 It is highly popular in Japan based on the software’s double byte character support. Active development on the network and protocol has slowed in the last couple of years; however, the network remains popular. Ares Galaxy Network Ares Galaxy began as a Gnutella client. It was rewritten in late 2002 to become the current Ares Galaxy Network. The Ares Galaxy network uses a Hybrid Architecture with leafs (peers) and SuperNodes. The Ares Galaxy clients ship with a set of SuperNodes to contact. Once the Client initializes and connects to a SuperNodes, the application receives a current list of SuperNodes. Cache Servers maintain an active list of SuperNodes which are stable SuperNodes having higher than the average uptime. As on the KaZaA network, any leaf with a fast network connection, powerful CPU and enough RAM memory can elect to become a SuperNode. Ares Galaxy hashes the entire file, which prevents file corruption issues. The application hashes the shared files at installation time using the industry standard Secure Hash Algorithm (SHA1). The search methodology differs slightly than other hybrid architectures. Searching for a file requires two steps: 1. A keyword search that returns results containing file names, file details and hash values, but no IP addresses (download sources) 2. A hash search that returns fresh download sources (IP addresses) Similar to BitTorrent, Ares Galaxy supports swarming, the simultaneous downloads and uploads from one to multiple peers. Ares Galaxy also supports the ability to hyperlink directly to files on the Peer-to-Peer network. Ares Galaxy currently supports over 300,000 users and is a popular network for music files. The Ares Galaxy Network includes the following clients: Client Operating System Ares Galaxy Windows platform (no adware or Spyware) Ares Lite A smaller version for Windows clients like Windows 98 Warez Windows platform (includes adware) Manolito Network The Manolito Network was started in Spain in June 2001, using a proprietary protocol called Manolito Peer to Peer (MP2P). The Manolito Network uses the Hybrid Architecture. Manolito clients contact an HTTP Gateway Server to update SuperNodes list. The MP2P protocol makes extensive use of UDP. The application conducts all communications over UDP, including peer contacts, searches, and file transfer negotiations. The application uses TCP only for the actual file transfer between peers.
  12. 12. The Manolito Network supports only the transfer of music downloads, not allowing the distribution of videos or warez. The network currently supports 300,000 users and is popular for both rare and popular music selections. The Manolito Network includes the following clients: Client Operating System Blubster Windows platform (includes adware) Piolet Windows platform (includes adware) Warez Windows platform (includes adware and Spyware) DirectConnect Network The DirectConnect Network, by NeoModus, is different from most current Peer-to-Peer networks. The DirectConnect Network uses a Centralized Architecture and functions similar to the original OpenNap application. As with OpenNap, NeoModus creates the client and server (hub) software and provides it freely to users. The network architecture includes numerous centralized networks with the hub as the centralized server. NeoModus (and others) maintains a list of public DirectConnect network hubs on a Web list. The DirectConnect community owns and operates the hubs. The DirectConnect subnetworks are community oriented. Typically, each subnetwork specializes in a specific type of content, such as popular movies like “Lord of the Rings”, recently released movies, games, and CD Images. Most hubs require a user to share a minimum of two to three gigabytes of files before acceptance into a community. Many hubs are private and only accessible once mutual trust is established. The DirectConnect subnetworks also offer a hub “operator” functionality, which provides control access of the subnetwork. Operators can also ban users who abuse the community. The DirectConnect Network and clients are archaic when compared to recent Peer-to-Peer clients. Recently DirectConnect clients have begun using hashing (Tree Hash Exchange THEX), ensuring that each subnetwork peer can determine identical files. The DirectConnect protocol does not support multiple downloads or swarming. The use of multiple subnetworks within the overall community mitigates scaling issues in the network. Despite the lack of advanced technology, the popularity of DirectConnect Networks has risen steadily. The NeoModus Web site claims the DirectConnect Network includes over 300,000 users with over 10 Petabytes (10,000 Terabytes or 10 Million Gigabytes) of shared files. The Web site further claims this amount is three times the amount of data on the FastTrack Network. Given the large entry requirements for new users and the fact that many DirectConnect Networks are sharing full-length movies, the claim may be plausible. The DirectConnect Network includes the following clients: Client Operating System DirectConnect Official version from NeoModus. Windows and Mac OS X platform DC++ Open Source version. Windows platform BCDC++ Open Source version. Windows platform SoulSeek Network The SoulSeek Network, by Nir Arbel, is similar to DirectConnect and uses a Centralized Architecture architecture. However, the lone, central server is owned and maintained by SoulSeek. The central focus of the SoulSeek network is the community. In order to maintain control of the community, the network uses a centralized server. The SoulSeek Network specializes in techno, dance, and electronic music. For this reason, the network has not come under RIAA investigation. The SoulSeek client is written in Python with various clients have been ported to Windows, Mac OS X, and Linux. The SoulSeek client is adware and spyware free.
