Why should we care about Peer to Peer (P2P) file-sharing on our network?
Is peer-to-peer a bad thing?
Peer-to-peer is a fantastic way to distribute data to a large number of people through a decentralized network of users. For example: Microsoft uses Bittorrent like protocol to distribute it's Windows 10 updates (if you're not using WSUS), Blizzard Entertainment uses it to distribute content for Starcraft II and Diablo III.
Unlawful peer-to-peer apps
So there are good peer-to-peer file-sharing protocols. But what about the 'bad'? In business we might consider the illegal downloading of movies and music as 'bad'. Applications like Bittorrent often facilitate this activity.
Bittorrent is not the only P2P file-sharing protocol of course, it was made (in)famous by Napster in the late 90s. Other P2P protocols like LimeWire, Gnutella, Kazaa, eDonkey2000 and others also exist.
It is these peer-to-peer applications that are often used for unlawful behaviour, and it is these applications you should be able to detect on your network.
So how do we detect P2P file-sharing?
You won't find it by looking at Layer 4 (transport layer)
The transport layer of the OSI model is where most routers and switches stop with their monitoring capabilities. At this layer you'll be able to see source and destination ports and IP addresses. Why isn't this enough? Well take a look at this chart:
It's just a mess of random high level ephemeral ports
Deep packet inspection brings clarity to Internet traffic
Deep packet inspection occurs at layer 7 of the OSI model
Some high end switches and routers use deep packet inspection to detect Internet traffic types at the application layer (layer 7). Without deep packet inspection it would be difficult, or impossible, to determine application types.
Lets have a look at an Internet link on a business network using deep packet inspection:
All applications are clearly labeled, even the hard to detect peer-to-peer traffic.
What do we know about the good and the bad?
- Both the good and the bad peer-to-peer file sharing use random high level ephemeral ports
- They're both very difficult to detect using standard switch and router monitoring capabilities
- Deep packet inspection is critical to determining application type