Managing Peer-to-Peer Traffic In Network Environments
Managing Peer-to-Peer Traffic
In Network Environments
In a relatively short amount of time, the “killer app” of the Internet has evolved from E-mail to Web
browsers to Peer-to-Peer. The ability to digitize music and video, combined with the ability to easily obtain
these digital files freely, has transformed Peer-to-Peer applications into the most popularly downloaded
software on the Internet. Kazaa Media Desktop, one of the most popular Peer-to-Peer applications,
claims an install base of over 60 Million. Reports from Kazaa show users have downloaded the
application more than 200 Million times. Logging into the Kazaa network (FastTrack) on a typical day
displays a network of 4 to 5 millions users, sharing thousands of Petabytes of data (one Petabyte equals
1,000 Terabytes).1 This amount of transferred data can completely choke a network, consuming all
available bandwidth. Recent studies suggest that Peer-to-Peer traffic can consume up to 60% of a
service provider’s network.
Peer-to-Peer (P2P) applications impede network traffic of businesses, governments, education, and the
Internet infrastructure itself. These applications consume vast amounts of network resources, and prevent
mission critical applications from accessing the network. In addition, hackers seek to exploit P2P
applications to access and attack the large install base, presenting serious security vulnerabilities to
systems and networks. These applications also pose a serious legal issue as users download copyrighted
material, placing access providers in a difficult legal situation. As a result, these applications create a
logistic, security, and legal nightmare for network administrators on high-speed networks. To protect
networks from excessive bandwidth consumption and malicious attacks, Intrusion Prevention Systems
can be incorporated to control Peer-to-Peer applications and network traffic.
The TippingPoint Intrusion Prevention System (IPS) operates in-line in a network, blocking malicious
traffic, proactively protecting a network beyond passive detecting and alerting. The TippingPoint IPS
solution analyzes active connections and scans incoming and outgoing requests and traffic. If the system
detects a potential threat or traffic from an unwanted application (such as Kazaa and IM), the IPS blocks
the traffic entirely, sending alerts to the logs for reporting. Legitimate traffic passes unhindered through
the system at full network speed with microsecond latency; ensuring critical data is timely received.
With the addition of traffic management capabilities, an IPS system can identify and manage Peer-to-
Peer traffic in a network. The TippingPoint IPS includes a number of features and engine capabilities to
protect a network and manage traffic. At the core of the TippingPoint IPS is the custom-ASIC based
Threat Suppression Engine (TSE). The TSE provides features for managing this traffic, including IP
defragmentation, TCP flow reassembly, statistical analysis, traffic shaping, flow blocking, flow state
tracking, and application-layer parsing of over 170 network protocols.
Every Peer-to-Peer network uses one of three types of architectural formats. These formats may include
peers and servers. A peer can be a user’s computer, running a P2P client. These workstations enact
searches for files, provide files for upload and download, and send files to fulfill requests. A server
provides features for peers to enter available files, compiles lists of the available files, responds to
searches received from peers, and, depending on the architecture, aids in uploading and downloading
files through firewalls. Two of the architectures provide options for peers to become servers on the
The following sections provide in-depth information about the architectures used by these P2P
Centralized Architecture — Central server responds to peer requests
De-centralized Architecture — Multiple peers respond to requests from other peers on the
Hybrid Architecture — Multiple servers (SuperNodes) respond to requests by communicating with
servers on the network, compiling and sending responses through the primary server first queried
The Internet offers many Peer-to-Peer applications and plug-in options. The following list details the
popular Peer-to-Peer applications used throughout the world (listed by network):
FastTrack Network: KaZaA, Imesh, Grokster, Kazaa Lite K++
Gnutella Network: Ares Galaxy (old), BearShare, Gnucleus, NeoNapster, Limewire, Freewire,
Morpheus, Mutella, MyNapster, Phex, QtraxMax, Shareaza, Xolox
eDonkey2000 Network: eDonkey, Overnet, eMule, xMule, Mldonkey
BitTorrent Network and Application
WinMX Network and Application
Ares Galaxy Network: Ares Galaxy (new), Warez
Manolito Network: Blubster, Piolet, RockItNet
Direct Connect Network: Direct Connect, DC++
Soulseek Network and Application
Internet Web Sites Network: Twister
EarthStation 5 Network and Application
The centralized architecture is similar to the pervasive Client/Server model used in many applications
today, such as Web servers, application servers, and databases. In this architecture, the Peer-to-Peer
application executing on the peer systems establishes a persistent
connection to the central server. Users log into this central server to Peer Peer
access the network. The peer system transmits a directory listing of
all available items for sharing and downloading.
The Central Server maintains a database of all shared items. When
the server receives requests, it responds with a listing of available
matches and contact information of the host, such as an IP address
and port number. When a user selects an item to download, the
downloading peer contacts the hosting peer directly, transferring the
file peer-to-peer. In sophisticated networks, the Peer-to-Peer
application sends a unique identifier (such as a hash number) for
each shared item. The central server sends the Peer-to-Peer
application a list of peers hosting identical items. In this architecture, Login &
the Peer-to-Peer application establishes connections to multiple Search
peers and downloads sections of the file simultaneously, which the
P2P application reassembles.
Typically, the central server does not transfer the file between the Peer Peer
peers. However, some network architectures benefit from Figure 1: Centralized Architecture
incorporating a central server to handle downloads as well as
requests. At times, the downloading peer cannot establish a connection to the hosting peer because it
resides behind a corporate or personal firewall. In this situation, the central server sends a command to
the hosting peer to connect to the downloading peer. The downloading peer then contacts the hosting
peer directly through the assistance of the central server, transferring the file peer-to-peer. If both peers
are behind firewalls, the application cannot perform file transfers.
The centralized architecture provides excellent performance for search requests and is popular in smaller
networks where the community controls user access. However, the centralized architecture does not
scale adequately to large networks and suffers a severe weakness with the central server. Hackers and
malicious attacks can easily disable Peer-to-Peer Networks built on the centralized architecture by
attacking and disabling the central server. The first generation Napster network used the centralized
architecture (site was shut down in 2000 due to lawsuits2).
The de-centralized architecture uses a distributed computing model in which each peer is an equal within
the network. The de-centralized architecture does not contain a central server, which purist administrators
would consider a “true” Peer-to-Peer network. In this architecture, the P2P application executing on peer
systems establishes persistent connections to peers within the network.
The peer system sends search requests to each of the Login &
persistent connections on the network, broadcasting out Peer Search Peer
from the central connection. Matches to the search request
return to the requestor from each peer, detailing contact
information (such as IP address and port number) for hosting
When a user selects an item to download, the downloading
peer contacts the hosting peer directly. In response, the host
transfers the file between the two peers. As in the
Centralized Architecture, advanced Peer-to-Peer
applications can establish connections to multiple peers and
download sections of the file simultaneously from the
multiple hosts. When complete, the P2P application
reassembles the file.
The de-centralized architecture offers two primary
advantages over the centralized approach. First, this
architecture scales to large networks of peers. Secondly, File Transfer
malicious attackers cannot easily disable the de-centralized
approach due to the distributed control. The disadvantage to Figure 2: De-centralized Architecture
de-centralized networks is the significantly longer time
required to perform search operations. Network communities refer to the de-centralized architecture as
the “second generation” of Peer-to-Peer networks.
