Phone Lines icon GFI Support Home

Articles in this section

See more

BitTorrent and Other Sensitivity Levels for Monitoring

Author: Luis Fernandes

Overview

This article describes details about the various sensitivity levels for BitTorrent.

 

Information

  • Exinda appliances allow for BitTorrent sensitivity levels to classify BitTorrent and related P2P (peer to peer) applications.

  • The higher the sensitivity level, the more potential false positives can occur. Encrypted applications are where sensitivity applies.

  • Since they are encrypted, the device must see some of the traffic and allow a small amount through before it can be identified using the Exinda Heuristics Classification engine. Exinda Heuristics analyzes and evaluates the traffic behavior for the following:

    • Stream lengths
    • Packet timing
    • Flow behavior
    • Packet size
    • Packet frequency
    • Packet contents (patterns)
    • Connection frequency
    • Connections per host
    • Response times
    • Port numbers/ranges

  • Typically, the device can classify +99.5%  of the traffic but need to see that >1% to determine the characteristics that allow for the traffic to be identified.

  • This can lead to false positives and negatives for a small number of packets.

  • When high sensitivity is used, it will lean towards the false positive side, and with a lower sensitivity, it leans towards a false negative. This becomes more critical when a discard rule is being used.

  • Exinda appliances have three sensitivity settings:

    • Low: do not attempt to detect encrypted P2P at all.
    • Med: only use known safe encrypted P2P patterns (very low chance of false positives).
    • High: use full heuristics to detect encrypted P2P patterns (still a low chance of false positives, but higher than medium).

 

Other types of Configurable Sensitivities

EDonkey Sensitivity

  • It defines how the layer 7 detection engine determines when a traffic flow may be classified as EDonkey.
  • he choices to be selected are High, Medium, or Low.
  • When set to Low, some EDonkey traffic may take several packets to classify, or may not get classified as EDonkey at all and the risk of false positives is very low.
  • When set to High, EDonkey detection is very fast and accurate, but the risk of false positives it moderate. The default setting is medium.
  • If desired, ISP/Education customers should set to High, whereas Enterprise customers should set to Low or Medium

Skype Sensitivity

  • It defines how the layer 7 detection engine determines when a traffic flow may be classified as Skype.
  • The choices are High or Medium. When set to Medium, some Skype traffic may take several packets to classify, or may not get classified as Skype at all.
  • The risk of false positives is notably low. When set to High, Skype detection is high-speed and accurate, but the risk of false positives it moderate.
  • The default setting is Medium. If improved detection is desired, all customers should set to High.


Reporting Sensitivity

  • It defines how many packets must be seen in each direction for each flow/connection before the system allows that flow/connection to be accounted for.
  • This setting should be increased for Service Providers or where the appliance is deployed on a public network where the risk of host/port scans is high.
  • This feature prevents the appliance's internal databases from been filled up with data from denial of services (DoS) attacks, port scans, etc. The default setting is 5, and it is suitable for most environments.

Related articles