[Dshield] Enquiry about strange network usage by user

Ed Truitt ed.truitt at etee2k.net
Sat Oct 8 11:12:48 GMT 2005


I think it is time that, if your org has a policy forbidding this type of activity, then you gather the evidence (for example, packet captures showing BitTorrent usage, and logs showing where/when the transfers were done) along with your communication of the ban, and let his management deal with it (preferably in a public manner, 'as a lesson to others'). BT is certainly a type of P2P traffic, mostly used for high-volume stuff (like movies, or ISO image files).

Sometimes technical controls aren't enough, and policy controls need to be enforced to be effective.

-EdTr.
-----Original Message-----
From: Michael Thompson <mike at thompsonmike.co.uk>
Date: Fri, 7 Oct 2005 21:34:28 
To:"General DShield Discussion List" <list at lists.dshield.org>
Subject: [Dshield] Enquiry about strange network usage by user

I have banned a user from using all P2P software, and put in place a block on 
the firewall to prevent it being used.

I am watching the network sniffer logs, and I see loads of this:

158.053449 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.103187 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.113353 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.160275 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.179096 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.224196 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.233660 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050

For about 5 minutes, then loads of handshakes and transfers from BitTorrent. 
What are these mass UDP connections?? Anyone know? Part of the P2P crap?

Any help appreciated...

-- 
Mike

To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A
http://www.thompsonmike.co.uk

I don't need to outrun the bear, just the guy next to me...

Cheers,
-E D Truitt

Sent via my BlackBerry from Cingular Wireless
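An added example, not from either poster or the list: it parses sniffer lines in the format Mike quoted and reports UDP flows that repeat between the same endpoints within a short window, the kind of evidence Ed suggests gathering before going to management. The sample lines are constructed from the post (one unrelated DNS line added), and the packet and window thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample in the sniffer format quoted in the thread; the last
# line is an unrelated DNS query added so the filter has something to ignore.
SAMPLE_LOG = """\
158.053449 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.103187 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.113353 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.160275 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.179096 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.224196 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
158.233660 192.168.1.28 -> 141.84.69.81 UDP Source port: 3056  Destination port: 1050
160.000000 192.168.1.28 -> 192.168.1.1 UDP Source port: 1234  Destination port: 53
"""

# One sniffer line: relative timestamp, src -> dst, protocol, source/destination ports.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+UDP\s+"
    r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)"
)


def parse_lines(text):
    """Yield (timestamp, src, dst, sport, dport) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m["ts"]), m["src"], m["dst"], int(m["sport"]), int(m["dport"]))


def persistent_udp_flows(text, min_packets=5, max_window=10.0):
    """Group packets by (src, sport, dst, dport) and return the flows seen at
    least min_packets times within max_window seconds (thresholds assumed)."""
    flows = defaultdict(list)
    for ts, src, dst, sport, dport in parse_lines(text):
        flows[(src, sport, dst, dport)].append(ts)
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        duration = stamps[-1] - stamps[0]
        if len(stamps) >= min_packets and duration <= max_window:
            report[key] = {"packets": len(stamps), "seconds": round(duration, 6)}
    return report


if __name__ == "__main__":
    for (src, sport, dst, dport), stats in persistent_udp_flows(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {stats['packets']} pkts in {stats['seconds']} s")
```

The flagged flow tuple and timestamps are what you would keep alongside the full packet capture; the script only narrows down which flows to pull from it.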