The hybrid architecture combines the centralized and de-centralized approaches into one architecture.
The hybrid architecture introduces the concept of a SuperNode (also known as an UltraPeer). The
SuperNode functions in a similar function to the central server of the Centralized Architecture. In this
architecture, SuperNodes are geographically dispersed to create a larger network. The Peer-to-Peer
application executing on the peer systems establishes a persistent connection to one or more
SuperNode(s) and transmits a directory listing of the items available for sharing on the peer system.
Peer Peer Peer Peer
Super Search Super
Login & Login &
Peer Peer Peer Peer
Peer Peer Peer Peer
Super Search Super
Login & Login &
File Transfer Network
Peer Peer Peer Peer
Figure 3: Hybrid Architecture
Each SuperNode maintains a database of shared items. The P2P application sends requests to the
SuperNodes, which forward to additional SuperNodes. The primary server compiles the responses and
sends the peer a list of matches and host contact information (such as IP address and port number).
When a user selects an item to download, the downloading peer contacts the hosting peer directly and
transfers the file between the two peers. As in the other architectures, advanced Peer-to-Peer
applications can establish connections to multiple peers and download sections of the file simultaneously
from the multiple hosts. The Peer-to-Peer application reassembles the sections into a complete file.
Typically, the SuperNode does not transfer the file between the peers. However, as with the Centralized
Architecture, the SuperNode aids connections and transfers when the hosting peer resides behind
corporate or personal firewalls. In this architecture, the SuperNode sends a command to the hosting peer
to connect to the downloading peer. The downloading peer contacts the hosting peer directly with the aid
of the SuperNode and transfers the file between the two peers.
Compared to central servers, SuperNodes are more dynamic. These servers are typically “promoted”
from a peer that has a fast CPU, high bandwidth access to the Internet, and capable of supporting 200-
300 simultaneous connections. SuperNodes maintain a list of available SuperNodes and transmit this list
on a regularly to all peers connected to the P2P network. Peer systems caches the information, loading
the updated link lists during startup.
Another option for Hybrid networks employs a network portal server into the architecture. The network
portal, typically owned and provided by the “owner” of the network, hosts Web services for the P2P
network. Services can include a home page with news, forums, chat, or instant messaging options and
typically functions as an advertisement server to deliver ads to the Peer-to-Peer clients, thereby
generating revenue for the owner of the network. The network server may also act as a registration server
for users to log into the network and distributes the initial SuperNode IP addresses to new Peer-to-Peer
The hybrid architecture offers the best of both the centralized and the de-centralized approaches. Like the
Centralized Architecture, the Hybrid provides excellent performance for search requests, even in a large
distributed network. The hybrid architecture scales to large networks of peers. As with the de-centralized
approach, the hybrid network cannot be easily disabled due to the distributed and dynamic nature of the
SuperNodes. Network communities refer to the hybrid architecture as the “third generation” of Peer-to-
Peer-to-Peer Network and Applications
Internet users can choose from a wide range of Peer-to-Peer services. Each application provides different
functions and options to download and transfer files, file host services, and search features. The following
sections detail some of these Peer-to-Peer applications:
FastTrack Network —Uses a hybrid network architecture employing a network portal and
supports P2P applications such as Kazaa and iMesh
Gnutella Network — Uses a de-centralized architecture and supports P2P applications such as
Morpheus and MyNapster
eDonkey2000 — Uses a hybrid network architecture and supports P2P applications such as
eDonkey/Overnet and eMule
BitTorrent — Uses a form of hybrid architecture and supports the BitTorrent P2P application
WinMX — Uses a hybrid architecture and supports the WinMX P2P application
Ares Galaxy — Uses a hybrid architecture and supports application such as Ares Galaxy and
Manolito — Uses a hybrid architecture and supports application such as Blubster and Piolet
DirectConnect — Uses a centralized architecture and supports application such as DirectConnect
Twister — Provides a search engine for locating music files on the Internet
EarthStation 5 — Uses a centralized architecture and supports the EarthStation 5 application
The FastTrack Network was created in 2001 by a Dutch company named KazaA BV. Sharman Networks
owns and controls the network. For more information on FastTrack’s history, visit
The FastTrack network uses a Hybrid Architecture, including peers, SuperNodes, and a network portal.
The FastTrack clients ship with a known set list of SuperNodes. Once the client initializes and connects to
the network, the P2P application receives an updated list of SuperNodes. Any peer system can be
promoted to SuperNode status.
The FastTrack network is popular due to large number of users with extensive music/video files,
performance of the search requests, and fast file transfer speeds. Another popular feature of the network
supports multiple, simultaneous downloads; however, the FastTrack network uses a problematic UUhash
algorithm. The UUhash algorithm calculates a hash value from parts of the file rather than using the entire
file. The algorithm scans the first 300,000 bytes of roughly every 2 Megabytes. This approach allows for
faster computation of the hash value but leaves significant parts of the file unprotected. Hackers have
exploited this vulnerability to spread corrupt, fake files on the network, much to the chagrin of users on
The FastTrack Network includes four clients:
Kazaa Media Desktop (aka KMD or Kazaa)
Kazaa Lite K++
Kazaa Media Desktop (KMD) is one of the most popular Peer-to-Peer applications and the most popular
FastTrack client. The application has been downloaded more than 200 Million times and claims an install
base of over 60 million users. Logging into the Kazaa network (aka FastTrack) on a typical day reveals a
network of 4 to 5 millions users sharing thousands of Terabytes of data. For more information about KMD,
see http://encyclopedia.thefreedictionary.com/KaZaA. KMD is freely available; however, the application
installs large amounts of spyware and adware to generate revenue for Sharman Networks. Sharman
Networks also provides a paid subscription service for the legal download of copyrighted materials.
iMesh, from an Israeli company by the same name, started as a centralized community. It later evolved to
the FastTrack network and supports over a million users. iMesh, like KMD, is available freely and
downloads with and installs Spyware and adware to generate revenue for iMesh. For more information
about iMesh, see Slyck's Guide to FastTrack (http://www.slyck.com/ft.php?page=4).
The Grokster client was developed from KaZaA BV licensed software, which makes it almost identical to
KMD. However, Grokster is notorious for bundling extensive spyware and adware applications with its
client. The application also modifies browser configurations when installed.
Kazaa Lite is a modified version of KMD. Programmers modified the KMD binary code to remove the
spyware and adware. For this reason, Kazaa Lite has been popular with users accustomed to the
FastTrack network. Sharman Networks has been fighting the availability of the modified software, causing
many Web sites to remove the Kazaa Lite client. Ironically, the application is widely available over the
Two programmers working for a subsidiary of AOL started the Gnutella Network in 2000. Eventually, the
code moved to open source and has proliferated over the Internet. With the application on open source,
one entity does not own or operate the network. For more information on Gnutella’s history, see
The original Gnutella Network began using the De-centralized Architecture as a means to avoid the legal
issues and ultimate shutdown, which occurred to Napster. In this network, a Gnutella peer locates other
nodes on the network using the following methods:
Gnutella software ships with a list of permanent nodes
The application queries to a GWebCache server
The application queries to other connected nodes for list of current nodes
The application monitors Gnutella messages for lists of nodes.
