Regional differences in P2P
Walter De Smedt
wdesmedt at telenet.be
Sun Jul 18 12:31:16 UTC 2004
On Fri, Jul 16, 2004 at 09:32:14PM -0400, Jared Mauch wrote:
>
> On Fri, Jul 16, 2004 at 06:15:53PM -0700, Michel Py wrote:
> >
> > >>> Michel Py wrote:
> > >>> BitTorrent is a third of p2p traffic in Sweden? Wow. In
> > >>> the US it is a small blip on the radar.
> >
> > >> Petri Helenius wrote:
> > >> Should hold water for Sweden too. Wonder why so many of the
> > >> bittorrent streams terminate in the US if it's not on your
> > >> radar. Maybe time for finetuning the radar ...
> >
> > > Jared Mauch wrote:
> > > BitTorrent is in my "top ten" tcp ports in my netflow.
> >
> > Gee I must have something wrong. How does in compare to the
> > FastTrack/Kazaa monster on your side?
>
> this is from a 10-15 min sample period, based
> on flow count, not bytecount.
>
> TOP TEN:
>
> (tcp)
> 80, 25, 6699, 4662, 1433
> 443, 445, 6881, 7171, 6346
>
> (udp)
> 53, 6257, 27960, 1026, 135
> 27015, 22321, 1027, 3310, 28960
>
> - jared
>
How are ISPs monitoring P2P traffic these days? Monitoring based on
Netflow/cflowd data and fixed port numbers for application
classification doesn't seem to do the trick anymore as more P2P
applications use random port numbers or even use port 80, with the
purpose of circumventing potential ISP policies or accounting.
With Netflow/fixed port nrs the amount of 'unknown traffic' is
increasing steadily.
The next step in P2P recognition seems to be deep packet inspection with
signature based detection. The major problem here is scalability - I
don't see some device analyzing 1G, the typical uplink capacity of
Internet gateways in a medium SP network, of traffic at layer 7.
If this should be feasable, what if P2P applications would employ
encryption schemes (e.g. IPSec) - this would render signature-based
recognition useless.
-walter
More information about the NANOG
mailing list