  13. 13. Twister Network The heading “Twister Network” is somewhat of a misnomer. Twister is not a Peer-to-Peer network, but functions as a search engine for locating MP3 and other music files on the Internet. The Twister software sends search requests to Twister search engines on the Internet. The applications access the Twister Web site to update a list of supported search engine IP addresses. When a user enters a query, the Twister search engines return a list of available music files. When users select files, Twister verifies each file in the list and downloads selected files using a normal HTTP protocol GET request. The Twister software uses external applications (such as Windows Media Player, Winamp) for playback of the music files. Twister only supports the Windows platform. EarthStation5 Network The EarthStation5 Network uses a centralized architecture that is reportedly based in the West Bank and Gaza City. EarthStation5 has publicly taunted the RIAA and MPAA to sue the company based on their argument that company activities are legal under Palestine law. The EarthStation5 Web site provides links to recently released full-length movies, mp3s, games, and more. The EarthStation5 Network provides several features to hide user activities, including the following: The ability to send connection requests through intermediary proxy servers, which hide the IP address of downloading systems The ability to transfer the files using the SSL protocol for full encryption of the payload The ability to encrypt search requests to hide what content a particular user is searching to obtain EarthStation5 only supports the Windows platform. Impact of Peer-to-Peer Applications Peer-to-Peer applications provide extensive networks for sharing files. These networks provide an impressive amount of popular music, movies, videos, games, books, and applications for quick downloading. For the Internet community, the opportunity allows them to share files with anyone, anywhere, at anytime. However, worldwide availability for downloading files affects network security and performance. Peer-to- Peer traffic can consume vast amounts of bandwidth, which multiplies with installed Spyware and adware running in the background. The open-atmosphere of sharing copyrighted material also presents legal issues for copyright infringement and illegal distribution. The following sections detail these issues networks face when managing P2P traffic: Legal liabilities Resource constraints Security issues Legal Liabilities The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) have issued a guide, titled "A Corporate Policy Guide to Copyright Use and Security on the Internet," which requests companies take steps to ensure that computer equipment and Internet systems are not utilized for film and music piracy.8 The organizations sent the guide to the Fortune 1000 Enterprises in America and the top European Enterprises.
  14. 14. Many companies, universities, and organizations have received threatening letters from the RIAA to stop the hosting of copyrighted material on their networks. These are not idle threats as the RIAA has won a $1 million settlement against Integrated Information Systems in Arizona for knowingly allowing employees to trade copyrighted materials over a dedicated server.9 Once the companies have received notice that illegal file sharing is occurring on their networks, they are obligated to take some form of action in stopping the activity. Resource Constraints The popular, widespread use of Peer-to-Peer applications has significantly affected Network Infrastructures. Recent studies suggest that Peer-to-Peer traffic consumes up to 60% of a service provider’s network. Similar percentages apply for Enterprise and University networks. The impact has been especially difficult on Service Provider networks where the network is asymmetric, such as Broadband Service Providers using cable modem technology and many Digital Subscriber Loop (DSL) networks. An asymmetric network works especially well for Web surfing and HTTP based client/server applications. In this architecture, the downstream throughput is significantly higher than the upstream throughput (the network handles small sized requests and receives larger responses). For example, requests (small byte size) made by a home computer user surfing the Web with an HTTP client travels quickly the upstream channel to an HTTP server. The response from the HTTP server delivers the requested Web page to the client over the downstream channel. Unlike the request, the Webpage includes images and dynamic code, which has a significantly larger byte size. The Peer-to-Peer architecture perform well on asymmetric networks. In a Peer-to-Peer network, a peer acts as both a client (making small requests) and a server (serving up large amounts of data). The Broadband Service Providers have seen an explosion of “servers” on their network. In addition, these “servers” are serving music and video files rather than Web pages. The same effect is occurring in internal enterprise and university networks. Typically, network administrators install servers on specific subnets within networks. IT staff closely monitors the activity and bandwidth to those servers to insure adequate performance. This situation is the standard case for mission critical applications and servers within the network. The same explosion of “servers” is also occurring in internal enterprises and university networks. Traffic from mission critical servers competes with Peer-to-Peer system traffic for the overall network bandwidth. In many networks, the sheer volume of Peer-to-Peer traffic overwhelms normal business traffic, resulting