A GWebCache Server is a script program placed on any Web server, storing IP addresses of hosts in the
Gnutella network and URLs of other caches. A Gnutella client reads and writes the IP addresses of nodes
to the Web server using GWebCache Protocol (GWC). The Gnutella client maintains a persistent cache
of the IP addresses of known peers providing for efficient system startup.3
Eventually the Gnutella network encountered scaling issues with the de-centralized architecture and
introduced the concept of UltraPeers. UltraPeers are equivalent to SuperNodes in the Hybrid
Architecture. As with the FastTrack network, any peer meeting the performance requirements can be
promoted to an UltraPeer. Unlike FastTrack, the Gnutella Network does not use a portal server.
With the scalability issues solved by the UltraPeers, the popularity of the Gnutella soared. Due to its open
source roots, numerous clients are available that run on several platforms (including Windows, Linux, and
Mac OS). Open source developers also removed any Spyware and Adware that other P2P bundles may
The Gnutella network supports the following applications:
Application Operating System
BearShare Windows platform
Gnucleus Windows platform (C++)
NeoNapster Windows platform
Limewire Cross platform (Java)
Freewire Windows platform (Java)
Morpheus Windows platform. Also connects to Gnutella2 (a newer protocol for Guntella
networks), FastTrack and eDonkey2000.
Mutella Unix/Linux; offers a command line interface
MyNapster Windows platform
Phex Cross platform (Java)
QtraxMax Windows platform
Shareaza Windows platform, open source. Also connects to Gnutella2, eDonkey2000 and
Xolox Windows platform. Also connects to Gnutella2, FastTrack and eDonkey2000.
Of the listed clients, Morpheus has the longest and most interesting history. Morpheus began as a Web-
based client for the OpenNap network, which was shut down with Napster. MusicCity, which developed
Morhpeus, then licensed the FastTrack software from KaZaA BV and rewrote the client to connect to the
FastTrack network. Using the FastTrack network, Morpheus became a popular and heavily downloaded
application. In February 2002, KaZaA BV modified the FastTrack network to exclude Morpheus clients
due to a licensing/monetary dispute with MusicCity. After FastTrack restricted access, MusicCity (also
known as StreamCast) rewrote the Morpheus client to use the open source Gnutella software. Quickly,
Morpheus became a popular Gnutella client. Morpheus has since expanded to connect to Gnutella2,
eDonkey2000, and FastTrack networks.
The eDonkey2000 network (also known as Overnet) uses a Hybrid Architecture with clients (peers) and
servers (SuperNodes). The eDonkey2000 Client includes a known set of servers to contact. When the
client initializes and connects to one of the Severs, the application retrieves a current list of servers. On
the eDonkey2000 network, separate, specialized software is required to operate the servers.
eDonkey2000 servers are privately owned and maintained.
Like the FastTrack network, the eDonkey2000 network is highly popular due to the large number of users
with music/video files, performance of search requests, and fast file transfer speeds. eDonkey2000 was
one of the first networks to support multiple, simultaneous downloads. eDonkey2000 uses a hash to
uniquely identify files for simultaneous downloads, which is an industry standard algorithm MD4. Unlike
Uuhash, this algorithm hashes the entire file, preventing file corruption issues. eDonkey2000 separates
the file into 9 MB sections for efficient scanning. The performance of eDonkey2000 downloads has made
the software popular for downloading large files such as videos and warez (a computer slang term for
copyrighted material such as games or software).
eDonkey2000 also supports the ability to hyperlink (called ed2k-links) directly to files on the Peer-to-Peer
network. Users can e-mail or post the links on Web pages. When a user clicks on the ed2k-link, the
eDonkey2000 client initiates and downloads the file directly from the specified peer(s). Many Web sites
exist on the Web today that host numerous ed2k-links to music, videos and warez. The following is an
example of an ed2k link:
ed2k://|file|fileName|fileSize|fileHash|(optional params)|(optional params)|etc|
Due to the speed of the file downloads for larger files (i.e. videos) and the dissatisfaction with corrupted
files on the FastTrack network, the popularity of eDonkey2000 clients has raised sharply. While FastTrack
holds majority of usage in the United States, eDonkey has become the preferred P2P network in Europe.4
The eDonkey2000 Network includes primarily the following four clients:
Client Operating System
eDonkey / Windows, Mac OS X and Linux platforms
eMule Windows platform
xMule eMule version for Linux and BSD platforms
Mldonkey Windows, Mac OS X and Linux platforms. Also connects to BitTorrent,
Gnutella, Gnutella2, FastTrack, Soulseek, Direct-Connect, and OpenNap.
The BitTorrent Network uses a unique architecture. While some features map to the Hybrid Architecture,
BitTorrent closely resembles the eDonkey2000 network. The BitTorrent network includes peers and
trackers. The trackers are somewhat analogous to the server in an eDonkey2000 network; however, the
trackers manage downloads of the file blocks for downloading peers. The search capability is a separate
function from the BitTorrent network, typically performed through Web searching or link posting on Web
pages and in e-mails.
When a user wants to share a file over the BitTorrent network, they create a .torrent file. The torrent file
contains the file name, file size, hashes, and IP address of the tracker. The hashes are the industry
standard SHA1 hash of each block within the file, typically separated into 250 KB blocks. To distribute the
file, a complete copy of the file is uploaded on a “seed” node running the BitTorrent client. The seed node
communicates the availability of the file to the tracker specified in the torrent file.
When a user decides to download the file, they click on the torrent file. The BitTorrent client executes and
contacts the tracker specified in the torrent file, which maintains a list of available peers providing
download/upload of the file. The tracker sends updates of the list of peers transferring the file to each
peer involved in the transfer. The peer attempts to connect to each of the listed peers. After a connection
establishes, the two peers inform each other of the blocks of the file. Each peer randomly selects a block
to download from the other peers. As each peer downloads, the systems also upload from the blocks,
which it previously retrieved from other peers. The following figure details the simultaneous
upload/download action, or “swarm.”
Figure 4: Example of a BitTorrent Swarm
The selection of which block of data to download is important to the efficiency of the swarm process. If
every peer selected blocks sequentially, the same set of blocks would be available on all systems. By
randomly selecting blocks to retrieve from the seed node and from other peers, the file distributes widely
across all peers, which optimizes the transfer of each block. Requests for the blocks are sent in 16
Kilobyte chunks, and multiple requests are pipelined through the TCP stack to avoid delays.5 With the
functionality of the “swarm” and because all nodes involved are transferring a single file or collection of
files, the BitTorrent file transfers are extremely fast.
As with eDonkey, the file transfer performance of BitTorrent has made it highly popular with users
downloading videos and warez. In some networks, BitTorrent accounts for half of the Peer-to-Peer traffic.6
BitTorrent is also popular with entities that need to legally distribute large files. Web sites use BitTorrent
to distribute various Linux distributions.
BitTorrent is written in Python with various clients ported to Windows, Mac OS X, and Linux.
The WinMX software is one of the oldest Peer-to-Peer clients. WinMX began as a client for the Napster
and OpenNap networks; however, when the Naptser and OpenNap networks were shutdown by the RIAA
in 2000-2001, WinMX was re-written by Frontcode Technologies to form a new network using the WinMX
Peer Network Protocol (WPNP). The WinMX network uses a Hybrid Architecture with clients (peers) and
WPNP servers (SuperNodes). The WinMX client installs with a known set of WPNP servers to contact.
