Firewall – SOHO – throttle bittorrent traffic from problem users

Tags: bittorrent, firewall, p2p, qos, router

I manage the network in a small office (SW dev is my "real job"), and there are a couple of users who beat the hell out of our internet connection by running bittorrent. Between the almost crippling effect on the upload side (20Mbps) and the potential liability, I want to shut this down as much as possible.

Some quick details in anticipation of questions or suggestions:

  • we have 2 routers (1 Linksys, 1 Buffalo) running the latest DD-WRT, and one D-Link DIR-655 running whatever the latest factory software is

  • internet is FiOS 20/20 plan

  • users connect via WiFi & wired, everyone uses DHCP

  • acquiring new hardware (let's say < $1000) that really does the trick reliably is an option

  • we have an internet usage policy in place, yes, but I want to enforce it as much as possible via IT because we all know that some people just can't follow the rules. Yes I know that dealing with this is a social issue, but this part is out of my authority/control.

  • the common strategies (completely block access by MAC / IP, block ports, etc.) won't work. At least 2 of the people routinely re-program the MAC addresses on their Ethernet interfaces.

I understand that BT clients can be configured to use other ports, so just blocking the standard BT port range is weaksauce.

I can't believe I'm the first person to skin this cat. Or maybe only IT depts. with large equipment budgets can skin this cat?

Thanks for your help!

Best Answer

You're right, it really is a social problem that needs to be addressed by management. If certain people are impacting the network to the point that it's causing problems for others, then they need to be dealt with and have it explained to them what the consequences will be if they keep it up. Reprogramming the MAC addresses on their NICs? If they have no legitimate need to be doing that, then you might consider locking down your wifi router and network switches to only accept connections from certain MAC addresses. If they change it, they can't get on the network, and suddenly MAC address filtering/limiting becomes a possibility at the border router.

Traffic shaping for non-standard ports can also be employed to reduce the amount of available bandwidth for all ports except the standard http, ftp, smtp, etc. Turning down the amount of bandwidth available for non-standard applications makes them a lot less desirable.

Another option at your border router/firewall is to only allow certain ports for outbound traffic, limited to standard ports. This may or may not be practical given your environment.
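The two router-side options in this answer (shaping everything that is not on a standard port down to a small slice of the uplink, and an outbound port whitelist at the border) can both be expressed as tc/iptables rules on a DD-WRT box, which runs a Linux kernel with HTB and the iptables `mangle` table. The script below is an added example and not code from the original thread or from the DD-WRT project. It assumes the WAN interface is `vlan2`, a 20 Mbit/s uplink, and that the "standard" ports are 22, 25, 80, 443, 993 and 995 plus UDP 53; the interface name, rates, port list and chain names (`SHAPE_OUT`, `OUTBOUND_ALLOW`) are all assumptions you would adjust. The functions print the rules rather than apply them, so the rule set can be reviewed before being piped to `sh` on the router.

```shell
#!/bin/sh
# Added example: egress shaping and an outbound port whitelist for a
# DD-WRT (Linux) border router. All names and numbers below are assumptions.

WAN_IF="${WAN_IF:-vlan2}"                          # assumed WAN interface
UPLINK_KBIT="${UPLINK_KBIT:-19000}"                # a bit under the 20 Mbit/s line rate
BULK_KBIT="${BULK_KBIT:-2000}"                     # ceiling for "everything else"
STD_PORTS="${STD_PORTS:-22,25,80,443,993,995}"     # assumed "standard" TCP ports

# HTB tree on the WAN side: class 1:10 (priority) gets the uplink minus the
# bulk share, class 1:30 (the htb default) is capped at BULK_KBIT. Packets are
# sorted into 1:10 by a firewall mark set in the mangle POSTROUTING chain;
# anything unmarked, including a torrent client on a random port or DHT over
# UDP, falls into 1:30 by default. sfq under each class keeps one flow from
# starving the others inside the same class.
gen_shaping_rules() {
    cat <<EOF
tc qdisc del dev $WAN_IF root 2>/dev/null
tc qdisc add dev $WAN_IF root handle 1: htb default 30
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit ceil ${UPLINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate $((UPLINK_KBIT - BULK_KBIT))kbit ceil ${UPLINK_KBIT}kbit prio 1
tc class add dev $WAN_IF parent 1:1 classid 1:30 htb rate ${BULK_KBIT}kbit ceil ${BULK_KBIT}kbit prio 3
tc qdisc add dev $WAN_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $WAN_IF parent 1:30 handle 30: sfq perturb 10
tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle 10 fw flowid 1:10
iptables -t mangle -N SHAPE_OUT 2>/dev/null
iptables -t mangle -F SHAPE_OUT
iptables -t mangle -D POSTROUTING -o $WAN_IF -j SHAPE_OUT 2>/dev/null
iptables -t mangle -A POSTROUTING -o $WAN_IF -j SHAPE_OUT
iptables -t mangle -A SHAPE_OUT -p tcp -m multiport --dports $STD_PORTS -j MARK --set-mark 10
iptables -t mangle -A SHAPE_OUT -p udp --dport 53 -j MARK --set-mark 10
EOF
}

# Stricter variant from the answer's last paragraph: only let forwarded
# traffic leave on the standard ports and drop the rest. Replies to allowed
# connections are accepted by the state match; the final DROP is the catch-all.
gen_port_whitelist() {
    cat <<EOF
iptables -N OUTBOUND_ALLOW 2>/dev/null
iptables -F OUTBOUND_ALLOW
iptables -D FORWARD -o $WAN_IF -j OUTBOUND_ALLOW 2>/dev/null
iptables -I FORWARD -o $WAN_IF -j OUTBOUND_ALLOW
iptables -A OUTBOUND_ALLOW -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTBOUND_ALLOW -p tcp -m multiport --dports $STD_PORTS -j ACCEPT
iptables -A OUTBOUND_ALLOW -p udp --dport 53 -j ACCEPT
iptables -A OUTBOUND_ALLOW -j DROP
EOF
}

# Usage on the router: "sh thisfile.sh shape | sh" or "sh thisfile.sh whitelist | sh";
# with no argument it only defines the functions.
case "${1:-}" in
    shape)     gen_shaping_rules ;;
    whitelist) gen_port_whitelist ;;
esac
```

Two caveats before pasting this into the DD-WRT startup or firewall script: the web UI's own QoS page also programs HTB on the WAN interface, so use either it or this script, not both; and neither rule set identifies BitTorrent as such. A client told to use port 80 or 443 lands in the priority class, so the shaping only limits the damage from clients on non-standard ports, and the whitelist only raises the effort needed, which is consistent with the answer's point that the remaining problem is a management one.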