in slower performance for the applications. In addition to network resources, Peer-to-Peer applications also affect storage resources. Depending on the type of shared files (such as mp3 music files or MPEG movie files), an average user can easily share one or more gigabytes. Multiply the number of users by 300-400 and suddenly the system must handle almost a terabyte of data. Many organizations have difficulty obtaining and monitoring this amount of storage. Security Issues The installation of Peer-to-Peer applications to an Enterprise network introduces several security issues including the following: Security Vulnerabilities Access to Confidential Information Malicious Software Spyware Bundles Peer-to-Peer applications are susceptible to poor programming techniques as with any other software; these applications include security vulnerabilities that can be exploited by attackers. Some Peer-to-Peer applications, including KaZaA and eDonkey, contain buffer overflow vulnerabilities, which can allow an
  15. 15. attacker to compromise the user’s system. Due to the ubiquity of the KaZaA application, numerous hackers target the application with malicious attacks much the same way they target Microsoft’s Internet Explorer. A novice user can easily misconfigure a Peer-to-Peer application to share all the files on a system or network. These files may contain highly confidential financial, technical files, or personnel information of company employees. Once the files are part of the shared folder, they are accessible to everyone on the Peer-to-Peer network, which can number in the millions. For example, numerous examples of Quicken data files appear on the FastTrack network. The Peer-to-Peer networks are especially susceptible to malicious software like Viruses, Trojans, Worms, Backdoors, and fake files. The Peer-to-Peer networks have also been accessed to distribute exploits. Typically, the malicious software poses as a popular file for downloading. Once downloaded, the virus replicates itself as other popular files on the victims shared folder. Fake files have also become a problem on the FastTrack network (due to the lack of the whole file being hashed). In some cases, the RIAA and large Record Labels have begun distributing fake music files, which contain an audio message admonishing the user for attempting to download copyrighted material. The majority of the Peer-to-Peer applications distribute freely without fees for usage or purchase; however, these applications typically install spyware or adware as a means to generate revenue. These malicious applications track a user’s Internet activity, reporting the data to a central server for processing. Some Peer-to-Peer applications also separate software into installable applications and plug-ins, each including another set of spyware and adware. However, a number of companies have set P2P applications not to open and function if users do not install the spyware/adware (such as KaZaA, iMesh, Grokster). Managing Peer-to-Peer Traffic Peer-to-Peer traffic can overwhelm and render a network unusable, consuming bandwidth that blocks legitimate traffic from connecting to a server. TippingPoint provides best-of-breed technology to manage Peer-to-Peer traffic using the following: TippingPoint IPS Hardware and Software Traffic Detection and Management Digital Vaccine Service TippingPoint Hardware and Software The TippingPoint IPS is the industry's leading Intrusion Prevention System (IPS), unrivaled in security, performance, High Availability, and ease-of-use. Only TippingPoint has taken a revolutionary architectural approach with purpose-built hardware to detect and manage Peer-to-Peer traffic at multi-gigabit speeds with extremely low latency. Traditional software and appliance solutions that operate on general-purpose hardware and processors are unable to perform without degrading network performance. TippingPoint’s IPS solution provides statistical, protocol, and application anomaly protection to protect against traffic surges, buffer overflows, attacks, and vulnerabilities. The IPS delivers traffic normalization to eliminate malformed or illegal packets, and performs TCP reassembly and IP defragmentation, increasing network bandwidth and protecting against evasion techniques. TippingPoint also operates as an access control firewall, replacing CPU intensive router and switch access control lists. Additionally, by rate limiting or blocking unwanted traffic, the IPS conserves bandwidth and server capacity to provide complete application protection. Threat Suppression Engine The TippingPoint IPS ASIC-based Threat Suppression Engine (TSE) is the underlying technology that has revolutionized network protection. Through a combination of pipelined and massively parallel processing hardware, the TSE is able to perform thousands of checks on each packet flow simultaneously. The TSE architecture utilizes custom ASICs, a 20 Gbps backplane and high performance
