Configuration Library

SRX IDP - Block Bittorrents

12-15-2010 06:39 PM

Title:  SRX IDP - Block Bittorrents

Product: SRX

Version: Tested with 10.1R3.7, Attack DB 1819, Detector 10.4.160100823

Network Topology: Bittorrent Client (LAN) ---> SRX ----> Internet

Description: this post documents how to apply an IDP license, update the attack database and apply a configuration that blocks BitTorrent downloads, and covers a few other security concerns related to this type of P2P application.

Prerequisites:
    - Install the IDP license
    - Download and install the Signature Database
    - Additional instructions: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16489

Configuration:

/Configure a security policy that sends the trust-to-untrust traffic to the IDP engine.

from-zone trust to-zone untrust {
    policy trust-to-untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}

/Configure an IDP rule-base that drops BitTorrent traffic. In the example below, we use the predefined P2P signatures, as well as a few other recommended signatures for this type of traffic.

idp {
    idp-policy srx210-vc {
        rulebase-ips {
            rule 1 {
                match {
                    from-zone trust;
                    source-address any;
                    to-zone untrust;
                    destination-address any;
                    application default;
                    attacks {
                        predefined-attacks [ P2P:BITTORRENT:DOT-TORRENT P2P:BITTORRENT:DHT P2P:BITTORRENT:HANDSHAKE P2P:BITTORRENT:TRACKER-QUERY P2P:BITTORRENT:BT-TRACKER-DOS P2P:BITTORRENT:TRACKER-SCRAPE P2P:BITTORRENT:CONTENT-TYPE HTTP:STC:BT:CLIENT-VULN P2P:BITTORRENT:BITCOMET-CHUNK ];
                    }
                }
                then {
                    action {
                        drop-packet;
                    }
                    ip-action {
                        ip-close;
                        target service;
                        timeout 120;
                    }
                    notification {
                        log-attacks {
                            alert;
                        }
                    }
                }
            }
        }
    }
}

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
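The rule-base above only takes effect once the IDP policy is selected as the active policy and the signature package it references is installed. The following Junos CLI sequence is an added example, not part of the original post; it assumes the policy name srx210-vc from the configuration above, and lines beginning with # are annotations, not commands to type.

```junos
# 1. Prerequisites: confirm the IDP license is present and a signature package is installed.
show system license
show security idp security-package-version

# Fetch and install the current attack database (the predefined P2P:BITTORRENT:* names must exist in it).
request security idp security-package download
request security idp security-package download status
request security idp security-package install
request security idp security-package install status

# 2. Activate the policy: without this line the idp-policy srx210-vc is defined but never applied,
#    even though the firewall policy already hands traffic to the IDP engine.
configure
set security idp active-policy srx210-vc
commit

# 3. Verify after commit: engine status, that the policy compiled and loaded, and that the
#    BitTorrent signatures are actually matching once a client on the LAN is tested.
show security idp status
show security idp policy-commit-status
show security idp attack table
show log messages | match IDP_ATTACK_LOG_EVENT
```

If `show security idp attack table` stays empty while a known client is running, check `show security idp policy-commit-status` first; a policy that failed to compile is the usual cause.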