Strange Traffic Patterns on MPLS Network

Soldato (joined 17 Oct 2002, 3,941 posts, West Midlands)
Greetings, we implemented an MPLS network for a customer several months ago for six sites, and ever since the implementation I have noticed increased usage on all the circuits.

I've fired up NBAR on one of the CPE routers and noticed that "WinMX" traffic on TCP port 6699 was being flagged, so naturally I thought it could be P2P.

I applied an access list on the LAN-facing interface blocking TCP port 6699 both inbound and outbound, but it doesn't match any traffic.

I've checked the NBAR port-map, which is set correctly to TCP port 6699. Could it be the case that P2P traffic is being tunnelled using HTTP, or is there something else amiss?

Regards
 
Peer-to-peer applications such as this are usually not port-dependent in their operation. I'd not be surprised if the end user had simply cottoned on to the block and adjusted the application listener settings appropriately.

Surely you have some internal source IP addresses to work with? I'd have thought that rather than trying to implement some layer-7-type filtering (stressing out the border router) to completely block this type of traffic, you could nail it down to a specific workstation and deal with the user directly?

If you do want to simply go down the block route, you mention NBAR. Have you set up an NBAR class-map to deal with WinMX traffic inspection, or have you simply blocked those ports via an extended ACL?

If you are looking into the latter rather than deep packet inspection using NBAR, then I think you would be better off blocking the entire subnets of the WinMX core network. These are:

209.61.186.0/24
64.49.201.0/24

Blocking these ranges will mean that the application can't talk to the hub, and it will be rendered useless.

Hope this helps.
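As an added illustration of the NBAR route discussed in the reply above (example IOS configuration written for this page, not posted by either participant), here is the port-map check, a class-map that matches on the application signature rather than the port, and a policy that either re-marks the matched flows to best effort or drops them. The interface, class-map and policy-map names are assumptions.

```cisco
! Confirm NBAR's port-map for WinMX still points at the port seen in
! protocol-discovery (TCP 6699 is the IOS default for winmx).
ip nbar port-map winmx tcp 6699

! Classify on the NBAR application signature. Because NBAR inspects the
! payload, this still matches WinMX flows that a user has moved to
! another port, which a plain port ACL would not.
class-map match-any P2P-WINMX
 match protocol winmx

! Option A: mark the flows down to DSCP 0 (best effort). The traffic still
! passes; it just loses any QoS preference across the MPLS circuits.
policy-map MARK-P2P
 class P2P-WINMX
  set ip dscp 0

! Option B: discard the matched flows outright.
policy-map DROP-P2P
 class P2P-WINMX
  drop

! Apply one policy inbound on the LAN-facing interface (name assumed),
! i.e. in the direction the workstation traffic enters the CPE router.
! protocol-discovery must be enabled on the interface for the
! per-protocol counters to populate.
interface FastEthernet0/0
 description LAN facing
 ip nbar protocol-discovery
 service-policy input DROP-P2P

! Verification, from enable mode:
!   show ip nbar protocol-discovery interface FastEthernet0/0 top-n 10
!   show policy-map interface FastEthernet0/0
```

The `show policy-map interface` output gives the packet and byte counters for the P2P-WINMX class, so you can see whether the drop (or mark) action is actually being applied before deciding it is the whole answer. Remember that NBAR matching costs CPU on the CPE router, which is the concern raised above about layer-7 filtering on the border device.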
 
Cheers for the reply. Indeed, I have tried applying a class-map to one of the interfaces, which does successfully match WinMX traffic, although all I'm doing at present is marking it down to DSCP 0 rather than dropping it.

The source addresses appear to be coming from the majority of the machines across all sites, which makes me a little concerned, as it could be a valid application using the above either as a source or destination port.

I'll try the two ranges below first and see if I get any matches against them. The other option I haven't yet tried is using the WinMX PDLMs from Cisco.com.
 
If the source ranges are indeed in bulk, then you could be correct in assuming it is legitimate traffic. Likewise, however, it could perhaps be malware masquerading on that port that has infected the entire network.

Another option, of course, is to set up a SPAN port and inspect the traffic for a while to see if you can notice any requests for malicious files etc., if you had the time.

Try the ACL for the hubs first. If you get hits on that, you know that it's definitely WinMX traffic.
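As an added example of the verification steps suggested across this thread (written for this page, not either poster's own configuration): an extended ACL that denies the two WinMX hub ranges listed earlier and logs the internal source addresses that try to reach them, port 6699 entries that cover both the destination-port and source-port cases, and a SPAN session on the site's Catalyst switch for packet capture. The ACL name, interface names and capture port are assumptions.

```cisco
! Deny the WinMX hub networks given earlier in the thread. "log" makes
! each match produce a syslog line that carries the internal source
! address, which is what you need to find the workstation.
ip access-list extended DENY-WINMX-HUBS
 deny   ip any 209.61.186.0 0.0.0.255 log
 deny   ip any 64.49.201.0 0.0.0.255 log
 ! Port 6699 in both directions: "eq" after the second address matches
 ! the destination port; "eq" after the first address matches the source
 ! port, so replies from a peer listening on 6699 are caught too.
 deny   tcp any any eq 6699 log
 deny   tcp any eq 6699 any log
 permit ip any any

! Log every match rather than only the first in each five-minute window.
ip access-list log-update threshold 1

! Apply inbound on the LAN-facing interface (name assumed) so it sees the
! workstation traffic before it is forwarded onto the MPLS circuit.
interface FastEthernet0/0
 ip access-group DENY-WINMX-HUBS in

! Check the hit counters and the logged sources:
!   show access-lists DENY-WINMX-HUBS
!   show logging | include DENY-WINMX-HUBS

! On the LAN switch: mirror the router-facing port (assumed Gi0/1) to a
! capture port (assumed Gi0/24) with a packet sniffer attached, to look
! at the payload of the flows the ACL is counting.
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
```

Reading the result: hits on the two hub-range entries from a handful of hosts point squarely at WinMX, whereas 6699 matches from most machines at every site with no hub hits at all suggest something else is using that port, which is where the SPAN capture earns its keep. Remove the `log` keywords and the log-update threshold once you have the source addresses; logging every packet on a busy CPE router is its own CPU load.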
 