  16. 16. network processors to perform total packet flow inspection at Layers 2-7. Parallel processing ensures that packet flows continue to move through the IPS with a latency of less than 150 microseconds, independent of the number of filters that are applied. If any of the filters identifies the packet and its associated flow as negative (malicious traffic or designated P2P traffic), the system drops or rate shapes it along with any subsequent packets belonging to the same flow. TSE hardware acceleration is a competitive advantage, and is critical for IPS functionality. Traditional software and appliance solutions must check filters serially, consequently sacrificing performance and greatly increasing latency as more filters are activated. Figure 5: TippingPoint IPS Threat Suppression Engine When classifying traffic, the Threat Suppression Engine assembles a flow payload, and parses it into meaningful fields for contextual analysis. For example, a buffer overflow attack may require that the engine identify the reference to a buffered parameter at the application layer and then evaluate its characteristics to detect an attack. To prevent the negative traffic from reaching its target, the instant a flow is determined to be malicious the packet drops along with any future packets belonging to the offending flow. In order to detect malicious traffic targeted at system vulnerabilities, a variety of detection filters are required. Some attacks are detected with specific signatures or pattern matching filters (known exploits with distinct bit patterns). Other attacks require more sophisticated filters that are expressed with rules that utilize protocol and application-level decoders (such as buffer overflows). Finally, multi-flow attacks require filters that gather statistics and expose anomalies over an aggregation of flows (such as network sweeps and packet flooding). Third Party Testing and Performance In January 2004, The NSS Group, the world’s foremost network and security testing organization, released the results of the first comprehensive security and performance test for Intrusion Prevention Systems. Participating in the testing were products from ISS, Netscreen, Network Associates, TippingPoint, and TopLayer. Over the past six-year history of NSS testing, NSS has awarded only three NSS Gold Awards to any products. After the rounds of IPS testing, only TippingPoint was bestowed the honor of the NSS Gold Award. This was the first NSS Gold award for an Intrusion Prevention System.
  17. 17. The suite of over 750 individual tests is by far the most comprehensive in the industry. Each product was evaluated for performance characteristics, security accuracy and usability. The complete test results are available for download at In the performance category, the TippingPoint IPS uniquely demonstrated switch-like latency and gigabit throughput under all test conditions. In some latency tests, the IPS outperformed the competition by an order of magnitude. Furthermore, in the Test UnityOne Results application latency tests, TippingPoint was the Attack Recognition 100% only vendor that did not impact response times Resistance to False Positives 100% under any load conditions. Evasion Baselines 100% Packet Fragmentation and Stream Segmentation 100% With regard to security accuracy, the IPS was URL Obfuscation 100% flawless and resilient to all forms of evasion. Miscellaneous Evasion Techniques 100% Out-of-the box, the IPS attack blocking Stateless Attack Replays (Mid Flows) 100% accuracy was unmatched by any other Simultaneous Open Connections (Default settings) 100% product, never blocked legitimate traffic. Simultaneous Open Connections (After tuning) 100% UDP Traffic To Random Valid Ports 100% In the usability category, the TippingPoint HTTP “maximum stress” traffic with no transaction delays 100% Security Management System was considered HTTP “maximum stress” traffic with transaction delays 100% best of breed. In addition to an intuitive Protocol mix traffic 100% interface, the alert handling, analysis and “Real World” traffic 100% reporting were deemed flexible, powerful and Latency Exceptional (<116 us) User Response Times Exceptional (<1ms) easy to use. The policy editor was highlighted Stability and Reliability PASS as the best ever seen by NSS. Management Interface PASS Traffic Detection and Management The primary obstacle in managing Peer-to-Peer applications is the detection of Peer-to-Peer traffic. The Threat Suppression Engine of the TippingPoint IPS provides high performance network processors to perform total packet flow inspection at Layers 2-7. TippingPoint develops programmed signatures, called Filters, to detect and manage the network flows of Peer-to-Peer applications. For these filters, TippingPoint has focused on two areas of the Peer-to-Peer applications: Connections to SuperNodes / hubs (Logins, searches, etc) File Transfers As discussed in Peer-to-Peer Architectures, most current versions of Peer-to-Peer applications are utilizing an architecture that involves SuperNodes or Hubs. The peers typically create a persistent TCP connection to the SuperNode. This peer then performs logins, searches and other vital functions using the persistent connection. The ability to detect and manage the connection(s) from the peer to the SuperNode provides great control over the Peer-to-Peer network. And in turn, blocking the network traffic on this connection effectively disables the Peer-to-Peer application. The second focus area was the file transfers between peers. File transfers account for the majority of Peer-to-Peer traffic and are a major concern for Enterprises or University attempting to control piracy issues. File transfers generally breakdown into two types: GET and PUT (or SEND). A peer typically requests a file from another peer by issuing some form of GET request. In other situations, a PUT command issues to a peer to instruct the application to perform an out-bound connection to another peer and then transfer the file. In some cases, the GET/PUT command occurs over the persistent Peer-to- SuperNode connection, or the command occurs over the Peer-to-Peer connection. In the case where the request occurs on the Peer-to-Peer connection, the file transfer can be blocked or rate-limited. In the case where the request occurs on the Peer-to-SuperNode connection, the file transfer can only be blocked.
