SANS Top-20 Internet Security Attack Targets: P2P Filesharing Attacks (2/3)  
Author: Max : 2006/11/22
P2P Filesharing Attacks 

C3.3 Detecting P2P activity

Detecting P2P activity on the network can prove to be challenging. It is possible to detect P2P software running on your network by:


  • Monitoring traffic for the common ports used by P2P software. This works for some well-known older programs; however, many programs have moved on to using HTTP, HTTPS and other ports that commonly need to be passed through firewalls and proxies.

  • Application layer monitoring for P2P protocols can identify programs that use commonly allowed ports (53, 80). However, it fails when more malicious programs encrypt the payload.

  • Some host based intrusion prevention software and system change auditing tools can prevent the installation or execution of P2P applications along with other malware.

  • Pattern-matching / behavioral intrusion detection systems can identify potential P2P members. Patterns observed include the frequency, timing and size of communication bursts.

  • Scanning network and PC storage for content commonly downloaded by P2P users, including *.mp3, *.wma, *.avi, *.mpg, *.mpeg, *.jpg, *.gif, *.zip, *.torrent, and *.exe.

  • Changes in network performance may indicate a sudden growth in P2P usage, or malware infections.

  • Some firewalls and intrusion detection/prevention products combine detection techniques to detect or prevent P2P traffic entering or leaving the network.

  • For Microsoft Windows machines, SMS can be used to scan for executables that are installed on workstations. Furthermore, administrators should limit permissions in order to prevent users from installing such software on their workstations.

  • Compromised systems that have malware installed via P2P file sharing will display the same symptoms seen when other means of malware distribution are successful.
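As an added example that is not part of the SANS text, the following Python script applies the behavioral signals listed above (many distinct peers, ephemeral ports, regularly spaced communication bursts) to a constructed set of flow records. The thresholds, host addresses and flow values are assumptions chosen for illustration.

```python
"""Heuristic P2P detection over constructed flow records.

Added example, not part of the SANS text. Only flow metadata is used
(no payload), so the check is unaffected by payload encryption.
All thresholds are assumed values for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src_host, dst_host, dst_port, bytes)
FLOWS = []
for i, ts in enumerate(range(0, 120, 6)):
    # 10.0.0.5 contacts a fresh peer every 6 s on a high port: P2P-like
    FLOWS.append((ts, "10.0.0.5", f"203.0.113.{i + 1}", 6881 + i, 1400))
FLOWS += [
    # 10.0.0.7 browses two HTTPS servers at irregular times: benign
    (3, "10.0.0.7", "198.51.100.10", 443, 5200),
    (40, "10.0.0.7", "198.51.100.10", 443, 9100),
    (75, "10.0.0.7", "198.51.100.11", 443, 800),
]

def score_hosts(flows, min_peers=10, min_high_port_share=0.8,
                max_gap_jitter=1.0, min_bursts=5):
    """Return {host: [reasons]} for hosts showing all three P2P signals."""
    stats = defaultdict(lambda: {"peers": set(), "times": [], "high": 0, "n": 0})
    for ts, src, dst, dport, _size in flows:
        s = stats[src]
        s["peers"].add(dst)
        s["times"].append(ts)
        s["n"] += 1
        if dport >= 1024:          # ephemeral / non-service port
            s["high"] += 1
    flagged = {}
    for host, s in stats.items():
        times = sorted(s["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) if len(gaps) > 1 else float("inf")
        high_share = s["high"] / s["n"]
        reasons = []
        if len(s["peers"]) >= min_peers:
            reasons.append(f"{len(s['peers'])} distinct peers")
        if high_share >= min_high_port_share:
            reasons.append(f"{high_share:.0%} of flows to ports >= 1024")
        if len(gaps) >= min_bursts and jitter <= max_gap_jitter:
            reasons.append(f"regular bursts every ~{mean(gaps):.0f}s")
        if len(reasons) == 3:      # require all signals to limit false positives
            flagged[host] = reasons
    return flagged

if __name__ == "__main__":
    for host, why in score_hosts(FLOWS).items():
        print(host, "->", "; ".join(why))
```

The thresholds must be tuned per network: legitimate software such as update or backup agents can also show regular bursts to high ports, so this is a triage signal, not proof.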



C3.4 How to Protect against P2P Software Vulnerabilities


  • Standard users should not be permitted to install software. Restrict Administrative and Power User level privileges to support personnel acting in their support capacity. If a user must have Administrative or Power User privileges, create a separate account to be used for his/her daily office functions, internet surfing and on-line communication.

  • Use tools such as Microsoft DropMyRights for securing Web browsers and mail clients.

  • In Active Directory environments, Software Restriction Group Policies can be used in order to block known types of binaries from execution.

  • Educate users about P2P networks, the dangers of file sharing and company policy.

  • Turn on egress filtering to restrict any ports not required for business purposes, although as more P2P applications move to HTTP and encryption, this will prove less effective.

  • Monitor firewall and IDS logs.

  • To reduce malware infections which can be spread through numerous applications, use enterprise-wide anti-virus and antispyware products and ensure that updates are performed daily.

  • Use host-based firewalls in addition to perimeter firewalls. Windows XP and Windows 2003 include Windows Firewall, which provides adequate protection if properly configured. A variety of third-party host-based firewalls (ZoneAlarm, Sygate, Outpost) provide additional functionality and flexibility. Windows 2000, XP and 2003 systems can use IPSec policies to provide port filtering of unnecessary network traffic over VPN. In Active Directory environments, IPSec policies and Windows Firewall configuration (for Windows XP SP2 and Windows 2003 SP1) can be managed centrally through Group Policy.

  • Disable the Simple File Sharing feature of Windows XP if not explicitly required. [Start - Settings -Control Panel - Folder Options - Tab View - Disable (uncheck) setting Use Simple File Sharing - Apply - OK. ]

  • Monitor systems for the presence of unknown executables and unauthorized modification of system files. Software products like Tripwire or AIDE (both commercial and open source versions exist) can be used to detect changes in files.

  • Samba-based shares can be configured to run a filter upon opening or saving of files. A file-type detector and alerting system could prove useful to avoid misuse of shares.
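The file-type detector mentioned for Samba shares, and the storage scan for common P2P file types listed in the detection section, can both be approximated with a magic-byte check. The following Python is an added example (not part of the SANS text or of any Samba component) that flags files whose leading bytes do not match their extension, in particular executables renamed to look like media; the signature table and extension aliases are an assumed, deliberately small subset.

```python
"""Magic-byte file-type detector for share scanning.

Added example, not part of the SANS text. It compares a file's leading
bytes with the type its extension claims, so an executable saved as
'track.mp3' on a share is flagged. Signature table is a small subset."""
import os

# Leading-byte signatures (first match wins, so longer prefixes go first)
MAGIC = [
    (b"MZ", "exe"),                 # Windows PE / DOS executable
    (b"\x7fELF", "elf"),            # Linux executable
    (b"PK\x03\x04", "zip"),         # also docx/jar, which reuse the zip container
    (b"ID3", "mp3"),                # MP3 with ID3v2 tag
    (b"\xff\xfb", "mp3"),           # raw MPEG audio frame
    (b"\xff\xd8\xff", "jpg"),       # JPEG
    (b"GIF8", "gif"),               # GIF87a / GIF89a
    (b"RIFF", "avi"),               # RIFF container (AVI; also WAV/WebP)
    (b"\x00\x00\x01\xba", "mpg"),   # MPEG program stream
]
EXECUTABLE = {"exe", "elf"}
EXT_ALIASES = {"jpeg": "jpg", "mpeg": "mpg", "dll": "exe", "scr": "exe"}

def detect_type(head):
    """Map the first bytes of a file to a type name, or 'unknown'."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    return "unknown"

def classify(filename, head):
    """Verdict for one file given its name and leading bytes."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    kind = detect_type(head)
    if kind == "unknown":
        return "unknown"
    if kind in EXECUTABLE:
        # an executable with a media/archive extension is the key P2P malware case
        return "executable" if ext in EXECUTABLE else "disguised-executable"
    return "ok" if kind == ext else "mismatch"

def scan_share(root):
    """Walk a share and return [(path, verdict)] for everything not 'ok'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            verdict = classify(name, head)
            if verdict != "ok":
                findings.append((path, verdict))
    return findings
```

Run `scan_share("/srv/share")` (path assumed) from a cron job or from a Samba hook and forward the 'disguised-executable' findings to the alerting system; 'unknown' results need a larger signature table or a library such as libmagic before they are actionable.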


