How to stop torrents at work?
August 11, 2008 7:13 PM

I'm sure this question will not make me the most popular student at the dance, but is there a way to identify (via IP) machines running BitTorrent clients within an internal network (i.e. work)? My company has around 50 employees, and the old, "Please don't torrent at work" doesn't seem to be doing much good anymore. It brings our email and web browsing to a near standstill, and dropping by the "usual suspects" is not only tiresome, but doesn't seem to find all the sources of traffic any longer. Any help would be appreciated, thanks.
posted by numlok to Computers & Internet (26 answers total) 5 users marked this as a favorite
Well, there are two main ways. One is to buy expensive commercial traffic shaping software and use that.

The other is to get a simple network monitoring tool (many of these are free, but you'll have to ask someone else for a program name) hooked up to your server/router/whatever device you use as your company gateway. You don't have to analyze a single packet, just look for an address that has a lot of traffic spread out over a large number of simultaneous connections and is both downloading and uploading. That's a pretty clear giveaway that they're doing something they shouldn't be, as simple downloading, even of really big files, tends to only use a single connection and should be largely one way. You can then either drop the banhammer or execute whatever reprisals you feel are necessary.

If you're looking for a way of telling when your employees are torrenting, that should do it. If you're looking for a way of preventing them from doing it... yeah, not sure I can help you there.
posted by valkyryn at 7:24 PM on August 11, 2008

Do you have a managed switch? If so, I'd recommend running mrtg on the switch output; this would show you which port (and therefore which station) is using the most bandwidth. This seems like the core of the problem: there are legitimate uses for bittorrent; what you need to deal with is bandwidth utilization.

Fifty people is about the size company where investing in managed core switches starts to be useful.
posted by jenkinsEar at 7:24 PM on August 11, 2008

"If you're looking for a way of preventing them from doing it... yeah, not sure I can help you there."

Fire one of them. That should do it.
posted by Mephisto at 7:43 PM on August 11, 2008 [4 favorites]

You could set up a firewall machine using something like m0n0wall or pfSense, or one of the many Linux based ones out there, between your internet connection and the LAN.

Whatever shaping solution you choose, the easiest way to shape torrents is to guarantee chunks of bandwidth to the ports you need, like web, the various mail ports, voip, etc. and throttle everything else. Open up the floodgates for traffic that's vetted, but throttle everything else to manageable levels.
posted by tomierna at 7:44 PM on August 11, 2008 [1 favorite]

Another option is to configure your network (firewall thingie) to block all ports besides the ones you actually use in the business environment (HTTP = 80). This will avoid the whole cat-and-mouse chase.
posted by Ky at 7:45 PM on August 11, 2008 [1 favorite]

You could send a fake-but-not-really cease and desist notice to the usual suspects. Make it seem like it came from the real guys (but obviously don't lie for legal reasons, just use scary language).
posted by phunniemee at 7:56 PM on August 11, 2008

Ky writes "Another option is to configure your network (firewall thingie) to block all ports besides the ones you actually use in the business environment (HTTP = 80). This will avoid the whole cat-and-mouse chase."

Don't use a hand grenade when a scalpel will do the job.

Besides, plenty of businesses use FTP (which just grabs up ports), SSL (port 443), email (ports 25 & 110), and telnet (port 23).
posted by orthogonality at 8:02 PM on August 11, 2008

So, this may be a completely noobish answer, but couldn't you either (or both)

1) block the torrent sites via the network firewall.

2) take a look at the installed programs on each computer (assuming they are desktops that are left at work at the end of the day) and see who has a torrent client installed? This is a bit tedious, but if you follow up with an official reprimand and a threat that it could affect the employee's next review, I'm sure you would kill the practice.
posted by oddman at 8:04 PM on August 11, 2008

Look into SNORT. It is a free and respected Intrusion Detection System. It can be a little tedious to set up but if you can mirror a port near the top of your network (close to WAN router), it will tell you what you want. An IDS is a nice system to have even if you're not on the hunt. I use a commercial IDS at work and it provides all types of nifty info about what is going down on the network.

You can also mirror a port to a computer running Wireshark and filter on the well known bt ports.
posted by nivekraz at 8:06 PM on August 11, 2008

I just checked Wireshark and you can filter with just "bittorrent" in the filter box. Pretty easy.

And to stop them, block them with your firewall (if it's commercial, it probably has some bittorrent rules built in) or use an access list in your router to block the ports. If you have policy aware switches, you can block them at the user port.
posted by nivekraz at 8:17 PM on August 11, 2008
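
Added example (not part of the thread): a protocol filter of the kind described above can key on the fixed BitTorrent handshake, which opens with a length byte of 19, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id. The sketch below checks the first payload of each TCP stream for that header; the addresses, the internal range and the sample payloads are constructed.

```python
import ipaddress

PSTR = b"BitTorrent protocol"
# 1 length byte + 19-byte protocol string + 8 reserved + 20 info_hash + 20 peer_id
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20

def parse_handshake(payload):
    """Return {'info_hash': hex or None} if payload opens with a handshake, else None."""
    if len(payload) < 1 + len(PSTR):
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    if len(payload) < HANDSHAKE_LEN:
        return {"info_hash": None}      # header matched, segment cut short
    return {"info_hash": payload[28:48].hex()}

def torrent_hosts(segments, lan="192.168.1.0/24"):
    """segments: (src_ip, dst_ip, tcp_payload). Returns per-internal-host hit summary."""
    net = ipaddress.ip_network(lan)     # assumed internal range
    hits = {}
    for src, dst, payload in segments:
        hs = parse_handshake(payload)
        if hs is None:
            continue
        for ip in (src, dst):
            if ipaddress.ip_address(ip) in net:
                entry = hits.setdefault(ip, {"handshakes": 0, "info_hashes": set()})
                entry["handshakes"] += 1
                if hs["info_hash"]:
                    entry["info_hashes"].add(hs["info_hash"])
    return hits

def make_handshake(info_hash, peer_id):
    """Build a handshake for the constructed sample below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id

# Constructed sample: first payload of four TCP streams seen on a mirror port.
SAMPLE = [
    ("192.168.1.23", "203.0.113.9", make_handshake(bytes(range(20)), b"-XX0001-abcdefghijkl")),
    ("198.51.100.4", "192.168.1.23", make_handshake(bytes(range(20)), b"-YY0002-mnopqrstuvwx")),
    ("192.168.1.40", "203.0.113.80", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.168.1.77", "203.0.113.9", bytes([19]) + PSTR + bytes(4)),  # truncated capture
]

if __name__ == "__main__":
    for ip, info in sorted(torrent_hosts(SAMPLE).items()):
        print(ip, info["handshakes"], sorted(info["info_hashes"]))
```

A match only covers cleartext TCP peers; clients using protocol encryption or UDP transport will not show this header, which is where volume-based monitoring takes over.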

In between the suggestions of Ky and orthogonality, you could just restrict the confirmed (or merely suspected) culprits to port 80, and only let them back on to an unrestricted network once they get their shit together.

Or just fire one of them. I like that one, too.
posted by astrochimp at 8:20 PM on August 11, 2008

Use tools to analyze the traffic. For so few users, I'd use wireshark, myself. It shouldn't take long to find the person with the highest traffic usage. You could then examine their packets deeper, or just go to their desk and tell them:

a) You know what they are doing.

b) Continuing to do that will now result in being fired, as they are now officially warned.

c) If it is company policy they keep their shit on the corporate fileserver, time to wipe their hard drive with DBAN so there's no warez on their machine, and check out their stuff on the servers for warez too. If they need to get their "important stuff" off the machine first, inform them they may save it to the fileserver while you watch. Remind them that warez on the fileserver will be deleted. No bringing that stuff home, no USB sticks, no DVD burners, none of that.

d) If you can't fire them for a second violation, use your firewalling software to throttle them to 50 kbits. It's enough to do basic websurfing (although it is a little slow), but way too slow to make torrents useful. And even if he keeps doing it, he won't impact your other users. I might also suggest you install some web proxy software like squid so that they can bypass the 50 kbit limit. Of course, AFAIK, there's no way to do anything but direct-download warez over an http proxy, unless the guy has the balls to try out httptunnel. At which point you might want to consider him for a different job... :-D
posted by shepd at 9:00 PM on August 11, 2008

numlok, what kind of client OSes and do the users have local administrative privileges? Given the answers, there may be ways you can deal with this from the client workstation end too.
posted by JaredSeth at 9:00 PM on August 11, 2008

Log in to your firewall's administrative interface. You probably have a mid-class device that will give you at least some stats on incoming and outgoing traffic. Look for the big numbers. If that doesn't work, do what the other folks suggest and use Wireshark or Microsoft Network Monitor on Windows.
posted by cnc at 9:36 PM on August 11, 2008

Look into ntop and the netflow protocol. Set up your network router/switch/dingus to support netflow and send it to your collector. You will then have a nice, accurate map of who's doing what. Take that, then tell the offenders in no uncertain terms this isn't allowed at work.

Technical solutions exist for throttling or blocking torrents but the protocols are constantly evolving and this isn't a war you want to get involved in. You should treat it the same way you would treat someone downloading porn at work: very bad behavior.
posted by chairface at 11:09 PM on August 11, 2008
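
Added example (not part of the thread): the heuristic from the first answer (many simultaneous connections with traffic flowing both ways) applied to the kind of per-flow records a NetFlow collector provides. The record layout, the internal range, both thresholds and the sample data are assumptions made for this sketch; distinct remote endpoints stand in for simultaneous connections.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range
MIN_PEERS = 20      # assumed threshold: distinct remote endpoints per host
MIN_BALANCE = 0.2   # assumed threshold: min(up, down) / max(up, down)

def summarize(flows):
    """flows: (src_ip, dst_ip, byte_count) records, e.g. from a NetFlow collector."""
    stats = defaultdict(lambda: {"peers": set(), "up": 0, "down": 0})
    for src, dst, nbytes in flows:
        src_in = ipaddress.ip_address(src) in LAN
        dst_in = ipaddress.ip_address(dst) in LAN
        if src_in and not dst_in:       # outbound: internal host uploading
            stats[src]["peers"].add(dst)
            stats[src]["up"] += nbytes
        elif dst_in and not src_in:     # inbound: internal host downloading
            stats[dst]["peers"].add(src)
            stats[dst]["down"] += nbytes
    return stats

def suspects(flows):
    """Hosts with many remote endpoints AND substantial traffic in both directions."""
    found = []
    for host, s in summarize(flows).items():
        hi, lo = max(s["up"], s["down"]), min(s["up"], s["down"])
        balance = lo / hi if hi else 0.0
        if len(s["peers"]) >= MIN_PEERS and balance >= MIN_BALANCE:
            found.append((host, len(s["peers"]), s["up"], s["down"]))
    return sorted(found, key=lambda row: -row[1])

def sample_flows():
    """Constructed flow records for three hosts."""
    flows = []
    for i in range(1, 41):              # 10.0.0.15: 40 peers, traffic both ways
        flows += [("10.0.0.15", f"203.0.113.{i}", 4_000_000),
                  (f"203.0.113.{i}", "10.0.0.15", 6_000_000)]
    flows += [("10.0.0.8", "198.51.100.7", 200_000),       # one large download
              ("198.51.100.7", "10.0.0.8", 700_000_000)]
    for i in range(1, 26):              # 10.0.0.30: 25 web sites, nearly all inbound
        flows += [("10.0.0.30", f"192.0.2.{i}", 20_000),
                  (f"192.0.2.{i}", "10.0.0.30", 900_000)]
    return flows

if __name__ == "__main__":
    for row in suspects(sample_flows()):
        print(row)
```

Only 10.0.0.15 is reported: the single large download fails the fan-out test and the web browsing fails the balance test, so neither is mistaken for peer-to-peer traffic.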

I would issue a memo to all employees that BT at work = suspension, BT at work twice = fired.

Then I would do as someone else mentioned and log into my firewall/router's web interface when traffic has slowed to a crawl and look at the graph for which local IP is sucking up a lot of speed, then look at the computer name associated with that IP and make an immediate, focused, "Johnson power down your computer now and get in my office" visit.
posted by TomMelee at 5:02 AM on August 12, 2008

2nding Ky's approach.

Also, I haven't done this myself, but I would also think that if your corporate internet access is through a logging proxy, you could just search the proxy logs for all hits on .torrent files, join the same trackers with your own BT client, and fish out the culprits from the list of IP addresses of seeds and peers.

This could maybe even be automated by scripts - there are many good open-source BT programming libraries out there.
posted by XMLicious at 7:15 AM on August 12, 2008
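
Added example (not part of the thread): the proxy-log search described above, grouping .torrent fetches by client address. It assumes Squid's native access.log field order and uses constructed log lines; beyond the post's suggestion it also matches the application/x-bittorrent content type and HTTP tracker announce requests carrying an info_hash parameter.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (assumed format):
# time elapsed client action/code bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1218481980.123    310 192.168.1.23 TCP_MISS/200 18234 GET http://files.example.org/iso/distro-8.04.iso.torrent - DIRECT/203.0.113.9 application/x-bittorrent
1218481991.456     95 192.168.1.40 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.80 text/html
1218482002.789    120 192.168.1.23 TCP_MISS/200 412 GET http://tracker.example.net/announce?info_hash=%12%34&port=6881 - DIRECT/203.0.113.10 text/plain
1218482010.000    200 192.168.1.77 TCP_MISS/200 9000 GET http://dl.example.org/get.php?id=42 - DIRECT/203.0.113.11 application/x-bittorrent
garbage line
"""

def classify(url, content_type):
    """Return a label for torrent-related requests, or None for everything else."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.endswith(".torrent"):
        return "torrent-file"
    if content_type.lower() == "application/x-bittorrent":
        return "torrent-mime"           # served by a script, no .torrent in the URL
    if path.endswith("/announce") and "info_hash=" in parts.query:
        return "tracker-announce"       # client checking in with an HTTP tracker
    return None

def torrent_hits(log_text):
    """Map client IP -> list of (label, url) for torrent-related requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:            # skip malformed or truncated lines
            continue
        kind = classify(fields[6], fields[9])
        if kind:
            hits[fields[2]].append((kind, fields[6]))
    return dict(hits)

if __name__ == "__main__":
    for client, entries in sorted(torrent_hits(SAMPLE_LOG).items()):
        for kind, url in entries:
            print(client, kind, url)
```

Requests tunnelled through the proxy with CONNECT (HTTPS) log only the destination host and port, so they will not match on path or content type.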

A little social engineering goes a long way. With only 50 employees, it wouldn't take more than a couple hours to run some quick searches for media files, .torrent files, etc. Having the boss randomly walking the halls and 'stopping in to say hi - say what that's button do?' could go a long way as well.

The memo idea could work as well, especially if worded in such a way that implied they already knew who it was. Torrent downloaders aren't exactly known for following the rules, though the threat of losing their job may well be enough.
posted by chrisinseoul at 7:21 AM on August 12, 2008

I can recommend ntop. Convert any old spare beater PC into a linux box with two network cards, and run the web-based ntop on it. Use your switch to mirror the lan port of your 'net router into the second card of the ntop box (don't give that card an IP); it will then receive a copy of all packets going to and from your router internally from the users, and tell ntop to monitor that card.
If you can't do that with your switch, replace it, or use a hub between your switch and router, with the ntop box plugged into the hub also. Cheap and dirty, but it works. If you've no old hubs, a network tap is designed for this kind of job, but may be overkill for your needs.

You can then analyse everything that's going in and out of your network, including who's sucking up all the bandwidth at any given moment - regardless of whether it's bittorrent, http or even a vpn outbound connection if they're trying to be clever in hiding it. It also keeps historical logs by mac/IP etc, network destinations etc etc.

It's up to your management policies then to deal with the offender, whether it's hitting them with a cluebat or putting them on a port restricted outbound connection. Just make sure the policies and punishment are made clear to the users before you start monitoring, if you haven't already.
posted by ArkhanJG at 7:48 AM on August 12, 2008

I can also recommend setting up a proper traffic shaping solution between your lan and the router, but that requires a greater investment in kit (you need something reliable, after all!) and a decent amount of knowledge if you're going to roll your own on moonwall et al rather than buy in a commercial solution like smoothwall corporate, or even a hardware based shaping router.

Cluebat strikes on the usual suspects with proof and management backup may well be simpler and get you less grief from the rest of the now throttled cow-workers. I speak from experience.
posted by ArkhanJG at 7:57 AM on August 12, 2008

It sounds like you're more concerned with bandwidth than potential for piracy (though I'm sure everyone is just downloading their favorite linux distro or creative-commons-licensed movie). If this is the case, one happy medium might be to manually configure all the BT clients to throttle their upload speed (this is more likely the culprit than the download speed, trust me). Your employees will be able to change them back, but depending on office politics, this might be an acceptable compromise (as opposed to firings). Of course, it does have the negative consequence of enabling those naughty employees to continue their naughty ways.

If this is impractical, go with a managed switch with a web interface. You can also configure a firewall to do something similar if you already own one, but the switch will be easier to configure.
posted by antonymous at 9:37 AM on August 12, 2008

Response by poster: Thanks to everyone for the great responses, I truly appreciate all of the assistance.

As antonymous suspected, it is true that I'm more concerned with bandwidth than content (at the moment), and I actually have personally configured several torrent apps found to upload at a max of 2kbps... However, as the "bogging" still persists, I believe there are some I've missed. I'm not generally anti-torrent, and wish I didn't have to ban its use entirely, but it seems that's going to be the easiest and most practical solution.

Having said that, I think I'm going to try and get into the switches first, and see what "trouble" I can stir up there. We are using Dell managed switches (Powerconnect 5448), so it seems to be mainly a matter of me figuring out how to do some actually "managing".

I did check out Wireshark, which looks like a very useful tool. That'll likely be my next step if I run into any issues with the switches.

Beyond all of that, I've got a really nice Cluebat on order.

Thanks again for all of your suggestions!
posted by numlok at 11:57 AM on August 12, 2008

FWIW: I remember reading an article a while back that Bittorrent creates a lot of overhead in its co-ordination, and that it's not necessarily the amount of traffic that slows things down but intensity of requests and what-not Bittorrent does.

This isn't the article, but might give some insight. I know squat about protocols, but from what I gathered Bittorrent is not very effective and easily bottlenecks routers/switches. I know I've gummed up our wifi-router having thirty torrents going but hardly any in/out-coming downloads.
posted by monocultured at 4:52 PM on August 12, 2008

From a Windows point of view you could always just set up GPOs (if you run Windows and have an AD infrastructure) to restrict users from launching .torrent files. If some employees have a legitimate need for it just make a separate OU or filter the policy... It's pretty simple if you already have the infrastructure in place.
posted by zennoshinjou at 8:53 AM on August 13, 2008

"From a Windows point of view you could always just set up GPOs (if you run Windows and have an AD infrastructure) to restrict users from launching .torrent files."

Wouldn't that only work if they're connecting to the tracker by clicking on a link or something? I normally paste the URL of the .torrent into my BT client and I don't think a policy like the one you're talking about would stop that.

But in general, Windows policy management stuff is great.
posted by XMLicious at 2:19 PM on August 13, 2008

Good point, XM... that would certainly bypass that method. There are other options from a GPO point of view but it seems like this person got what they wanted above.
posted by zennoshinjou at 8:24 AM on August 14, 2008