  18. 18. In the connection between a Peer-to-Peer or Peer-to-SuperNode, there are two sides to the conversation, involving a request and a response. In the detection of Peer-to-Peer traffic, are written for the request or for the response, depending upon which is easier to detect. The following are examples of how the TippingPoint solution detects early versions of Ares Galaxy Network traffic: The following is a packet trace of an initial packet between an Ares peer and an Ares SuperNode: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/02-10:47:24.860916 -> TCP TTL:128 TOS:0x0 ID:278 IpLen:20 DgmLen:46 DF ***AP*** Seq: 0xA125399B Ack: 0xD2CE152B Win: 0x4470 TcpLen: 20 03 00 5A 04 03 05 ..Z... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ The first two bytes represent the length of data following the next byte, which is an opcode. These six bytes are always sent as the first command in a connection to the SuperNodes. A filter to detect this request instructs the Threat Suppression Engine to perform deep inspection to determines the characteristics match as Ares login traffic. If the content matches, the traffic is tagged and handled according to the assigned actions, such as block. The following example is the packet trace of an Ares file transfer request to a peer: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/03-15:23:25.743583 -> TCP TTL:128 TOS:0x0 ID:37365 IpLen:20 DgmLen:242 DF ***AP*** Seq: 0x5B4F6C02 Ack: 0x320518DA Win: 0x43D4 TcpLen: 20 47 45 54 20 73 68 61 31 3A 6F 77 42 75 55 6D 67 GET sha1:owBuUmg 41 4A 49 79 50 71 6E 79 4E 58 76 38 31 49 70 51 AJIyPqnyNXv81IpQ 43 64 67 63 3D 20 68 74 74 70 2F 31 2E 31 0D 0A Cdgc= http/1.1.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73 User-Agent: Ares 20 31 2E 38 2E 31 2E 32 39 34 30 0D 0A 58 2D 4D 79 2D 4E 69 63 6B 3A 20 0D 0A 58 2D 42 36 4D 49 y-Nick: ..X-B6MI 3A 20 70 68 35 6B 68 65 33 74 68 43 43 49 63 6D : ph5khe3thCCIcm 57 37 0D 0A 58 2D 4D 79 4C 49 50 3A 20 31 38 39 W7..X-MyLIP: 189 39 41 34 38 33 0D 0A 58 2D 42 36 53 74 3A 20 73 9A483..X-B6St: s 7A 53 42 32 48 36 75 58 5A 64 41 6B 6D 4F 4C 62 zSB2H6uXZdAkmOLb 76 39 6B 72 77 69 31 78 44 50 73 45 77 3D 3D 0D v9krwi1xDPsEw==. 0A 52 61 6E 67 65 3A 20 62 79 74 65 73 3D 30 2D .Range: bytes=0- 32 36 32 31 34 33 0D 0A 0D 0A 262143.... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ As detailed in the packet trace, the GET request specifies the file to be retrieved by the hash ID of the file. As detailed in Ares Galaxy Network, Ares uses the Secure Hash Algorithm 1 (sha1) to represent each file. The SHA1 ID in the above request has the following characteristics: The SHA1 hash is 120 bits and is then encoded into base-64 In base-64, 24 bit groups (3 bytes) are divided into four 6 bit groups Each 6 bit group is used as an index into an array of 64 characters The 64 characters are [a-zA-Z0-9+/] Since the last 3 byte group is only two bytes (20 mod 3 = 2), the encoding is always padded with a single ”=” Based on these characteristics, a filter to detect this request would instruct the Threat Suppression Engine to deeply analyze each packet using an HTTP decoder and to search for an HTTP GET method
  19. 19. request. A GET request will begin with a GET string and end with a HTTP/1.[01]n string. The string between the GET and the HTTP is referred to as a Uniform Resource Identifier (URI). Secondly, the filter instructs the HTTP decoder to search within the GET request for a URI that includes a SHA1 Hash ID’. The decoder would use a Regular Expression engine to test for an SHA1 Hash ID with the detailed characteristics. Lastly, the filter instructs the decoder to perform a regular expression match for the User Agent specification. Any packet that matches all of the above these characteristics is tagged as Ares file transfer traffic and is handled according to the assigned actions, such as block. Detecting Evasion Techniques Early versions of the Peer-to-Peer applications were easy to detect and manage; however, as the network administrators and various interest groups like the RIAA learned to monitor or block the Peer-to- Peer applications, the software has evolved. There are 4 main techniques used by the Peer-to-Peer applications to avoid detection: Dynamic Ports Firewall/NAT Evasion Proxy Servers Encryption The first Peer-to-Peer applications used statically defined ports for most or all communications. For example, versions of KaZaA, before version 2.02, used port 1214 for both UDP and TCP communications. It was a simple task for network administrators to block the KaZaA applications by configuring the firewall to deny access to UDP and TCP ports 1214. The Peer-to-Peer developers responded by changing the software to