
Detecting And Blocking Of BitTorrent Transmission

Posted on: 2007-02-17
Degree: Master
Type: Thesis
Country: China
Candidate: B Guo
Full Text: PDF
GTID: 2178360182996017
Subject: Software engineering
Abstract/Summary:
BitTorrent was presented by Bram Cohen in 2002 for distributing files. Because of its excellent performance, BitTorrent became world-famous in a very short time and became the most popular way of downloading files.

BitTorrent is an advanced P2P protocol that differs considerably from classic P2P protocols. Its most distinctive feature is that it keeps downloaders uploading pieces of files to each other, so they make the best use of the bandwidth and reduce the bandwidth load on the peer that initially shared the files. Generally speaking, the more peers there are, the higher the download speed can be, so BitTorrent is well suited to sharing big files such as software and movies.

A BitTorrent transmission involves five entities: the files to be shared, the metainfo file, the web server, the tracker server and the BitTorrent client. The metainfo (.torrent) file is a text file described in BEncoding, containing the description and index of the files to be shared. Certain parts of the metainfo file can be SHA1-hashed into 20 bytes, which is the only identifier of the BitTorrent task; we name it info_hash. The web server runs an ordinary web service, where users may publish or download metainfo files. The tracker server keeps a few peer lists corresponding to the BitTorrent tasks.

Here is an example of a typical BitTorrent transmission: User A wanted to share some files, so he created a metainfo file for them and published it on the web. After that, user B intended to download the files that user A was sharing. So user B downloaded the metainfo file and opened it with a BitTorrent client. As soon as he clicked to run the BitTorrent task, the client sent several status reports to every tracker server over HTTP, and within a second each tracker returned a list of peers who were downloading the same thing. Afterwards, user B's client sent several handshake messages to the peers on the list, got connected and started to download.
After he finished downloading, he should continue to upload data to the other peers. The piece downloading strategy, the queuing algorithm and the choking algorithm guarantee the excellent performance of BitTorrent transmission.

There is no doubt that BitTorrent is an advanced technology for distributing files. But unlimited use of BitTorrent will result in the exhaustion of bandwidth. If there are some BitTorrent downloaders on an Ethernet, the other users will suffer from a low-speed connection. On the other hand, though BitTorrent can be used to distribute Linux disc images or net game clients, it also helps people share pirated copies of software and movies. So it is necessary to monitor and limit the use of BitTorrent.

In order to detect BitTorrent transmission, we should sniff all of the data packets and distinguish BitTorrent packets from the crowd. Since most BitTorrent packets do not have evident characteristics, there is no direct way to know which packet is created by BitTorrent and which is not, so we have to identify them indirectly. Fortunately, there are two categories of packets that can easily be recognized as BitTorrent packets: the status report from peer to tracker and the handshake between peers. From these two categories of packets, we can get some IPs and ports that are running BitTorrent. We can also know which port is a listening port and which connection is a BitTorrent connection. We may take it for granted that a connection with a listening port at one end is a BitTorrent connection, and we can also consider every packet on a BitTorrent connection to be a BitTorrent packet. Interpreted with the BitTorrent protocol, the packets can give us more details.
From the relationships between peers and these details, we can learn a lot about the whole structure of the BitTorrent network, such as the IPs and ports of a connection, the info_hash of the task they are running, the trackers they are using, the peers they have connected to, and their download and upload speeds. Furthermore, we can identify the HTTP download of metainfo files by matching certain strings. If we copy every packet in the download procedure and assemble them in order, what we get is a whole metainfo file. The metainfo file contains the directory names and file names of what is being shared, and the corresponding info_hash can also be derived from the metainfo.

Based on the recognition of BitTorrent transmission, we may take various actions to block it. The easiest and most practical way is to configure the network device so that it drops the packets whose destination is a tracker server. If that works, though we cannot block all BitTorrent transmission, users may have great difficulty in beginning the download. To block all BitTorrent packets, we had better develop a kind of network device that can recognize BitTorrent packets and then drop them, using the monitoring technique described above. But before that, we could also take other steps, which are different in approach but equally satisfactory in result. If we find that a status report was sent from a peer to a tracker server, we counterfeit an ACK packet and send it back to the peer. The peer will then think that no other peer is downloading the same thing, so the download cannot begin. If we find that a handshake message was sent from one peer to another, we also counterfeit an ACK packet and send it back to the peer who originally sent it. In that packet the RST flag is set, so the BitTorrent connection is killed silently. To carry this out, we should deploy a PC near the switch.
The PC must have two Ethernet cards, one for receiving all of the packets passing through the switch and the other for sending counterfeit packets. The technique of sending counterfeit packets is just like session hijacking, which is often used by hackers. But what we want to do is break the BitTorrent connection, and the normal use of the network is not likely to be affected.

Following the theory of detecting and blocking BitTorrent transmission described in this text, I wrote programs to carry it out: BtMonitor for detecting and BTwall for blocking. The two programs are based on Windows, and the IDE is Microsoft Visual C++ .NET 2003. I used WinPcap, an open source library, to capture packets. As long as the two programs are deployed correctly, the BitTorrent detecting and blocking functions work well, which also proves the theory presented above to be true.
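
The indirect identification described in the abstract (recognize status reports and handshakes, learn listening ports from them, then label every packet on a connection that touches a listening port) can be sketched as follows. This is an added example, not BtMonitor's code; the 68-byte handshake layout and the `info_hash`/`peer_id`/`port` query parameters are taken from the BitTorrent protocol specification rather than the abstract, and the names `Monitor`, `observe` and `demo` are hypothetical.

```python
from urllib.parse import parse_qs, quote_from_bytes, urlsplit

PSTR = b"\x13BitTorrent protocol"  # length byte (19) + protocol name

def parse_handshake(payload):
    # Handshake = PSTR (20) + reserved (8) + info_hash (20) + peer_id (20) bytes.
    return payload[28:48] if len(payload) >= 68 and payload.startswith(PSTR) else None

def parse_announce(payload):
    # Status report = HTTP GET whose query carries info_hash, peer_id and port.
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return None
    q = parse_qs(urlsplit(parts[1].decode("latin-1")).query, encoding="latin-1")
    ih = q.get("info_hash", [""])[0].encode("latin-1")  # raw percent-decoded bytes
    if len(ih) != 20 or "peer_id" not in q or not q.get("port", [""])[0].isdecimal():
        return None
    return ih, int(q["port"][0])

class Monitor:
    def __init__(self):
        self.listeners = {}    # (ip, listening port) -> info_hash as hex
        self.trackers = set()  # (ip, port) endpoints that received a status report
    def observe(self, src, dst, payload):  # src and dst are (ip, port) tuples
        ann = parse_announce(payload)
        if ann:
            self.listeners[(src[0], ann[1])] = ann[0].hex()
            self.trackers.add(dst)
            return "announce"
        ih = parse_handshake(payload)
        if ih is not None:
            if src not in self.listeners:  # the opening handshake goes to the listener
                self.listeners.setdefault(dst, ih.hex())
            return "handshake"
        if src in self.listeners or dst in self.listeners:
            return "bittorrent"  # opaque data on a connection with a listening port
        return "unknown"

def demo():
    # Constructed traffic: documentation-range IPs, made-up info_hash and peer ids.
    h = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
    a, b, t = ("192.0.2.10", 50000), ("192.0.2.20", 6881), ("198.51.100.5", 6969)
    get = (b"GET /announce?info_hash=" + quote_from_bytes(h).encode() +
           b"&peer_id=-XX0001-abcdefghijkl&port=6881&left=0 HTTP/1.1\r\n\r\n")
    pkts = [(("192.0.2.20", 51000), t, get),
            (a, b, PSTR + bytes(8) + h + b"-XX0002-abcdefghijkl"),
            (b, a, b"\x00\x00\x00\x01\x02"), (a, t, b"GET /index.html HTTP/1.1\r\n\r\n")]
    m = Monitor()
    return [m.observe(s, d, p) for s, d, p in pkts], m
```

The third constructed packet has no recognizable signature and is labelled only because its source endpoint was learned from the earlier status report, which is the heuristic the abstract relies on.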
Keywords/Search Tags: Transmission