When the client initializes and connects to a WPNP server, the system retrieves and caches a current list
of WPNP servers. The WinMX client allows the user to manage the WPNP servers accessed by the
application. Any WinMX peer can become a WPNP server, which is configurable by the user.
Like the FastTrack network, the WinMX network is popular due to the number of users, the performance
of the search requests, and the fast file transfer speeds. WinMX supports multiple, simultaneous
downloads and hashes the entire file, which prevents file corruption issues. The WPNP protocol also
encodes the packets with an XOR (Exclusive OR binary operator) algorithm. The first byte is XOR
encrypted with the packet length or the last byte, which then XOR encrypts each subsequent byte with
the previous byte. The process repeats five times with the packet length used on the first pass and the
last byte used on the next four passes.
WinMX client software does not contain spyware and offers a large install base that is second only to the
FastTrack network. The WinMX network currently has approximately six million users.7 It is highly popular
in Japan based on the software’s double byte character support. Active development on the network and
protocol has slowed in the last couple of years; however, the network remains popular.
Ares Galaxy Network
Ares Galaxy began as a Gnutella client. It was rewritten in late 2002 to become the current Ares Galaxy
Network. The Ares Galaxy network uses a Hybrid Architecture with leafs (peers) and SuperNodes. The
Ares Galaxy clients ship with a set of SuperNodes to contact. Once the Client initializes and connects to a
SuperNodes, the application receives a current list of SuperNodes. Cache Servers maintain an active list
of SuperNodes which are stable SuperNodes having higher than the average uptime. As on the KaZaA
network, any leaf with a fast network connection, powerful CPU and enough RAM memory can elect to
become a SuperNode.
Ares Galaxy hashes the entire file, which prevents file corruption issues. The application hashes the
shared files at installation time using the industry standard Secure Hash Algorithm (SHA1). The search
methodology differs slightly than other hybrid architectures. Searching for a file requires two steps:
1. A keyword search that returns results containing file names, file details and hash values, but no
IP addresses (download sources)
2. A hash search that returns fresh download sources (IP addresses)
Similar to BitTorrent, Ares Galaxy supports swarming, the simultaneous downloads and uploads from one
to multiple peers. Ares Galaxy also supports the ability to hyperlink directly to files on the Peer-to-Peer
network. Ares Galaxy currently supports over 300,000 users and is a popular network for music files.
The Ares Galaxy Network includes the following clients:
Client Operating System
Ares Galaxy Windows platform (no adware or Spyware)
Ares Lite A smaller version for Windows clients like Windows 98
Warez Windows platform (includes adware)
The Manolito Network was started in Spain in June 2001, using a proprietary protocol called Manolito
Peer to Peer (MP2P). The Manolito Network uses the Hybrid Architecture. Manolito clients contact an
HTTP Gateway Server to update SuperNodes list.
The MP2P protocol makes extensive use of UDP. The application conducts all communications over
UDP, including peer contacts, searches, and file transfer negotiations. The application uses TCP only for
the actual file transfer between peers.
The Manolito Network supports only the transfer of music downloads, not allowing the distribution of
videos or warez. The network currently supports 300,000 users and is popular for both rare and popular
music selections. The Manolito Network includes the following clients:
Client Operating System
Blubster Windows platform (includes adware)
Piolet Windows platform (includes adware)
Warez Windows platform (includes adware and Spyware)
The DirectConnect Network, by NeoModus, is different from most current Peer-to-Peer networks. The
DirectConnect Network uses a Centralized Architecture and functions similar to the original OpenNap
application. As with OpenNap, NeoModus creates the client and server (hub) software and provides it
freely to users. The network architecture includes numerous centralized networks with the hub as the
centralized server. NeoModus (and others) maintains a list of public DirectConnect network hubs on a
Web list. The DirectConnect community owns and operates the hubs.
The DirectConnect subnetworks are community oriented. Typically, each subnetwork specializes in a
specific type of content, such as popular movies like “Lord of the Rings”, recently released movies,
games, and CD Images. Most hubs require a user to share a minimum of two to three gigabytes of files
before acceptance into a community. Many hubs are private and only accessible once mutual trust is
established. The DirectConnect subnetworks also offer a hub “operator” functionality, which provides
control access of the subnetwork. Operators can also ban users who abuse the community.
The DirectConnect Network and clients are archaic when compared to recent Peer-to-Peer clients.
Recently DirectConnect clients have begun using hashing (Tree Hash Exchange THEX), ensuring that
each subnetwork peer can determine identical files. The DirectConnect protocol does not support multiple
downloads or swarming. The use of multiple subnetworks within the overall community mitigates scaling
issues in the network.
Despite the lack of advanced technology, the popularity of DirectConnect Networks has risen steadily.
The NeoModus Web site claims the DirectConnect Network includes over 300,000 users with over 10
Petabytes (10,000 Terabytes or 10 Million Gigabytes) of shared files. The Web site further claims this
amount is three times the amount of data on the FastTrack Network. Given the large entry requirements
for new users and the fact that many DirectConnect Networks are sharing full-length movies, the claim
may be plausible.
The DirectConnect Network includes the following clients:
Client Operating System
DirectConnect Official version from NeoModus. Windows and Mac OS X platform
DC++ Open Source version. Windows platform
BCDC++ Open Source version. Windows platform
The SoulSeek Network, by Nir Arbel, is similar to DirectConnect and uses a Centralized Architecture
architecture. However, the lone, central server is owned and maintained by SoulSeek. The central focus
of the SoulSeek network is the community. In order to maintain control of the community, the network
uses a centralized server. The SoulSeek Network specializes in techno, dance, and electronic music. For
this reason, the network has not come under RIAA investigation.
The SoulSeek client is written in Python with various clients have been ported to Windows, Mac OS X,
and Linux. The SoulSeek client is adware and spyware free.
The heading “Twister Network” is somewhat of a misnomer. Twister is not a Peer-to-Peer network, but
functions as a search engine for locating MP3 and other music files on the Internet. The Twister software
sends search requests to Twister search engines on the Internet. The applications access the Twister
Web site to update a list of supported search engine IP addresses. When a user enters a query, the
Twister search engines return a list of available music files. When users select files, Twister verifies each
file in the list and downloads selected files using a normal HTTP protocol GET request. The Twister
software uses external applications (such as Windows Media Player, Winamp) for playback of the music
Twister only supports the Windows platform.
The EarthStation5 Network uses a centralized architecture that is reportedly based in the West Bank and
Gaza City. EarthStation5 has publicly taunted the RIAA and MPAA to sue the company based on their
argument that company activities are legal under Palestine law. The EarthStation5 Web site provides
links to recently released full-length movies, mp3s, games, and more.
The EarthStation5 Network provides several features to hide user activities, including the following:
The ability to send connection requests through intermediary proxy servers, which hide the IP
address of downloading systems
The ability to transfer the files using the SSL protocol for full encryption of the payload
The ability to encrypt search requests to hide what content a particular user is searching to obtain
EarthStation5 only supports the Windows platform.
Impact of Peer-to-Peer Applications
Peer-to-Peer applications provide extensive networks for sharing files. These networks provide an
impressive amount of popular music, movies, videos, games, books, and applications for quick
downloading. For the Internet community, the opportunity allows them to share files with anyone,
anywhere, at anytime.