utilize user-defined or dynamic ports. Some Peer-to-Peer applications allowed the user to specify port 80 as the default port, which the firewall normally allowed. Other applications would randomly chose a default port at installation time. This, of course, required changes to the protocol as well, sending port numbers w with IP addresses. By utilizing dynamic ports, Firewalls that only inspected layers 2 and 3 of the network protocol were no longer useful for blocking Peer-to-Peer traffic. For in-depth detection of Peer-to-Peer and malicious traffic, the TippingPoint IPS inspects layers 2-7, controlling traffic using dynamic ports. Firewalls had also caused a problem for file transfers between the peers. If one of the peers ran behind a firewall or NAT device, the external peer could not form a TCP connection to the internal peer. The Peer- to-Peer applications then evolved and began using commands from the SuperNode to instruct the internal peer to connect out to the external peer. Due to TippingPoint’s ability to perform full packet inspections, filters were developed which could detect the file transfers in either direction. As a means to hide the IP address of the Peer-to-Peer user, some Peer-to-Peer applications support the use of Proxy Servers. The Peer-to-Peer system performs a connection to a Proxy Server, which then forwards the requests to other systems. The use of Proxy Servers is also used to tunnel the traffic through a firewall by redirecting the traffic through port 80. For example, EarthStation5 can spread a connection among multiple Proxy Servers. Proxy Servers and Tunneling have no impact on the detection capabilities of the TippingPoint solution as specific filters have been developed to catch this traffic. Peer-to-Peer applications also use various forms of encryption to hide the actions of the users. These range from simple algorithms like XOR used by WinMX to complex algorithms like SSL used by EarthStation5. Due to the inspection and decoding capabilities of the Threat Suppression Engine, filters can detect the encrypted traffic of Peer-to-Peer networks. While not an evasion technique, a new challenge has developed recently in the detection of Peer-to-Peer traffic. Several Peer-to-Peer applications, such as MLDonkey and the latest version of Morpheus, have added support for multiple networks. For example, MLDonkey also connects to BitTorrent, Gnutella,
  20. 20. Gnutella2, FastTrack, Soulseek, Direct-Connect, and OpenNap while Morpheus can connect to Gnutella2, FastTrack and eDonkey2000. Due to different programming languages or lack of knowledge regarding the proprietary protocol, the commands sent over the network are slightly different from the original clients. Despite the differences in format, by modifying filters the TippingPoint IPS can detect the new client for the Peer-to-Peer network. Actions for Peer-to-Peer Traffic When the system detects Peer-to-Peer traffic, the triggered filter(s) enacts an assigned Action Set. This action set determines the response of the system against the traffic. The TippingPoint IPS provides two primary actions for managing Peer-to-Peer Traffic: Blocking Rate-limiting For many customers, preventing the use of Peer-to-Peer applications within the network is the answer. This method offers the most legal and security protection while freeing up the most bandwidth. The IPS provides a category of filters titled Misuse & Abuse, which includes all Peer-to-Peer filters. This category can be enabled and the Action Set configured as Block to prevent the operation of all Peer-to-Peer applications. If a finer granularity of control is desired, individual filters within the Misuse and Abuse category can be enabled/disabled to prevent/permit individual Peer-to-Peer Networks. For example, an administrator may want to allow a company sponsored internal Peer-to-Peer network to operate for internal distribution of company data. In this case, an administrator would disable the filters for the company sponsored Peer-to- Peer Network. For some organizations and companies, such as Universities, blocking all Peer-to-Peer applications is not an acceptable approach. The IPS provides the ability to block Peer-to-Peer applications uni-directionally as opposed to the default bi-directional mode. This allows the University network to permit the students to download files onto the network and transmit them to each other while blocking attempts to upload files From the University network. To configure uni-directional support, an administrator enables the desired Peer-to-Peer filters and creates exceptions for IP address ranges of allowed systems. If blocking the use of Peer-to-Peer applications is not an