SOHO - throttle bittorrent traffic from problem users

I manage the network in a small office (SW dev is my "real job"), and there are a couple of users who beat the hell out of our internet connection by running bittorrent. Between the almost crippling effect on the upload side (20Mbps) and the potential liability, I want to shut this down as much as possible.

Some quick details in anticipation of questions or suggestions:

  • we have 2 routers (1 Linksys, 1 Buffalo) running the latest DD-WRT, and one D-Link DIR-655 running whatever the latest factory software is

  • internet is FiOS 20/20 plan

  • users connect via WiFi & wired, everyone uses DHCP

  • acquiring new hardware (let's say < $1000) that really does the trick reliably is an option

  • we have an internet usage policy in place, yes, but I want to enforce it as much as possible via IT because we all know that some people just can't follow the rules. Yes I know that dealing with this is a social issue, but this part is out of my authority/control.

  • the common strategies (completely block access by MAC / IP, block ports, etc.) won't work. At least 2 of the people routinely re-program the MAC addresses on their Ethernet interfaces.

I understand that BT clients can be configured to use other ports, so just blocking the standard BT port range is weaksauce.

I can't believe I'm the first person to skin this cat. Or maybe only IT depts. with large equipment budgets can skin this cat?

Thanks for your help!


Solution 1:

You're right, it really is a social problem that needs to be addressed by management. If certain people are impacting the network to the point that it's causing problems for others, then they need to be dealt with and told what the consequences will be if they keep it up. Reprogramming the MAC addresses on their NICs? If they have no legitimate need to be doing that, then you might consider locking down your wifi router and network switches to only accept connections from certain MAC addresses. If they change it, they can't get on the network, and suddenly MAC address filtering/limiting becomes a possibility at the border router.

Traffic shaping for non-standard ports can also be employed to reduce the amount of available bandwidth for all ports except the standard http, ftp, smtp, etc. Turning down the amount of bandwidth available for non-standard applications makes them a lot less desirable.

Another option at your border router/firewall is to only allow certain ports for outbound traffic, limited to standard ports. This may or may not be practical given your environment.

Solution 2:

Enable QoS on your DD-WRT stuff as described here. Make all non-port-80/22/25/IMAP/POP traffic limited to some very small amount of bandwidth, and make even those ports limited to something reasonable like 2Mb/s or so.

Then go read BOFH for ideas about what to do to the offending users.
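Solutions 1 and 2 both come down to the same rule set: put the standard application ports in a class that gets most of the uplink and let everything else fall into a small default class. The script below is an added example for this thread, not code from either answer or from the DD-WRT project; it builds that HTB tree with the tc and iptables tools that a DD-WRT shell has. The WAN interface name, the rates, the port list and the 2.5% share for the default class are assumptions to be adjusted for the router in question. It defaults to DRY_RUN=1, which only prints the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: HTB shaping on a DD-WRT (Linux) router, as described in
# Solutions 1 and 2. Standard ports get a fast class, everything else lands in
# a small default class. Interface, rates and port list are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

WAN_DEV="${WAN_DEV:-vlan2}"            # assumption: the WAN interface name differs per DD-WRT model
UPLINK_KBIT="${UPLINK_KBIT:-19000}"    # a little under the 20 Mbit/s uplink so the queue forms here, not at the ONT
STANDARD_PORTS="${STANDARD_PORTS:-22,25,80,110,143,443,465,587,993,995}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# shape_rules DEV UPLINK_KBIT: emit the tc/iptables rules for interface DEV.
shape_rules() {
    dev="$1"
    up="$2"
    fast=$(( up * 9 / 10 ))     # guaranteed for standard ports; may borrow up to the whole uplink
    slow=$(( up / 40 ))         # ~2.5% guaranteed for everything else (assumption; tune to taste)
    slow_ceil=$(( up / 10 ))    # ...and never more than 10% even when the link is otherwise idle

    # Start clean; a missing root qdisc is not an error worth stopping for.
    run tc qdisc del dev "$dev" root 2>/dev/null || true

    # HTB tree: packets without a firewall mark go to class 1:30 by default.
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${up}kbit" ceil "${up}kbit"
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${fast}kbit" ceil "${up}kbit" prio 1
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "${slow}kbit" ceil "${slow_ceil}kbit" prio 3

    # Fair queueing inside each class so one flow cannot starve the others sharing it.
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10

    # Packets carrying firewall mark 1 are steered into the fast class.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10

    # Mark outbound packets to the standard ports (mangle POSTROUTING runs after NAT,
    # on the WAN side, so the destination port is the real one). DNS gets marked too.
    run iptables -t mangle -A POSTROUTING -o "$dev" -p tcp -m multiport --dports "$STANDARD_PORTS" -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$dev" -p udp --dport 53 -j MARK --set-mark 1
}

shape_rules "$WAN_DEV" "$UPLINK_KBIT"
```

Two caveats worth knowing before relying on this. It shapes only egress on the WAN interface, which is the upload side the question is about; download can only be slowed indirectly (by shaping egress on the LAN interface, which is less effective because the packets have already crossed the link). And the classification is by port alone: a client that is told to listen on 443 lands in the fast class, which is exactly the evasion Solution 4 warns about.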

Solution 3:

If it's a small office, tell the employees to stop using bittorrent or face disciplinary action; spending money/time on traffic shaping for a small office seems ridiculous... unless there are some extraordinary circumstances you haven't mentioned.

I am sure the manager of your office would want to know why their employees have time to set up bittorrent, change their MAC address, etc. on company time...

Solution 4:

If you go for technical tricks and ignore the social aspect, the bad guys will try miscellaneous tricks to avoid the restrictions. If you implement something that marks and shapes bittorrent traffic, they'll start using encryption etc.

If you go only social and start yelling at the bad guys, you will become their enemy. Especially if this is not your main job there. They might think you're restricting them to please the boss for example. And working on a daily basis with people who hate you is sad.

A very effective approach that involves almost no violence is to monitor network usage. Set up something like mrtg and make the network usage graphs publicly available for anybody in the office. So as soon as somebody complains about slow internet, send him there to look at who's wasting the bandwidth.

This way you won't have to fight alone against bandwidth hogs. You won't even need to fight at all, the good users will eat the bad ones.
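An mrtg graph shows the interface total; to put a name next to a spike you need per-host counters. The script below is an added example for this answer, not code from it or from mrtg: given flow records (one per line: source, destination, destination port, bytes out, bytes in) it ranks internal hosts by upload and flags the ones whose pattern looks like a swarm, i.e. many distinct peers and at least as much upload as download. That test looks at neither ports nor payload, so it still works after the client is switched to encryption or a different port, which is the evasion the answer describes. The input is constructed sample data, not a real capture; on a real router the records would come from conntrack or a netflow export (assumption), and the peer threshold of 8 is an assumption as well.

```shell
#!/bin/sh
# Added example (not from the thread): per-host upload ranking and a
# swarm heuristic over flow records. The records below are constructed.
# Line format: src dst dport bytes_out bytes_in

# Constructed sample: .50 talks to twelve peers on assorted high ports and
# uploads more than it downloads; .20 does HTTPS downloads; .30 does IMAP.
SAMPLE_FLOWS='192.168.1.50 203.0.113.11 6881 60000000 20000000
192.168.1.50 203.0.113.12 51413 60000000 20000000
192.168.1.50 203.0.113.13 6889 60000000 20000000
192.168.1.50 203.0.113.14 49152 60000000 20000000
192.168.1.50 203.0.113.15 6881 60000000 20000000
192.168.1.50 203.0.113.16 27015 60000000 20000000
192.168.1.50 203.0.113.17 443 60000000 20000000
192.168.1.50 203.0.113.18 6882 60000000 20000000
192.168.1.50 203.0.113.19 62001 60000000 20000000
192.168.1.50 203.0.113.20 6881 60000000 20000000
192.168.1.50 203.0.113.21 34567 60000000 20000000
192.168.1.50 203.0.113.22 6883 60000000 20000000
192.168.1.20 198.51.100.5 443 2000000 50000000
192.168.1.20 198.51.100.6 443 2000000 50000000
192.168.1.20 198.51.100.7 443 2000000 50000000
192.168.1.30 198.51.100.9 993 1000000 3000000
192.168.1.30 198.51.100.9 993 1000000 3000000'

# per_host: aggregate flow records on stdin into
# "host bytes_out bytes_in distinct_peers", heaviest uploader first.
per_host() {
    awk '
    NF == 5 {
        out[$1] += $4
        inb[$1] += $5
        key = $1 SUBSEP $2
        if (!(key in seen)) { seen[key] = 1; peers[$1]++ }
    }
    END {
        for (h in out) printf "%s %d %d %d\n", h, out[h], inb[h], peers[h]
    }' | sort -k2,2nr
}

# flag_swarm [MIN_PEERS]: hosts with at least MIN_PEERS distinct peers (default 8,
# an assumption) and upload >= download. Port and payload are deliberately ignored.
flag_swarm() {
    min="${1:-8}"
    per_host | awk -v min="$min" '$4 >= min && $2 >= $3 { print $1 }'
}

printf '%s\n' "$SAMPLE_FLOWS" | per_host
printf '%s\n' "$SAMPLE_FLOWS" | flag_swarm 8
```

The upload-heavy test on its own would also match a workstation doing an off-site backup or a large cloud sync, so the peer count is what separates a swarm from a single busy server; anything the heuristic flags still deserves a look at the actual connections before anyone is named on a public graph.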

Solution 5:

If you don't have the authority to smack them on the wrist for it and the people that do aren't willing to, then you are pretty much out of luck. Yes, there are technological ways to address this. It appears that at least some of your problem users are probably savvy enough to avoid pretty much any tech solution that you try, though. Worse, for that sort of person you have now implicitly validated that it is OK for them to do (since there was no management response) as long as they do it in a way that avoids the roadblocks that you put up.