Sunday, March 30, 2008

Direct Download Links/One Click Hosters - Detection by IPS

One-click hosting has become very popular in the recent past. Unlike P2P protocols such as BitTorrent, one-click hosting providers host the entire file (video, audio or data) in one place and provide access to it over HTTP from a normal browser. Their model is very simple. They let users upload files. For each uploaded file, the user is given a 'download link'. Users can put these download links on their websites, blogs or forums. When others click on a download link, it takes them to the provider's site. Two providers, Megaupload and RapidShare, are very popular one-click hosting providers. There are many sites providing this kind of service.

Another kind of site is the video hosting website, such as YouTube. These sites allow users to upload videos and view existing videos. Please see this link for some of the video hosting sites. It appears that the popularity of traditional P2P file sharing is declining with these two kinds of sites.

Network security devices, specifically their IPS functionality, have long provided P2P application detection and the ability to block these applications or throttle their traffic, thereby saving precious bandwidth for enterprise application traffic. With one-click hosting sites and video sharing sites, these controls are becoming less effective, and network security devices need to change with the current reality. Because the content is downloaded over HTTP, it is a challenge for network security devices to tell this traffic apart from other web traffic. That is where signature-based application detection comes in handy.

As an administrator, you should look for a solution that offers:
  • Detection of hosting provider with no false positives.
  • Detection of hosting provider within the first 2K bytes of the connection.
  • Ability to set the throttling parameters based on
    • hosting provider(s).
    • machine(s) accessing the hosting site.
    • Time of day
  • Ability to set throttling parameters such as
    • Bandwidth (bytes/sec or packets/sec).

IntruPro-IPS from Intoto provides the following facilities:
  • Signatures to detect hosting providers. Each hosting provider is identified by 'Application ID' using signatures.
  • Signatures can be developed with HTTP protocol keywords. Hence detection can happen with zero false positives.
  • Traffic Enforcement rules with each rule containing
    • Source IP address(es)
    • Application ID(s)
    • Time of day and Day of week.
    • Action: block or throttle
    • Bandwidth in bytes/sec or pkts/sec
    • Flag to indicate whether to apply traffic throttling based on each source IP.
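
The two pieces described above, sketched as an added example (this is not IntruPro code or its rule syntax): a detector that keys only on the HTTP `Host` header within the first 2K bytes of a connection, and a first-match enforcement table with the rule fields listed. The Application ID strings, the signature table and all function and field names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed signature table: Host suffix -> hypothetical Application ID.
HOST_SIGNATURES = {"rapidshare.com": "APP_RAPIDSHARE",
                   "megaupload.com": "APP_MEGAUPLOAD"}
INSPECT_LIMIT = 2048  # only the first 2K bytes of the connection are examined

def detect_app(stream):
    """Return the Application ID for an HTTP request, or None."""
    head, end, _ = stream[:INSPECT_LIMIT].partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not end:
        lines = lines[:-1]  # headers incomplete: the last line may be cut off
    if not lines or not lines[0].split(b" ")[-1].startswith(b"HTTP/"):
        return None  # no complete HTTP request line in the window
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().lower().decode("ascii", "replace").split(":")[0]
            for suffix, app_id in HOST_SIGNATURES.items():
                # Match on a label boundary so "notrapidshare.com" is not a hit.
                if host == suffix or host.endswith("." + suffix):
                    return app_id
    return None

@dataclass
class Rule:
    sources: str        # source IP address(es) as a CIDR block
    app_ids: set        # Application ID(s) the rule covers
    days: set           # days of week, Monday = 0
    hours: range        # hours of day during which the rule is active
    action: str         # "block" or "throttle"
    bytes_per_sec: int = 0
    per_source: bool = False  # throttle each source IP separately

def enforce(rules, src_ip, app_id, when):
    """Return (action, bytes_per_sec, limiter_key) from the first matching rule."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.sources) and app_id in r.app_ids
                and when.weekday() in r.days and when.hour in r.hours):
            key = (app_id, src_ip) if r.per_source else (app_id, r.sources)
            return r.action, r.bytes_per_sec, key
    return "allow", 0, None
```

Matching the provider name only in the parsed `Host` header, rather than anywhere in the payload, is what keeps a search query or a page that merely mentions the provider from being classified as provider traffic.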