acceptable alternative for an organization, the TippingPoint IPS also offers the ability to Rate-Limit the Peer-to-Peer traffic. This feature allows the network administrator to cap the amount of network bandwidth utilized by Peer-to-Peer applications. Typically, the administrator creates a single Rate-Limit (e.g. P2P-20 Mb) and assigns this Rate-Limit as the Action Set for the Misuse and Abuse category. This will assign all Peer-to-Peer traffic detected by the TippingPoint IPS to a traffic pipe with a maximum bandwidth configured by the administrator. The IPS is also able to provide fine-grain rate shaping and blocking of Peer-to-Peer traffic. Rate-limiting can be applied independently to filters. The IPS supports 100 rate-limit action sets with ranges from Kbps to Mbps depending on the IPS model, giving network administrators the power to create rate-limits according to Peer-to-Peer application and technique. Using rate-limits, network administrators can fine-tune bandwidth protection: One Packet or Flow Matching Multiple Rate-limiters — A single packet can match two rate- limiters. A single flow can also match two rate-limiters (such as different packets in the flow match different filters). In either case, the engine allocates the packet (and the flow) to use the slower of the two rate-limiters. Multiple Filters Using The Same Rate-limiters — When two or more filters use the same rate- limit action set, then all packets matching these filters share the rate-limit bandwidth amount. For example, if filters A and B use the same 10Mbps rate-limit action set, then those filters share the 10Mbps pipe as opposed to each filter receiving individual 10Mbps pipes.
  21. 21. The TippingPoint IPS can also provide uni-directional and bi-directional rate limiting of Peer-to-Peer applications. By utilizing the device’s Peer-to-Peer capabilities, an organization can: Rate shape Peer-to-Peer traffic originating from outside of the core network to a lower bandwidth than traffic originating from within the network, thereby encouraging Peer-to-Peer clients to download from within the network and saving peering costs. Rate shape Peer-to-Peer traffic exiting the core network to the internet to a lower bandwidth, thereby discouraging Peer-to-Peer clients outside of the network from downloading from clients within the network and saving peering costs. The IPS can prevent the monitored traffic from exceeding or consuming more than a preset amount of network bandwidth. This powerful capability controls excessive bandwidth consumption of non-mission critical applications and ensures bandwidth availability for mission critical traffic. Digital Vaccine Service Peer-to-Peer technology and applications are continually evolving with more features and capabilities. As the RIAA and MPAA continue to wage their battle against the piracy of copyrighted material, the Peer-to-Peer applications continue to make their networks stealthier. In order to provide continued management of Peer-to-Peer traffic, the TippingPoint IPS must evolve as well. This is accomplished through the Digital Vaccine Service. The security professionals at TippingPoint are constantly upgrading existing and developing new filters to detect and manage the Peer-to-Peer traffic. The changes to the filters are distributed in a package called Digital Vaccine. Digital Vaccines are delivered to customers every week and can be deployed automatically with no user interaction required. New filters are continuously fed to the IPS to keep it up-to-date against the latest Peer-to-Peer applications. Advantages of Managing Peer-to-Peer Traffic In the sections below, we will show how TippingPoint can be utilized to solve the Legal Liabilities evolving around the Peer- to-Peer applications and the resource constraints imposed on the Enterprise, University and Broadband Service Provider. We will also examine the Return on Investment seen by customers who have deployed the TippingPoint IPS for managing Figure 6: Digital Vaccine Peer-to-Peer traffic. Legal Protection The possibility of legal action regarding the piracy of copyrighted material is very real for many Universities and Enterprises. One of TippingPoint’s customers, the University of Dayton, estimates that they received a dozen letters per month threatening legal action for piracy. After implementing the TippingPoint’s Peer-to-Peer Piracy Prevention feature at the University of Dayton, the log reports detailed the system blocked over one million shared files each month from leaving the university network. Using the extensive reporting capabilities of the IPS, network administrators can receive and review detailed evidence detailing the actions taken to prevent piracy.
