For what it's worth - pattern-based traffic policies were
supported by a number of firewall vendors at least three
years ago. The vast majority of these boxes from the vendor I
was working for went directly to ISPs.

If I am to guess, I'd say that encrypted p2p traffic is
detected by a combination of factors - one being that it is
a known unwanted protocol or NOT one of the "benign" ones,
and two, that it has a lot of randomness to it. Or it could be
something as simple as capping SSL sessions on non-standard
ports (not 443, 995, etc.).

The idea of hiding data in HTTP streams is pretty old; there
is the very clever GNU httptunnel project, which can be further
combined with something like stunnel to build an encrypted data
stream that looks and smells like HTTP.

Throttling down HTTP with a lot of randomness in it is very
impractical, because it would effectively kill all JPG and
PNG downloads... or any decently compressed stuff, for that
matter.

With SMTP the situation is different, because more and more
ISPs intercept outbound connections to port 25 in an effort
to deal with spam botnets. So, I'd say SMTP is a no-go.

It'd be interesting to see if ICMP can be used to bypass 
filters. There's actually a slim chance that ICMP tunneling 
can also be used to bypass even general bandwidth caps.

Alex

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of H. 
> Lally Singh
> Sent: Wednesday, September 19, 2007 2:09 PM
> To: theory and practice of decentralized computer 
> networks<[email protected]>
> Subject: Re: [p2p-hackers] How do ISPs detect p2p traffic?
> 
> C'mon, I doubt these guys are that sophisticated.  They're
> not going to buy specialized hardware to scan for this stuff,
> nor develop anything too fancy when their biggest concern is
> the Kazaa customers who leave their machines online all day,
> uploading gigabytes of data.
> 
> I'll guess port # range, probably mixed in with some bandwidth
> use thresholds before throttling.
> 
> 
> 
> On 9/19/07 5:04 PM, "Michael Rogers" <[EMAIL PROTECTED]> wrote:
> 
> > Charles Iliya Krempeaux wrote:
> >> Maybe people should be hiding things out in the open.
> >> Like, make it look like normal (unencrypted) HTTP, SMTP, or
> >> POP3 traffic (or something pretty common like those)... and
> >> hide the data in the data stream.
> > 
> > It would be interesting to know how they're detecting
> > encrypted traffic - measuring redundancy, as in the recent
> > Skype paper, or just throttling anything that's not a
> > recognised plaintext protocol? If the former, how much
> > redundancy do you have to add to get round the filter? If the
> > latter, can you just tack "GET / HTTP/1.0" to the beginning of
> > every connection?
> > 
> > Cheers,
> > Michael
> > _______________________________________________
> > p2p-hackers mailing list
> > [email protected]
> > http://lists.zooko.com/mailman/listinfo/p2p-hackers
> > 
> 
> -- 
> H. Lally Singh
> Ph.D. Candidate, Computer Science
> Virginia Tech
> [EMAIL PROTECTED]
> 

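As an added example (not code from the thread, and not any vendor's product), here is a toy model in Python of the three heuristics Alex and Michael discuss: a plaintext-protocol signature check, an "SSL on a non-standard port" rule, and a byte-entropy rule. It goes a little beyond the thread by running all three over constructed sample flows, so one can see that tacking "GET / HTTP/1.0" onto an encrypted stream defeats the protocol check but not the entropy check, and that the entropy check also throttles a compressed image download, which is the false positive Alex points out. The port list, the 7.5 bits/byte threshold, and every sample payload are assumptions made up for the example.

```python
"""Toy model of the ISP-side heuristics discussed in the thread:
protocol recognition, TLS on non-standard ports, and payload entropy.
Everything here is constructed for illustration; the policy, ports and
threshold are assumptions, not any vendor's real rules."""
import math
import random
import zlib
from collections import Counter

# Assumption: ports on which the policy tolerates SSL/TLS (443 HTTPS,
# 465 SMTPS, 993 IMAPS, 995 POP3S); TLS to any other port is "non-standard".
BENIGN_TLS_PORTS = {443, 465, 993, 995}


def shannon_entropy(data: bytes) -> float:
    """Plug-in byte entropy in bits/byte: roughly 4-5 for HTTP text,
    close to 8 for ciphertext and for well-compressed bodies (JPEG, PNG)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_plaintext_http(payload: bytes) -> bool:
    """Cheap signature match on the opening bytes of a request or response."""
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1."))


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """SSLv3/TLS record: type 0x16 (handshake), version 0x03 0x0X, 2-byte
    length, then handshake type 0x01 (ClientHello). SSLv2 framing differs
    and is deliberately not covered here."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def classify(dst_port: int, payload: bytes, use_entropy: bool,
             threshold: float = 7.5) -> str:
    """Return "allow" or "throttle:<reason>" for the opening bytes of a flow.
    use_entropy=False is the "recognised plaintext protocol or not" policy;
    use_entropy=True additionally throttles recognised HTTP whose bytes are
    too random. The 7.5 bits/byte threshold is an assumption."""
    if looks_like_tls_client_hello(payload):
        return "allow" if dst_port in BENIGN_TLS_PORTS else "throttle:tls-on-nonstandard-port"
    if not looks_like_plaintext_http(payload):
        return "throttle:unrecognised-protocol"
    if use_entropy and shannon_entropy(payload) > threshold:
        return "throttle:high-entropy"
    return "allow"


# --- constructed sample flows (not captured traffic) -----------------------
_rng = random.Random(2007)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


# Stand-in for ciphertext: seeded pseudo-random bytes.
ENCRYPTED_P2P = _random_bytes(4096)

# TLS record header + ClientHello handshake type byte, padded with filler.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(47)

HTTP_REQUEST = (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                b"User-Agent: demo\r\n\r\n")

# Michael's trick: tack "GET / HTTP/1.0" onto the front of an encrypted stream.
HTTP_TUNNEL = b"GET / HTTP/1.0\r\n" + ENCRYPTED_P2P

# Stand-in for a JPEG download: an HTTP response whose body is deflate-
# compressed redundant text (zlib instead of a real image so it builds offline).
_words = [b"alpha", b"bravo", b"charlie", b"delta", b"echo", b"foxtrot",
          b"golf", b"hotel", b"india", b"juliet", b"kilo", b"lima",
          b"mike", b"november", b"oscar", b"papa"]
_text = b" ".join(_rng.choice(_words) for _ in range(10000))
HTTP_IMAGE_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
                       + zlib.compress(_text, 9))

SAMPLE_FLOWS = [
    ("encrypted p2p, port 6881", 6881, ENCRYPTED_P2P),
    ("TLS ClientHello, port 443", 443, TLS_CLIENT_HELLO),
    ("TLS ClientHello, port 6881", 6881, TLS_CLIENT_HELLO),
    ("plain HTTP request", 80, HTTP_REQUEST),
    ("HTTP header + encrypted body", 80, HTTP_TUNNEL),
    ("HTTP image download", 80, HTTP_IMAGE_RESPONSE),
]

if __name__ == "__main__":
    for name, port, payload in SAMPLE_FLOWS:
        print(f"{name:30s} entropy={shannon_entropy(payload):.2f} "
              f"proto-only={classify(port, payload, False):34s} "
              f"with-entropy={classify(port, payload, True)}")
```

Run as a script it prints one line per constructed flow with its entropy and the verdict under each policy; the "HTTP image download" row is the one that shows why an entropy rule on HTTP is impractical, since it is throttled exactly like the tunnel.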