However, worldwide availability for downloading files affects network security and performance. Peer-to-
Peer traffic can consume vast amounts of bandwidth, which multiplies with installed Spyware and adware
running in the background. The open-atmosphere of sharing copyrighted material also presents legal
issues for copyright infringement and illegal distribution.
The following sections detail these issues networks face when managing P2P traffic:
The Recording Industry Association of America (RIAA) and the Motion Picture Association of America
(MPAA) have issued a guide, titled "A Corporate Policy Guide to Copyright Use and Security on the
Internet," which requests companies take steps to ensure that computer equipment and Internet systems
are not utilized for film and music piracy.8 The organizations sent the guide to the Fortune 1000
Enterprises in America and the top European Enterprises.
Many companies, universities, and organizations have received threatening letters from the RIAA to stop
the hosting of copyrighted material on their networks. These are not idle threats as the RIAA has won a
$1 million settlement against Integrated Information Systems in Arizona for knowingly allowing employees
to trade copyrighted materials over a dedicated server.9 Once the companies have received notice that
illegal file sharing is occurring on their networks, they are obligated to take some form of action in
stopping the activity.
The popular, widespread use of Peer-to-Peer applications has significantly affected Network
Infrastructures. Recent studies suggest that Peer-to-Peer traffic consumes up to 60% of a service
provider’s network. Similar percentages apply for Enterprise and University networks.
The impact has been especially difficult on Service Provider networks where the network is asymmetric,
such as Broadband Service Providers using cable modem technology and many Digital Subscriber Loop
(DSL) networks. An asymmetric network works especially well for Web surfing and HTTP based
client/server applications. In this architecture, the downstream throughput is significantly higher than the
upstream throughput (the network handles small sized requests and receives larger responses). For
example, requests (small byte size) made by a home computer user surfing the Web with an HTTP client
travels quickly the upstream channel to an HTTP server. The response from the HTTP server delivers the
requested Web page to the client over the downstream channel. Unlike the request, the Webpage
includes images and dynamic code, which has a significantly larger byte size.
The Peer-to-Peer architecture perform well on asymmetric networks. In a Peer-to-Peer network, a peer
acts as both a client (making small requests) and a server (serving up large amounts of data). The
Broadband Service Providers have seen an explosion of “servers” on their network. In addition, these
“servers” are serving music and video files rather than Web pages.
The same effect is occurring in internal enterprise and university networks. Typically, network
administrators install servers on specific subnets within networks. IT staff closely monitors the activity and
bandwidth to those servers to insure adequate performance. This situation is the standard case for
mission critical applications and servers within the network. The same explosion of “servers” is also
occurring in internal enterprises and university networks. Traffic from mission critical servers competes
with Peer-to-Peer system traffic for the overall network bandwidth. In many networks, the sheer volume of
Peer-to-Peer traffic overwhelms normal business traffic, resulting in slower performance for the
In addition to network resources, Peer-to-Peer applications also affect storage resources. Depending on
the type of shared files (such as mp3 music files or MPEG movie files), an average user can easily share
one or more gigabytes. Multiply the number of users by 300-400 and suddenly the system must handle
almost a terabyte of data. Many organizations have difficulty obtaining and monitoring this amount of
The installation of Peer-to-Peer applications to an Enterprise network introduces several security issues
including the following:
Access to Confidential Information
Peer-to-Peer applications are susceptible to poor programming techniques as with any other software;
these applications include security vulnerabilities that can be exploited by attackers. Some Peer-to-Peer
applications, including KaZaA and eDonkey, contain buffer overflow vulnerabilities, which can allow an
attacker to compromise the user’s system. Due to the ubiquity of the KaZaA application, numerous
hackers target the application with malicious attacks much the same way they target Microsoft’s Internet
A novice user can easily misconfigure a Peer-to-Peer application to share all the files on a system or
network. These files may contain highly confidential financial, technical files, or personnel information of
company employees. Once the files are part of the shared folder, they are accessible to everyone on the
Peer-to-Peer network, which can number in the millions. For example, numerous examples of Quicken
data files appear on the FastTrack network.
The Peer-to-Peer networks are especially susceptible to malicious software like Viruses, Trojans, Worms,
Backdoors, and fake files. The Peer-to-Peer networks have also been accessed to distribute exploits.
Typically, the malicious software poses as a popular file for downloading. Once downloaded, the virus
replicates itself as other popular files on the victims shared folder. Fake files have also become a problem
on the FastTrack network (due to the lack of the whole file being hashed). In some cases, the RIAA and
large Record Labels have begun distributing fake music files, which contain an audio message
admonishing the user for attempting to download copyrighted material.
The majority of the Peer-to-Peer applications distribute freely without fees for usage or purchase;
however, these applications typically install spyware or adware as a means to generate revenue. These
malicious applications track a user’s Internet activity, reporting the data to a central server for processing.
Some Peer-to-Peer applications also separate software into installable applications and plug-ins, each
including another set of spyware and adware. However, a number of companies have set P2P
applications not to open and function if users do not install the spyware/adware (such as KaZaA, iMesh,
Managing Peer-to-Peer Traffic
Peer-to-Peer traffic can overwhelm and render a network unusable, consuming bandwidth that blocks
legitimate traffic from connecting to a server. TippingPoint provides best-of-breed technology to manage
Peer-to-Peer traffic using the following:
TippingPoint IPS Hardware and Software
Traffic Detection and Management
Digital Vaccine Service
TippingPoint Hardware and Software
The TippingPoint IPS is the industry's leading Intrusion Prevention System (IPS), unrivaled in security,
performance, High Availability, and ease-of-use. Only TippingPoint has taken a revolutionary architectural
approach with purpose-built hardware to detect and manage Peer-to-Peer traffic at multi-gigabit speeds
with extremely low latency. Traditional software and appliance solutions that operate on general-purpose
hardware and processors are unable to perform without degrading network performance. TippingPoint’s
IPS solution provides statistical, protocol, and application anomaly protection to protect against traffic
surges, buffer overflows, attacks, and vulnerabilities. The IPS delivers traffic normalization to eliminate
malformed or illegal packets, and performs TCP reassembly and IP defragmentation, increasing network
bandwidth and protecting against evasion techniques. TippingPoint also operates as an access control
firewall, replacing CPU intensive router and switch access control lists. Additionally, by rate limiting or
blocking unwanted traffic, the IPS conserves bandwidth and server capacity to provide complete
Threat Suppression Engine
The TippingPoint IPS ASIC-based Threat Suppression Engine (TSE) is the underlying technology that
has revolutionized network protection. Through a combination of pipelined and massively parallel
processing hardware, the TSE is able to perform thousands of checks on each packet flow
simultaneously. The TSE architecture utilizes custom ASICs, a 20 Gbps backplane and high performance
network processors to perform total packet flow inspection at Layers 2-7. Parallel processing ensures that
packet flows continue to move through the IPS with a latency of less than 150 microseconds,
independent of the number of filters that are applied.
If any of the filters identifies the packet and its associated flow as negative (malicious traffic or designated
P2P traffic), the system drops or rate shapes it along with any subsequent packets belonging to the same
flow. TSE hardware acceleration is a competitive advantage, and is critical for IPS functionality.
Traditional software and appliance solutions must check filters serially, consequently sacrificing
performance and greatly increasing latency as more filters are activated.