  22. 22. Resource Conservation Peer-to-Peer traffic often has a negative impact on many networks. Peer-to-Peer traffic can consume up to 60% of a service provider’s network, similar percentages apply for Enterprise and University networks. The ability of the TippingPoint IPS to rate limit Peer-to-Peer traffic is a major and immediate cost saving feature for TippingPoint customers. Additional bandwidth is an expensive commodity to add to the Network. For internal networks, it requires dividing the network into additional subnets or an upgrade to higher bandwidth technologies. Both approaches require large capital equipment expenditures to achieve. For access to external networks, this requires the purchase of additional bandwidth from service providers. For Broadband Service Providers using asymmetric networks, the ability to rate-limit Peer-to- Peer traffic on the upstream channel can provide immense benefits in customer satisfaction and capital equipment savings. The following figure details a real world example from a TippingPoint customer that began using rate- limiting on the Peer-to-Peer traffic in their network. Notice once the P2P rate limiting begins, mission critical traffic flow increases. It is easiest to see with the blue HTTP traffic. This details the effect non- mission critical traffic has on a constrained bandwidth network, and the positive effect of managing that traffic with the IPS. Rate limiting the illegitimate traffic clears the pipe for the transmission of mission critical traffic. Figure 7: This graph details an eight-day period. Each peak represents the peak traffic during that day. All of the red data represents P2P traffic, which is rate-limited to 45Mbps on day three. The data in blue and green represents mission critical traffic: Oracle, E-mail, and HTTP. It is not rate limited receiving the full bandwidth advantage of the pipe. In another customer example, the University of Dayton installed the TippingPoint IPS. Administrators chose to allow students to retrieve shared files outside the university network, but blocked people outside the university network from retrieving shared files located within the university. After implementing the TippingPoint IPS, reports detailed the system blocked over one million shared files per month, augmenting the organization’s bandwidth availability. Results from the University of Dayton showed that
  23. 23. the peak rate of bandwidth consumption without blocking P2P traffic or using bandwidth management tools was approximately 30 Mbps. After blocking P2P traffic uni-directionally with the IPS, bandwidth consumption dropped to a low of 17 Mbps within the first 30 minutes, giving a 43% increase in bandwidth availability. Return On Investment The ability of the TippingPoint IPS to rate limit Peer-to-Peer traffic is a major cost saving feature and provides a substantial factor in calculating the Return On Investment (ROI) for purchasing the device. Broadband Service Providers have discovered that TippingPoint is unique in its ability to provide network security and management of Peer-to-Peer applications over a heavily loaded gigabit network. Cable MSOs are deploying the IPS today for security and bandwidth management, and they are experiencing significant Return on Investment. For every $100,000 invested in TippingPoint, Cable MSOs are seeing a $1M to $2M return in the first 12 months, which is typically split between security-related benefits and bandwidth management-related benefits. 75% of the immediate ROI typically results from the benefits of blocking malicious traffic including: Reduced customer support expense Reclaimed network infrastructure capacity Reduced network operation expense, especially during times of attack The other 25% of the ROI typically results from the savings related to rate limiting upstream peer-to-peer traffic: Reduced bandwidth expense Reclaimed network infrastructure capacity Conclusion A high-performance intrusion prevention system can provide network security and management of Peer- to-Peer applications, protecting vulnerable computers from compromise and conserving valuable network resources. The same ability to identify and block malicious traffic in transit, can also be used to identify and block or rate limit Peer-to-Peer traffic. In order for an IPS to provide network security and management of Peer-to-Peer applications in today’s networks, the device must perform well on multiple fronts simultaneously. Specifically, the IPS must implement high precision filters, handle a heavily-loaded gigabit network with a full filter set enabled (no dropped packets), and with low packet latency. To date, TippingPoint’s IPS is the only IPS shown to be capable of meeting these fundamental requirements.10 1 The Growing Use of Peer-to-Peer File Sharing networks 2 Napster Ordered to Shut Down 3 Gnutella RFC Documentation 4 eDonkey pulls ahead in European P2P race
  24. 24. 5 Incentives Build Robustness in BitTorrent (by Bram Cohen author of BitTorrent) 6 'BitTorrent' Gives Hollywood a Headache 7 Sneaky Sharing,aid,117637,00.asp 8 RIAA, MPAA Provide Copyright Use and Security Guide To Fortune 1000 Companies 9 Labels settle at-work song-share dispute 10 NSS Group IPS Test Results, published January 2004 TippingPoint Press Release, January 2004