A Methodology for P2P File-Sharing Traffic Detection ∗

Angelo Spognardi,† Alessandro Lucarelli, Roberto Di Pietro
Università di Roma “La Sapienza”, Dipartimento di Informatica
Via Salaria, 113, 00198-Roma, Italy
{spognardi, dipietro}@di.uniroma1.it, ale [email protected]

∗ This work was partially funded by the PRIN 2003 Web-based Management and Representation of Spatial and Geographic Data project, supported by the Italian MIUR, and by the WEB-MINDS project supported by the Italian MIUR under the FIRB program. Roberto Di Pietro is also with CNR-ISTI, WNLab-Pisa. Angelo Spognardi is the contact author.
† Authors are in reverse alphabetical order.

Proceedings of the 2005 Second International Workshop on Hot Topics in Peer-to-Peer Systems (HOT-P2P'05) 0-7695-2417-6/05 $20.00 © 2005 IEEE

Abstract

Since the widespread adoption of peer-to-peer (P2P) networking during the late ’90s, P2P applications have multiplied. Their diffusion and adoption are witnessed by the fact that P2P traffic accounts for a significant fraction of Internet traffic. Further, there are concerns regarding the use of these applications, for instance when they are employed to share copyright-protected material. Hence, in many situations there are many reasons to detect P2P traffic. In the late ’90s, P2P traffic was easily recognizable since P2P protocols used application-specific TCP or UDP port numbers. However, P2P applications were quickly empowered with the ability to use arbitrary ports in an attempt to go undetected. Nowadays, P2P applications explicitly try to camouflage the traffic they originate in an attempt to go undetected.

Despite the presence of rules to detect P2P traffic, no methodology exists to extract them from applications without the use of reverse engineering. In this paper we develop a methodology to detect P2P traffic. It is based on the analysis of the protocol used by a P2P application, extraction of specific patterns unique to the protocol, coding of such patterns in rules to be fed to an Intrusion Detection System (IDS), and validation of the patterns via network traffic monitoring with SNORT (an open source IDS) fed with the devised rules. In particular, we present a characterization of P2P traffic originated by the OpenNap and WPN protocols (implemented in the WinMx application) and the FastTrack protocol (used by KaZaA), obtained using our methodology, which shows the viability of our proposal. Finally, we conclude the paper by exposing our ongoing efforts in extending the methodology to exploit differences between centralized and decentralized P2P protocols, as well as the characterization of encrypted traffic, and highlight a new research direction in the identification of P2P traffic.

1 Introduction

P2P networking can be seen as a network of computers that does not use the client/server paradigm but is based on the notion of peers. Peers may differ in processing capabilities, connection speed, local network configuration or operating systems. P2P networks can offer the functionalities required to implement a generic application, as in [3, 12]. The lack of centralized authorities in P2P networks is reflected in a totally distributed configuration of directly connected peers. Some P2P networks also have a small set of special nodes, known as super nodes [9, 8], that usually perform some special tasks, such as query handling, typically requiring greater resource availability. One common application of P2P networks is file sharing among users. Download operations typically involve two phases:

Signaling phase: a peer searches for the content and determines which peers are eligible to provide the desired content. In many protocols this phase does not involve any direct communication with the peer which will eventually provide the content.

Download phase: the requester contacts one or multiple peers among the eligible ones to directly download the desired content.

Detecting P2P file sharing traffic can be required in several contexts. For instance, in an enterprise network, administrators would like to provide a degraded service (via rate-limiting, service differentiation, blocking) to P2P traffic to ensure good performance for enterprise-critical applications, and/or enforce corporate rules regulating P2P usage [17]. Broadband ISPs would like to limit P2P traffic to limit the cost they are charged by upstream ISPs. All these activities require the capability to accurately identify P2P network traffic. Further, identification of the users performing file sharing inside a network can be useful to support forensic investigations. However, application identification inside IP networks, in general, can be difficult. First-generation P2P applications used well-defined port numbers to send file sharing traffic, hence the identification of P2P traffic was a relatively easy task. In response to this, P2P applications acquired the capability to utilize any port number. Furthermore, recent P2P networks tend to intentionally camouflage their generated traffic [11] to circumvent both filtering firewalls and possible legal litigation. There are also some P2P applications that support encryption, while others adopt file fragmentation; these applications split the file to be sent into chunks, where each chunk is eventually sent by a different peer.

There are some projects in the area of P2P traffic detection: the SNORT project group itself proposes some rules for the detection of P2P traffic, and there exist some commercial applications (like p2pwatchdog [13]) whose only purpose is to catch and monitor P2P traffic. However, neither the SNORT community nor the p2pwatchdog developers say how to write rules for all P2P file-sharing programs; p2pwatchdog, furthermore, is neither open-source nor free. What is lacking, then, is a methodology to write IDS rules for P2P traffic detection or, more generally, a flexible methodology able to identify any application-specific traffic.

1.1 Main Contributions and Road-map

In this paper, we provide a methodology to identify P2P traffic. The methodology is based on the following steps: analysis of the protocol of interest; identification of patterns specific to the P2P protocol that can be revealed by an IP packet level analysis; coding of these patterns in rules that can be fed to an IDS; network monitoring of the identified patterns with an effective IDS fed with the devised rules. Note that following the IDS-like approach does not introduce any delay in the network, while requiring only little overhead on the checking point where it is installed. Further, the proposed methodology is shown to be extensible to the analysis of P2P protocols that encrypt their generated traffic as well, and to efficiently leverage characteristics introduced by decentralized P2P file sharing applications. Our P2P traffic detection tool has been successfully deployed and is currently running in a corporate LAN.

The remainder of this paper is organized as follows. Section 2 reports related work in the field. Section 3 depicts the working hypothesis as well as the methodology to deal with P2P traffic detection. Section 4 highlights the technical issues involved in identifying P2P traffic in real time inside the network for the OpenNap, WPN and FastTrack protocols, run by the WinMx and KaZaA applications. In this section we also report the rules for the SNORT IDS to catch the protocol signature patterns. Section 5 reports our conclusions and a few research directions.

2 Related work

Early research on P2P traffic characterization was based on the addressing of default network ports [18], [16]. Recent work [7] uses application signatures to characterize the workload of KaZaA downloads, while in [17] signatures for a wide range of P2P applications are provided. However, these studies do not provide an evaluation of the accuracy, scalability or robustness of their signatures, or fail to highlight the methodology adopted, or do not consider some interesting protocols. Signature-based traffic classification has been mainly performed in the context of network security, such as intrusion and anomaly detection (e.g. [2], [1]), where one typically seeks to find a signature for an attack.

In [19], [1], [10] research focuses on aggregated data traffic to distinguish regular traffic from that originated by P2P applications. These works provide a view of local P2P usage, while in [18] a complementary backbone view is reported, that is, the analysis of data gathered from a tier-1 Internet Service Provider. Our approach is similar to that reported in [4], [17] in the sense that as a final result we provide a set of signatures to identify P2P file sharing traffic. Our approach differs from [4], [17] in the sense that the proposed methodology is clearly depicted and combines both signature and intrusion detection techniques.

3 Methodology

In this section we provide the methodology employed to detect P2P file sharing traffic. Note that the proposed methodology is general enough to be easily adapted to any P2P file sharing protocol. To show its flexibility, we have applied the methodology to the following P2P protocols: OpenNap, WPN and FastTrack. Once specific patterns for the protocol of interest have been found, it is possible to feed any IDS with the appropriate rules to identify such patterns. In our specific case, we have expressed such patterns in terms of SNORT rules. Note that SNORT is only one of the possible IDSs: our choice was SNORT because it is the most popular IDS, due to its history, because it is open source and also because its rules are easy to understand. Moreover, SNORT has a large community of developers, it is extensible with plug-ins and add-ons and
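The four steps above (protocol analysis, pattern extraction, coding the pattern as an IDS rule, monitoring) can be illustrated on a constructed capture. The following is an added example and not the paper's code: the handshake string, the "default" port 6699 and the rule sid are hypothetical placeholders, not the real OpenNap, WPN or FastTrack signatures, which the paper gives only in Section 4. It contrasts the first-generation port-based check with a port-independent payload signature that uses SNORT-style offset/depth anchoring, and shows how the same pattern is rendered as a SNORT rule line.

```python
"""Payload-signature vs port-based P2P detection (added illustrative example).
All patterns, ports and sids below are CONSTRUCTED placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """Subset of a SNORT rule: protocol, destination port (None = any),
    a byte pattern, and the payload window in which it must occur.
    As in SNORT, `depth` is counted from `offset`."""
    name: str
    proto: str
    dst_port: Optional[int]
    content: bytes
    offset: int = 0
    depth: Optional[int] = None
    sid: int = 1000001  # placeholder; local rules conventionally use sid >= 1000000

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        window = pkt.payload[self.offset:]
        if self.depth is not None:
            window = window[:self.depth]
        return self.content in window

    def to_snort(self) -> str:
        """Render the pattern in SNORT rule syntax (step 3 of the methodology)."""
        port = "any" if self.dst_port is None else str(self.dst_port)
        opts = f'msg:"{self.name}"; content:"{self.content.decode()}"; offset:{self.offset};'
        if self.depth is not None:
            opts += f" depth:{self.depth};"
        opts += f" sid:{self.sid}; rev:1;"
        return f"alert {self.proto} any any -> any {port} ({opts})"


# Steps 1-2: protocol analysis yields a pattern. This one is HYPOTHETICAL.
HYPO_HANDSHAKE = b"HYPO-P2P/1.0 HELLO"
LEGACY_PORT = 6699  # constructed "default" port of the hypothetical protocol


def port_based_detect(pkt: Packet) -> bool:
    """First-generation approach: trust the destination port."""
    return pkt.proto == "tcp" and pkt.dst_port == LEGACY_PORT


# Step 3: the pattern coded as a port-independent rule anchored at payload start.
RULES = [Rule("hypo-p2p-handshake", "tcp", None, HYPO_HANDSHAKE,
              offset=0, depth=len(HYPO_HANDSHAKE))]


def signature_detect(pkt: Packet, rules: List[Rule] = RULES) -> Optional[str]:
    for r in rules:
        if r.matches(pkt):
            return r.name
    return None


# Step 4: monitor a constructed capture and compare both approaches.
SAMPLE_PACKETS = [
    Packet("tcp", 6699, HYPO_HANDSHAKE + b" client=x"),           # default port
    Packet("tcp", 80, HYPO_HANDSHAKE + b" client=y"),             # camouflaged on 80
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # ordinary web
    Packet("tcp", 6699, b"GET / HTTP/1.1\r\n\r\n"),                 # web on the P2P port
    Packet("tcp", 4444, b"junk " + HYPO_HANDSHAKE),               # outside depth window
]


def classify_capture(packets: List[Packet]) -> List[Tuple[bool, Optional[str]]]:
    """Per packet: (port-based verdict, name of the matching signature or None)."""
    return [(port_based_detect(p), signature_detect(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, classify_capture(SAMPLE_PACKETS)):
        print(pkt.dst_port, pkt.payload[:24], verdict)
    print(RULES[0].to_snort())
```

Packets 2 and 4 are the interesting ones: the camouflaged handshake on port 80 is missed by the port check but caught by the signature, while plain HTTP on the "P2P" port is a false positive of the port check that the signature ignores. Packet 5 shows why the depth constraint matters: the same bytes later in the payload do not fire a rule anchored at the payload start, which keeps the rule specific to the protocol's own framing rather than to any occurrence of the string.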