Figure 5: TippingPoint IPS Threat Suppression Engine
When classifying traffic, the Threat Suppression Engine assembles a flow payload, and parses it into
meaningful fields for contextual analysis. For example, a buffer overflow attack may require that the
engine identify the reference to a buffered parameter at the application layer and then evaluate its
characteristics to detect an attack. To prevent the negative traffic from reaching its target, the instant a
flow is determined to be malicious the packet drops along with any future packets belonging to the
In order to detect malicious traffic targeted at system vulnerabilities, a variety of detection filters are
required. Some attacks are detected with specific signatures or pattern matching filters (known exploits
with distinct bit patterns). Other attacks require more sophisticated filters that are expressed with rules
that utilize protocol and application-level decoders (such as buffer overflows). Finally, multi-flow attacks
require filters that gather statistics and expose anomalies over an aggregation of flows (such as network
sweeps and packet flooding).
Third Party Testing and Performance
In January 2004, The NSS Group, the world’s foremost network and security testing organization,
released the results of the first comprehensive security and performance test for Intrusion Prevention
Systems. Participating in the testing were products from ISS, Netscreen, Network Associates,
TippingPoint, and TopLayer. Over the past six-year history of NSS testing, NSS has awarded only three
NSS Gold Awards to any products. After the rounds of IPS testing, only TippingPoint was bestowed the
honor of the NSS Gold Award. This was the first NSS Gold award for an Intrusion Prevention System.
The suite of over 750 individual tests is by far the most comprehensive in the industry. Each product was
evaluated for performance characteristics, security accuracy and usability. The complete test results are
available for download at http://www.nss.co.uk.
In the performance category, the TippingPoint IPS uniquely demonstrated switch-like latency and gigabit
throughput under all test conditions. In some latency tests, the IPS outperformed the competition by an
order of magnitude. Furthermore, in the
Test UnityOne Results
application latency tests, TippingPoint was the
Attack Recognition 100%
only vendor that did not impact response times
Resistance to False Positives 100%
under any load conditions. Evasion Baselines 100%
Packet Fragmentation and Stream Segmentation 100%
With regard to security accuracy, the IPS was URL Obfuscation 100%
flawless and resilient to all forms of evasion. Miscellaneous Evasion Techniques 100%
Out-of-the box, the IPS attack blocking Stateless Attack Replays (Mid Flows) 100%
accuracy was unmatched by any other Simultaneous Open Connections (Default settings) 100%
product, never blocked legitimate traffic. Simultaneous Open Connections (After tuning) 100%
UDP Traffic To Random Valid Ports 100%
In the usability category, the TippingPoint HTTP “maximum stress” traffic with no transaction delays 100%
Security Management System was considered HTTP “maximum stress” traffic with transaction delays 100%
best of breed. In addition to an intuitive Protocol mix traffic 100%
interface, the alert handling, analysis and “Real World” traffic 100%
reporting were deemed flexible, powerful and Latency Exceptional (<116 us)
User Response Times Exceptional (<1ms)
easy to use. The policy editor was highlighted
Stability and Reliability PASS
as the best ever seen by NSS.
Management Interface PASS
Traffic Detection and Management
The primary obstacle in managing Peer-to-Peer applications is the detection of Peer-to-Peer traffic. The
Threat Suppression Engine of the TippingPoint IPS provides high performance network processors to
perform total packet flow inspection at Layers 2-7. TippingPoint develops programmed signatures, called
Filters, to detect and manage the network flows of Peer-to-Peer applications. For these filters,
TippingPoint has focused on two areas of the Peer-to-Peer applications:
Connections to SuperNodes / hubs (Logins, searches, etc)
As discussed in Peer-to-Peer Architectures, most current versions of Peer-to-Peer applications are
utilizing an architecture that involves SuperNodes or Hubs. The peers typically create a persistent TCP
connection to the SuperNode. This peer then performs logins, searches and other vital functions using
the persistent connection. The ability to detect and manage the connection(s) from the peer to the
SuperNode provides great control over the Peer-to-Peer network. And in turn, blocking the network traffic
on this connection effectively disables the Peer-to-Peer application.
The second focus area was the file transfers between peers. File transfers account for the majority of
Peer-to-Peer traffic and are a major concern for Enterprises or University attempting to control piracy
issues. File transfers generally breakdown into two types: GET and PUT (or SEND). A peer typically
requests a file from another peer by issuing some form of GET request. In other situations, a PUT
command issues to a peer to instruct the application to perform an out-bound connection to another peer
and then transfer the file. In some cases, the GET/PUT command occurs over the persistent Peer-to-
SuperNode connection, or the command occurs over the Peer-to-Peer connection. In the case where the
request occurs on the Peer-to-Peer connection, the file transfer can be blocked or rate-limited. In the case
where the request occurs on the Peer-to-SuperNode connection, the file transfer can only be blocked.
In the connection between a Peer-to-Peer or Peer-to-SuperNode, there are two sides to the conversation,
involving a request and a response. In the detection of Peer-to-Peer traffic, are written for the request or
for the response, depending upon which is easier to detect.
The following are examples of how the TippingPoint solution detects early versions of Ares Galaxy
The following is a packet trace of an initial packet between an Ares peer and an Ares SuperNode:
08/02-10:47:24.860916 184.108.40.206:1049 -> 220.127.116.11:28182
TCP TTL:128 TOS:0x0 ID:278 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0xA125399B Ack: 0xD2CE152B Win: 0x4470 TcpLen: 20
03 00 5A 04 03 05 ..Z...
The first two bytes represent the length of data following the next byte, which is an opcode. These six
bytes are always sent as the first command in a connection to the SuperNodes.
A filter to detect this request instructs the Threat Suppression Engine to perform deep inspection to
determines the characteristics match as Ares login traffic. If the content matches, the traffic is tagged and
handled according to the assigned actions, such as block.
The following example is the packet trace of an Ares file transfer request to a peer:
03/03-15:23:25.743583 18.104.22.168:5240 -> 22.214.171.124:3173
TCP TTL:128 TOS:0x0 ID:37365 IpLen:20 DgmLen:242 DF
***AP*** Seq: 0x5B4F6C02 Ack: 0x320518DA Win: 0x43D4 TcpLen: 20
47 45 54 20 73 68 61 31 3A 6F 77 42 75 55 6D 67 GET sha1:owBuUmg
41 4A 49 79 50 71 6E 79 4E 58 76 38 31 49 70 51 AJIyPqnyNXv81IpQ
43 64 67 63 3D 20 68 74 74 70 2F 31 2E 31 0D 0A Cdgc= http/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 41 72 65 73 User-Agent: Ares
20 31 2E 38 2E 31 2E 32 39 34 30 0D 0A 58 2D 4D 126.96.36.19940..X-M
79 2D 4E 69 63 6B 3A 20 0D 0A 58 2D 42 36 4D 49 y-Nick: ..X-B6MI
3A 20 70 68 35 6B 68 65 33 74 68 43 43 49 63 6D : ph5khe3thCCIcm
57 37 0D 0A 58 2D 4D 79 4C 49 50 3A 20 31 38 39 W7..X-MyLIP: 189
39 41 34 38 33 0D 0A 58 2D 42 36 53 74 3A 20 73 9A483..X-B6St: s
7A 53 42 32 48 36 75 58 5A 64 41 6B 6D 4F 4C 62 zSB2H6uXZdAkmOLb
76 39 6B 72 77 69 31 78 44 50 73 45 77 3D 3D 0D v9krwi1xDPsEw==.
