Traffic Analysis: P2P Found 92% of the Time

Matt Keil


Category: Firewall

The most recent discovery of the first lady's (Laura Bush's) safe house and a detailed list of the civilian nuclear complex, including precise locations of weapons-grade nuclear fuel, follows closely on the heels of previous P2P discoveries of Marine One blueprints and healthcare records.

Should we really be surprised? No, not really, given the findings from the latest Application Usage and Risk Report:

* An average of six P2P variants were found in 9 out of 10 organizations.
* In one extreme case, 17 P2P variants were found.
* The most common P2P applications found were BitTorrent and Gnutella, both at 68%.
* Bandwidth consumed was a whopping 2.3 terabytes, or 5% of the total bandwidth viewed across the participating enterprises.

The most commonly detected P2P-based file sharing applications found across the 63 participating organizations.

The logical question is: why can't enterprises stop P2P usage? There are several reasons why.

The first reason is that employees are using whatever application they want. And in the case of P2P, enterprise networks are typically far faster than home networks, so why not take advantage of the connection speeds?

Dovetailing nicely into the high-speed network access is the ability to get music, movies, software, and many other things for free. Copyright laws are easily ignored when the latest movie, only seen in theatres, can be downloaded for free.

Possibly the most significant reason that IT cannot stop P2P is the plain fact that P2P applications use a variety of techniques to pass through the existing security infrastructure. Common techniques include port hopping and masquerading as HTTP. And as security administrators developed ad hoc techniques to detect these applications, P2P developers modified the applications to use proprietary encryption as a means of bypassing the firewall and signature-based detection mechanisms. For example, uTorrent, the official BitTorrent client, uses proprietary encryption to evade detection.
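To make the three evasion techniques above concrete from the detection side, here is an added example (not code from this post or from Palo Alto Networks' App-ID) that runs a naive port-based classifier and a content-aware classifier over a handful of constructed flow records. The BitTorrent handshake prefix is the real peer-wire protocol string; the flows, the tracker-path heuristic and the entropy threshold are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Constructed sample flows: destination port plus the first client-to-server
# payload bytes. None of this is data from the report; it is built here to show
# how each evasion technique looks to a port-based vs. a content-aware classifier.
@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes

# Real BitTorrent peer-wire handshake prefix: pstrlen (19) followed by the protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS")
ENTROPY_THRESHOLD = 6.0  # assumed cut-off in bits/byte over 128 bytes; cleartext sits well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8 for encrypted/compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_by_port(flow: Flow) -> str:
    """What a legacy port-based rule would call the flow."""
    return {80: "http", 443: "https", 6881: "bittorrent"}.get(flow.dst_port, "unknown")


def classify_by_content(flow: Flow) -> str:
    """Look at the payload, not the port: handshake signature, HTTP request line, then entropy."""
    p = flow.payload
    if p.startswith(BT_HANDSHAKE):
        return "bittorrent"              # handshake on any port, not just 6881 (port hopping)
    method, _, rest = p.partition(b" ")
    if method in HTTP_METHODS and b" HTTP/1." in p:
        # Genuine HTTP syntax: still inspect the request target for tracker-style requests
        path = rest.split(b" ", 1)[0]
        if path.startswith(b"/announce") or b"info_hash=" in path:
            return "bittorrent-tracker"  # P2P riding inside legitimate-looking HTTP (masquerading)
        return "http"
    if flow.dst_port in (80, 8080) and shannon_entropy(p[:128]) > ENTROPY_THRESHOLD:
        return "opaque-on-http-port"     # encrypted/obfuscated payload where cleartext is expected
    return "unknown"


def compare(flows):
    """Return (src, port-based label, content-based label) for every flow."""
    return [(f.src, classify_by_port(f), classify_by_content(f)) for f in flows]


# Constructed 128-byte "encrypted" payload: 128 distinct byte values, so entropy is 7 bits/byte.
OPAQUE = bytes((i * 97 + 13) % 256 for i in range(128))

SAMPLE_FLOWS = [
    Flow("10.0.0.5", 6881, BT_HANDSHAKE + bytes(8) + b"\x00" * 40),    # classic port
    Flow("10.0.0.6", 80, BT_HANDSHAKE + bytes(8) + b"\x00" * 40),      # port hopping onto 80
    Flow("10.0.0.7", 80, b"GET /announce?info_hash=%00%01&port=6881 HTTP/1.1\r\n"
                         b"Host: tracker.example\r\n\r\n"),            # masquerading as HTTP
    Flow("10.0.0.8", 80, OPAQUE),                                      # proprietary encryption
    Flow("10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                         b"User-Agent: Mozilla/5.0\r\n\r\n"),          # ordinary web traffic
]

if __name__ == "__main__":
    for src, by_port, by_content in compare(SAMPLE_FLOWS):
        print(f"{src:10} port-based={by_port:12} content-based={by_content}")
```

The port-based column labels four of the five flows "http", which is exactly the blind spot the post describes; the content-based column separates the handshake on port 80, the tracker request hiding in HTTP syntax, and the high-entropy stream from the one genuine web request. The entropy rule is the weakest of the three (it only says "this is not cleartext where cleartext was expected"), which is why an encrypted P2P client still needs a policy decision rather than a signature.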

Can Palo Alto Networks next-generation firewalls help?

We think we can. We can identify and control more than 40 P2P networks, including BitTorrent, eMule, and LimeWire, with more added as they are released to market. See the entire list here. Our customers are using our next-generation firewall to rein in the use of these applications, blocking use for others while enabling controlled use for some (like engineers who need Linux distributions). Want to learn more? Check out the whitepaper on controlling P2P.