0A 52 61 6E 67 65 3A 20 62 79 74 65 73 3D 30 2D .Range: bytes=0-
32 36 32 31 34 33 0D 0A 0D 0A 262143....
As detailed in the packet trace, the GET request specifies the file to be retrieved by the hash ID of the file.
As detailed in Ares Galaxy Network, Ares uses the Secure Hash Algorithm 1 (sha1) to represent each file.
The SHA1 ID in the above request has the following characteristics:
The SHA1 hash is 120 bits and is then encoded into base-64
In base-64, 24 bit groups (3 bytes) are divided into four 6 bit groups
Each 6 bit group is used as an index into an array of 64 characters
The 64 characters are [a-zA-Z0-9+/]
Since the last 3 byte group is only two bytes (20 mod 3 = 2), the encoding is always padded with
a single ”=”
Based on these characteristics, a filter to detect this request would instruct the Threat Suppression
Engine to deeply analyze each packet using an HTTP decoder and to search for an HTTP GET method
request. A GET request will begin with a GET string and end with a HTTP/1.n string. The string
between the GET and the HTTP is referred to as a Uniform Resource Identifier (URI).
Secondly, the filter instructs the HTTP decoder to search within the GET request for a URI that includes a
SHA1 Hash ID’. The decoder would use a Regular Expression engine to test for an SHA1 Hash ID with
the detailed characteristics. Lastly, the filter instructs the decoder to perform a regular expression match
for the User Agent specification.
Any packet that matches all of the above these characteristics is tagged as Ares file transfer traffic and is
handled according to the assigned actions, such as block.
Detecting Evasion Techniques
Early versions of the Peer-to-Peer applications were easy to detect and manage; however, as the
network administrators and various interest groups like the RIAA learned to monitor or block the Peer-to-
Peer applications, the software has evolved. There are 4 main techniques used by the Peer-to-Peer
applications to avoid detection:
The first Peer-to-Peer applications used statically defined ports for most or all communications. For
example, versions of KaZaA, before version 2.02, used port 1214 for both UDP and TCP
communications. It was a simple task for network administrators to block the KaZaA applications by
configuring the firewall to deny access to UDP and TCP ports 1214. The Peer-to-Peer developers
responded by changing the software to utilize user-defined or dynamic ports. Some Peer-to-Peer
applications allowed the user to specify port 80 as the default port, which the firewall normally allowed.
Other applications would randomly chose a default port at installation time. This, of course, required
changes to the protocol as well, sending port numbers w with IP addresses. By utilizing dynamic ports,
Firewalls that only inspected layers 2 and 3 of the network protocol were no longer useful for blocking
Peer-to-Peer traffic. For in-depth detection of Peer-to-Peer and malicious traffic, the TippingPoint IPS
inspects layers 2-7, controlling traffic using dynamic ports.
Firewalls had also caused a problem for file transfers between the peers. If one of the peers ran behind a
firewall or NAT device, the external peer could not form a TCP connection to the internal peer. The Peer-
to-Peer applications then evolved and began using commands from the SuperNode to instruct the internal
peer to connect out to the external peer. Due to TippingPoint’s ability to perform full packet inspections,
filters were developed which could detect the file transfers in either direction.
As a means to hide the IP address of the Peer-to-Peer user, some Peer-to-Peer applications support the
use of Proxy Servers. The Peer-to-Peer system performs a connection to a Proxy Server, which then
forwards the requests to other systems. The use of Proxy Servers is also used to tunnel the traffic
through a firewall by redirecting the traffic through port 80. For example, EarthStation5 can spread a
connection among multiple Proxy Servers. Proxy Servers and Tunneling have no impact on the detection
capabilities of the TippingPoint solution as specific filters have been developed to catch this traffic.
Peer-to-Peer applications also use various forms of encryption to hide the actions of the users. These
range from simple algorithms like XOR used by WinMX to complex algorithms like SSL used by
EarthStation5. Due to the inspection and decoding capabilities of the Threat Suppression Engine, filters
can detect the encrypted traffic of Peer-to-Peer networks.
While not an evasion technique, a new challenge has developed recently in the detection of Peer-to-Peer
traffic. Several Peer-to-Peer applications, such as MLDonkey and the latest version of Morpheus, have
added support for multiple networks. For example, MLDonkey also connects to BitTorrent, Gnutella,
Gnutella2, FastTrack, Soulseek, Direct-Connect, and OpenNap while Morpheus can connect to
Gnutella2, FastTrack and eDonkey2000. Due to different programming languages or lack of knowledge
regarding the proprietary protocol, the commands sent over the network are slightly different from the
original clients. Despite the differences in format, by modifying filters the TippingPoint IPS can detect the
new client for the Peer-to-Peer network.
Actions for Peer-to-Peer Traffic
When the system detects Peer-to-Peer traffic, the triggered filter(s) enacts an assigned Action Set. This
action set determines the response of the system against the traffic. The TippingPoint IPS provides two
primary actions for managing Peer-to-Peer Traffic:
For many customers, preventing the use of Peer-to-Peer applications within the network is the answer.
This method offers the most legal and security protection while freeing up the most bandwidth. The IPS
provides a category of filters titled Misuse & Abuse, which includes all Peer-to-Peer filters. This category
can be enabled and the Action Set configured as Block to prevent the operation of all Peer-to-Peer
If a finer granularity of control is desired, individual filters within the Misuse and Abuse category can be
enabled/disabled to prevent/permit individual Peer-to-Peer Networks. For example, an administrator may
want to allow a company sponsored internal Peer-to-Peer network to operate for internal distribution of
company data. In this case, an administrator would disable the filters for the company sponsored Peer-to-
For some organizations and companies, such as Universities, blocking all Peer-to-Peer applications is not
an acceptable approach. The IPS provides the ability to block Peer-to-Peer applications uni-directionally
as opposed to the default bi-directional mode. This allows the University network to permit the students to
download files onto the network and transmit them to each other while blocking attempts to upload files
From the University network. To configure uni-directional support, an administrator enables the desired
Peer-to-Peer filters and creates exceptions for IP address ranges of allowed systems.
If blocking the use of Peer-to-Peer applications is not an acceptable alternative for an organization, the
TippingPoint IPS also offers the ability to Rate-Limit the Peer-to-Peer traffic. This feature allows the
network administrator to cap the amount of network bandwidth utilized by Peer-to-Peer applications.
Typically, the administrator creates a single Rate-Limit (e.g. P2P-20 Mb) and assigns this Rate-Limit as
the Action Set for the Misuse and Abuse category. This will assign all Peer-to-Peer traffic detected by the
TippingPoint IPS to a traffic pipe with a maximum bandwidth configured by the administrator.
The IPS is also able to provide fine-grain rate shaping and blocking of Peer-to-Peer traffic. Rate-limiting
can be applied independently to filters. The IPS supports 100 rate-limit action sets with ranges from Kbps
to Mbps depending on the IPS model, giving network administrators the power to create rate-limits
according to Peer-to-Peer application and technique.
Using rate-limits, network administrators can fine-tune bandwidth protection:
One Packet or Flow Matching Multiple Rate-limiters — A single packet can match two rate-
limiters. A single flow can also match two rate-limiters (such as different packets in the flow match
different filters). In either case, the engine allocates the packet (and the flow) to use the slower of
the two rate-limiters.
Multiple Filters Using The Same Rate-limiters — When two or more filters use the same rate-
limit action set, then all packets matching these filters share the rate-limit bandwidth amount. For
example, if filters A and B use the same 10Mbps rate-limit action set, then those filters share the
10Mbps pipe as opposed to each filter receiving individual 10Mbps pipes.
The TippingPoint IPS can also provide uni-directional and bi-directional rate limiting of Peer-to-Peer
applications. By utilizing the device’s Peer-to-Peer capabilities, an organization can:
Rate shape Peer-to-Peer traffic originating from outside of the core network to a lower bandwidth
than traffic originating from within the network, thereby encouraging Peer-to-Peer clients to
download from within the network and saving peering costs.
Rate shape Peer-to-Peer traffic exiting the core network to the internet to a lower bandwidth,
thereby discouraging Peer-to-Peer clients outside of the network from downloading from clients
within the network and saving peering costs.
The IPS can prevent the monitored traffic from exceeding or consuming more than a preset amount of
network bandwidth. This powerful capability controls excessive bandwidth consumption of non-mission
critical applications and ensures bandwidth availability for mission critical traffic.
Digital Vaccine Service
Peer-to-Peer technology and applications are continually
evolving with more features and capabilities. As the RIAA
and MPAA continue to wage their battle against the piracy of
copyrighted material, the Peer-to-Peer applications continue to
make their networks stealthier.
In order to provide continued management of Peer-to-Peer
traffic, the TippingPoint IPS must evolve as well. This is
accomplished through the Digital Vaccine Service. The
security professionals at TippingPoint are constantly upgrading
existing and developing new filters to detect and manage the
Peer-to-Peer traffic. The changes to the filters are distributed
in a package called Digital Vaccine. Digital Vaccines are
delivered to customers every week and can be deployed
automatically with no user interaction required. New filters are
continuously fed to the IPS to keep it up-to-date against the
latest Peer-to-Peer applications.
Advantages of Managing Peer-to-Peer Traffic
In the sections below, we will show how TippingPoint can be
utilized to solve the Legal Liabilities evolving around the Peer-
to-Peer applications and the resource constraints imposed
on the Enterprise, University and Broadband Service
Provider. We will also examine the Return on Investment seen
by customers who have deployed the TippingPoint IPS for managing Figure 6: Digital Vaccine
The possibility of legal action regarding the piracy of copyrighted material is very real for many
Universities and Enterprises. One of TippingPoint’s customers, the University of Dayton, estimates that
they received a dozen letters per month threatening legal action for piracy. After implementing the
TippingPoint’s Peer-to-Peer Piracy Prevention feature at the University of Dayton, the log reports detailed
the system blocked over one million shared files each month from leaving the university network. Using
the extensive reporting capabilities of the IPS, network administrators can receive and review detailed
evidence detailing the actions taken to prevent piracy.
Peer-to-Peer traffic often has a negative impact on many networks. Peer-to-Peer traffic can consume up
to 60% of a service provider’s network, similar percentages apply for Enterprise and University networks.
The ability of the TippingPoint IPS to rate limit Peer-to-Peer traffic is a major and immediate cost saving
feature for TippingPoint customers. Additional bandwidth is an expensive commodity to add to the
Network. For internal networks, it requires dividing the network into additional subnets or an upgrade to
higher bandwidth technologies. Both approaches require large capital equipment expenditures to achieve.
For access to external networks, this requires the purchase of additional bandwidth from service
providers. For Broadband Service Providers using asymmetric networks, the ability to rate-limit Peer-to-
Peer traffic on the upstream channel can provide immense benefits in customer satisfaction and capital
The following figure details a real world example from a TippingPoint customer that began using rate-
limiting on the Peer-to-Peer traffic in their network. Notice once the P2P rate limiting begins, mission
critical traffic flow increases. It is easiest to see with the blue HTTP traffic. This details the effect non-
mission critical traffic has on a constrained bandwidth network, and the positive effect of managing that
traffic with the IPS. Rate limiting the illegitimate traffic clears the pipe for the transmission of mission
Figure 7: This graph details an eight-day period. Each peak represents the peak traffic during that
day. All of the red data represents P2P traffic, which is rate-limited to 45Mbps on day three. The
data in blue and green represents mission critical traffic: Oracle, E-mail, and HTTP. It is not rate
limited receiving the full bandwidth advantage of the pipe.
In another customer example, the University of Dayton installed the TippingPoint IPS. Administrators
chose to allow students to retrieve shared files outside the university network, but blocked people outside
the university network from retrieving shared files located within the university. After implementing the
TippingPoint IPS, reports detailed the system blocked over one million shared files per month,
augmenting the organization’s bandwidth availability. Results from the University of Dayton showed that
the peak rate of bandwidth consumption without blocking P2P traffic or using bandwidth management
tools was approximately 30 Mbps. After blocking P2P traffic uni-directionally with the IPS, bandwidth
consumption dropped to a low of 17 Mbps within the first 30 minutes, giving a 43% increase in bandwidth
Return On Investment
The ability of the TippingPoint IPS to rate limit Peer-to-Peer traffic is a major cost saving feature and
provides a substantial factor in calculating the Return On Investment (ROI) for purchasing the device.
Broadband Service Providers have discovered that TippingPoint is unique in its ability to provide network
security and management of Peer-to-Peer applications over a heavily loaded gigabit network.
Cable MSOs are deploying the IPS today for security and bandwidth management, and they are
experiencing significant Return on Investment. For every $100,000 invested in TippingPoint, Cable MSOs
are seeing a $1M to $2M return in the first 12 months, which is typically split between security-related
benefits and bandwidth management-related benefits.
75% of the immediate ROI typically results from the benefits of blocking malicious traffic including:
Reduced customer support expense
Reclaimed network infrastructure capacity
Reduced network operation expense, especially during times of attack
The other 25% of the ROI typically results from the savings related to rate limiting upstream peer-to-peer
Reduced bandwidth expense
Reclaimed network infrastructure capacity
A high-performance intrusion prevention system can provide network security and management of Peer-
to-Peer applications, protecting vulnerable computers from compromise and conserving valuable network
resources. The same ability to identify and block malicious traffic in transit, can also be used to identify
and block or rate limit Peer-to-Peer traffic.
In order for an IPS to provide network security and management of Peer-to-Peer applications in today’s
networks, the device must perform well on multiple fronts simultaneously. Specifically, the IPS must
implement high precision filters, handle a heavily-loaded gigabit network with a full filter set enabled (no
dropped packets), and with low packet latency. To date, TippingPoint’s IPS is the only IPS shown to be
capable of meeting these fundamental requirements.10
The Growing Use of Peer-to-Peer File Sharing networks
Napster Ordered to Shut Down
Gnutella RFC Documentation
eDonkey pulls ahead in European P2P race
Incentives Build Robustness in BitTorrent (by Bram Cohen author of BitTorrent)
'BitTorrent' Gives Hollywood a Headache
RIAA, MPAA Provide Copyright Use and Security Guide To Fortune 1000 Companies
Labels settle at-work song-share dispute
NSS Group IPS Test Results, published January 2004
TippingPoint Press Release, January 2004