Oct 28 / Greg

Using Mikrotik to Block Bit Torrent

The bane of most ISPs is peer-to-peer (p2p) traffic. If you run hotels or apartments, especially apartments full of students, p2p will be your main source of issues. In some cases, extreme measures must be taken. So how does one go about taking back their network? The first thing to do is to find the offending traffic.

MikroTik has some built-in matching functionality for p2p traffic. You can use it in mangle rules or firewall rules. In mangle, you can mark the packets and then lower their precedence, or stick them in a smaller queue. In the firewall, you can block them altogether.

[Screenshot: the built-in P2P matcher. Notice the many matches.]

Here’s the rub: BitTorrent traffic is now very often encrypted. Most clients support protocol encryption (MSE/PE), and many users switch it on precisely to get past ISP filters, so these matching methods will generally not do you much good. The matchers have to inspect packet payloads, and once those are encrypted they look like so much junk. So what do you do now?

You drop it like you are Fox and BitTorrent is “Are you smarter than a fifth grader?”, “Do not disturb”, “Don’t forget the lyrics”, “Hole in the wall”, “MADtv”, “Osbournes Reloaded”, “Prison Break”, “Secret millionaire”, “Sit Down, Shut Up” or “Terminator”. So how do we drop it? I do it in the following ways.

First, we block people from finding torrents :) Using MTK’s layer 7 inspection (L7), we match HTTP GET requests for BitTorrent sites and related sites. Here’s my regex:

^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*$

Here’s the CLI code you can simply paste. The trailing $ is escaped as \$ because a bare $ starts a variable reference inside a double-quoted RouterOS string:

/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*\$"

This regex matches most of the popular torrent sites of the day. You will notice that the bare word torrent is also in there, so if someone goes to Google and types torrent, the GET request matches too (hehehe): even searching for a torrent gets blocked. Two things to keep in mind before you deploy it. First, the matcher only ever sees plaintext HTTP; an HTTPS session carries the same request inside TLS and never matches. Second, the bare word torrent is a blunt instrument: any URL or hostname containing it matches, including .torrent downloads of Linux ISOs and a page that merely mentions a torrent of water, so expect some collateral damage. So now we put in a firewall rule to block with this L7.

/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=\
    torrent-wwws

From the GUI, you set the chain to forward and under Advanced you choose the L7:
[Screenshot: fw-wwws]

As you can see, on the forward chain I added the L7 torrent-wwws, which was defined earlier. This means anyone trying to browse to any of our specified BitTorrent sites will get blocked. If their client hits a tracker with an HTTP GET whose URL contains one of those strings, it gets stopped too. Two practical notes: the L7 matcher only inspects the first 10 packets (or the first 2 KB) of a connection and then stops looking, and a forward-chain rule with no protocol or port match runs the regex against every new connection, so adding protocol=tcp dst-port=80 to the rule confines the work to web traffic. Now, just to put a bow on top, let’s be a little more devious! Let’s block DNS queries based on the same regex.

Here’s the new regex:

^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*$

Here’s the code to copy and paste in the CLI:

/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*\$"

Here’s the firewall rule to block:

/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 \
    layer7-protocol=torrent-dns protocol=udp

Notice that I’m matching UDP to port 53, so this drops any DNS query whose name contains one of the strings above. (On the wire a name is split into length-prefixed labels, but each label’s bytes are contiguous, so the thepiratebay in thepiratebay.org still matches.) This way, if they are using a web proxy, they will still get blocked, and if their client tries to resolve a tracker that matches this good stuff, that gets blocked too. Two checks before you declare it working: flush the router’s resolver cache first (/ip dns cache flush), because a cached answer never produces a query for the rule to see, and remember that clients using the router itself as their DNS server hit the input chain rather than forward, so the same rule is needed there as well.
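Both regexes above are easy to test offline before they go into /ip firewall layer7-protocol. The following Python script is an added example, not code from the original post or from MikroTik: it feeds constructed HTTP requests, DNS queries and an abbreviated TLS ClientHello through the post’s torrent-wwws and torrent-dns patterns under an emulation of the L7 matcher’s inspection window (first 10 packets or 2 KB of a connection). The byte layouts, the hostnames and paths, and the assumption that the matcher is case-insensitive with dot spanning newlines are all constructed for the test; the site list has the duplicated alternatives removed.

```python
import re
import struct

# Site list from the post, with the duplicated alternatives removed.
SITES = (
    "torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|"
    "flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|"
    "zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|"
    "gpirate|commonbits"
).encode()

# Assumption: RouterOS L7 (an l7-filter descendant) matches case-insensitively
# and lets '.' span any byte, newlines included; IGNORECASE | DOTALL mirrors that.
FLAGS = re.IGNORECASE | re.DOTALL
TORRENT_WWWS = re.compile(rb"^.*(get|GET).+(" + SITES + rb").*$", FLAGS)
TORRENT_DNS = re.compile(rb"^.+(" + SITES + rb").*$", FLAGS)

# RouterOS documents the matcher as collecting the first 10 packets or the
# first 2 KB of a connection and searching only that.
L7_MAX_PACKETS = 10
L7_MAX_BYTES = 2048


def l7_match(pattern, packets):
    """Emulate the L7 matcher's inspection window over a list of payloads."""
    seen = b"".join(packets[:L7_MAX_PACKETS])[:L7_MAX_BYTES]
    return pattern.search(seen) is not None


def http_get(host, path):
    """Constructed plaintext HTTP/1.1 request, as the router sees it on tcp/80."""
    return (b"GET %s HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\n\r\n"
            % (path.encode(), host.encode()))


def dns_query(name, txid=0x1234):
    """Constructed DNS A query in wire format: 12-byte header, length-prefixed
    labels, QTYPE=A, QCLASS=IN. Question names are never compressed, so each
    label's bytes stay contiguous for the regex to find."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def tls_client_hello_sni(host):
    """Constructed, abbreviated TLS ClientHello: record header, handshake type
    and the server_name extension carrying the hostname. Lengths and the other
    fields are omitted; the point is only that SNI travels in cleartext."""
    h = host.encode()
    return (b"\x16\x03\x01\x00\x00"            # record: handshake, TLS 1.0
            + b"\x01"                          # HandshakeType client_hello
            + b"\x00\x00" + struct.pack("!H", len(h)) + h)  # ext 0 = server_name


def check_http():
    """What the torrent-wwws rule drops on plaintext HTTP."""
    cases = {
        "piratebay": http_get("thepiratebay.org", "/"),
        "google_search": http_get("www.google.com", "/search?q=torrent"),
        # Collateral damage from the bare word 'torrent' (raised in the comments):
        "ubuntu_iso": http_get("releases.ubuntu.com",
                               "/9.10/ubuntu-9.10-desktop-i386.iso.torrent"),
        "art_gallery": http_get("www.1st-art-gallery.com",
                                "/A-Rocky-Landscape-With-A-Torrent-Of-Water.html"),
        "plain_site": http_get("www.example.com", "/index.html"),
    }
    return {name: l7_match(TORRENT_WWWS, [pkt]) for name, pkt in cases.items()}


def check_dns():
    """What the torrent-dns rule drops on udp/53."""
    cases = {
        "piratebay": dns_query("thepiratebay.org"),
        "tracker": dns_query("tracker.openbittorrent.com"),
        "news_site": dns_query("torrentfreak.com"),      # substring collateral
        "ubuntu": dns_query("www.ubuntu.com"),
        "router_vendor": dns_query("download.mikrotik.com"),
    }
    return {name: l7_match(TORRENT_DNS, [pkt]) for name, pkt in cases.items()}


def check_tls():
    """HTTPS: no GET is visible, so torrent-wwws never fires; the hostname in
    the ClientHello SNI is cleartext, though, and a GET-less pattern such as
    torrent-dns would match it if it were applied to tcp/443."""
    hello = tls_client_hello_sni("thepiratebay.org")
    return {"wwws_matches_client_hello": l7_match(TORRENT_WWWS, [hello]),
            "dns_regex_matches_sni": l7_match(TORRENT_DNS, [hello])}


def check_inspection_window():
    """A request arriving after the first 2 KB of a connection (e.g. the second
    request on a persistent connection to a proxy) is never inspected."""
    first = http_get("www.example.com", "/" + "a" * 2100)   # alone exceeds 2 KB
    second = http_get("thepiratebay.org", "/")
    return {"alone": l7_match(TORRENT_WWWS, [second]),
            "after_2kb_on_same_connection": l7_match(TORRENT_WWWS, [first, second])}


if __name__ == "__main__":
    for check in (check_http, check_dns, check_tls, check_inspection_window):
        print(check.__name__, check())
```

Run it with python3 and read the four dictionaries: the art-gallery URL and the Ubuntu .torrent download from the comments both match torrent-wwws; torrentfreak.com and any tracker with torrent in its name match torrent-dns; an HTTPS request never matches torrent-wwws (although the SNI would match a GET-less pattern on tcp/443); and a request that arrives beyond the 2 KB window is invisible to the matcher, which is why persistent connections through a proxy can slip past the rule.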

Using the above method to block along with the standard p2p matching, it looks like you can save around 25% – 50% utilization on traffic. Though, what will the kids do when they can’t download their pornography and movies…I think the internet has no other use?

*Edit* It appears that Blizzard, makers of WoW, now only allow updates via BitTorrent. I’ve written a little exclusion for this that can be found here.

45 Comments

  1. Jimmy / Oct 28 2009

    So you don’t like people buying art paintings?

    http://www.1st-art-gallery.com/Henri-Joseph-Harpignies/A-Rocky-Landscape-With-A-Torrent-Of-Water.html

    As that regex above would match that url also ;p

  2. Greg / Oct 28 2009

    Jimmy :
    So you don’t like people buying art paintings?

    http://www.1st-art-gallery.com/Henri-Joseph-Harpignies/A-Rocky-Landscape-With-A-Torrent-Of-Water.html

    As that regex above would match that url also ;p

    I detest the arts, and all those that like them!

  3. N.R. / Dec 10 2009

    Pure evil! MikroTik downloads will also get blocked, and all the Linux distribution downloads :)

  4. Greg / Dec 10 2009

    N.R. :
    Pure evil! MikroTik downloads will also get blocked, and all the Linux distribution downloads :)

    Anything legitimate that can be had via bit torrent can also be had via other methods like direct download. ;)

    Trust me, I’ve had this conversation several times. :P

  5. Josh / Jan 18 2010

    What if you don’t want to block them all, but limit the amount of connections that a single user can have open at a time to say 300? Also, the P2P list doesn’t include programs such as Limewire, Frostwire, Vuse… etc. What about those?

    We are an ISP and when we turned off ALL P2P traffic, everyone was calling and acting like the whole internet was useless now, so we gave in and allowed the traffic again.

    Thanks!

  6. Greg / Jan 18 2010

    Josh,

    Thanks for the question. To control this stuff, you really want a multi threaded attack. Give precedence to the important traffic, then give best effort to everything else. You can help identify P2P with connection rate, connection limit and connection bytes.

  7. Greg / Mar 30 2010

    NP :)

  8. Marcel / Apr 21 2010

    Please pardon me, I’m entirely new to this device, where will you put in these codes? We are using Winbox to connect to the router…

  9. Torrent Search / Apr 21 2010

    Hi Greg,

    good article but I guess that most of the current users want to share their files and therefore are not willing to close their ports.

    Regards,
    Marc

  10. Greg / Apr 22 2010

    In winbox click new terminal.

  11. Jacques / May 13 2010

    Great advice! Works like a charm. Are there more p2p blocking rules, or do these cover most or all of it?

    Regards,

    Jacques

  12. Greg / May 13 2010

    Jacques,

    This is for BT only, but you can use the standard P2P block built into MTK to alleviate some of the others.

  13. bofh / May 30 2010

    Even though the BT detection on the router is going to be problematic, all BT connections have some degree of leakage.

    If you use the p2p detection to mark the packet, then use the next marked packet to add the source ip to an address list, then use the address list to either drop the traffic, or qos it to 1 bps up/down, you can be really brutal to p2p users.

    I’ve used this strategy with a brand new install of utorrent, encryption required, no unencrypted incoming, drop a torrent in and watch the connection die.

    Some people may think this is too draconian, but I operate open AP’s for public use, and have too many users running BT unencrypted and causing me to have to deal with dmca letters.

  14. Greg / Jun 1 2010

    Robert,

    This method would be great for public access hotspots and the like. These guys have no expectations on quality. If you are running an apartment complex, though you can’t limit their entire connection down to 1up/down…half the complex would be submitting trouble tickets about slow connectivity :P

  15. di9383 / Jun 2 2010

    Well, these rules are not working for me. I use MikroTik 3.20; the rules have been added as shown in this topic and nothing happens. I type “torrent” in Google and get a lot of results as before. I use a transparent proxy, if that’s important.

  16. Greg / Jun 2 2010

    Would you mind providing more detail on your configuration (what port is inside, what is outside, what subnets you are using)?

  17. di9383 / Jun 3 2010

    I use a transparent proxy. All connections coming to port 80 go to proxy port 3128. All other kinds of traffic go directly through the router. I’m using one subnet with private addresses, 192.168.0.0/24.

  18. Greg / Jun 4 2010

    di,

    It looks like the input chain is before the forward chain. What this means is that it will enter your proxy server before it goes through the forward chain, and thus will not hit the firewall drop rule. You could try adding the drop rule to the input chain instead.

  19. di9383 / Jun 4 2010

    Greg,

    you were right! I forgot that the NAT redirect rule works before the firewall rules. First of all, all the packets coming to port 80 get redirected to port 3128, and when the firewall rules begin to work these packets seem to be going not to forward but to input for the router. So, after changing the chain to input, the first part of your topic (torrent-wwws) began to work. Thank you!
    But I have some questions about the second part, blocking DNS requests. It’s not working for me at all. As I understood it, we need this rule to stop requests to torrent sites made, for example, through web anonymizers. So, using this rule in forward (I suppose I should use the forward chain because this is not TCP traffic on port 80 being redirected by the NAT rule) or using it in the input chain gives no result for me :( The packet counter for this filter rule just shows zero in the status... Maybe you know what the problem is? Thanks in advance.

  20. di9383 / Jun 4 2010

    Greg, I apologize, you don’t have to answer my previous question. Everything is working; I just forgot to clear the local DNS server cache, so it looked like the DNS rule wasn’t working. After clearing it, everything became all right. The rule is working.
    Thanks a lot!

  21. Greg / Jun 4 2010

    di,

    Great, I’m glad it’s working. :) I’m always glad to fix a mysterious issue…it’s like magic, only without being mauled by white tigers.

  22. di9383 / Jun 4 2010

    Greg, one more question. As I understood it, those rules don’t work if the user goes to a torrent site using a web anonymizer, for example, this one

    http://anonymouse.org/anonwww.html

    I thought you said that the DNS resolving rule won’t let the user resolve the name into an IP using anonymizers. Or am I mistaken?

  23. Greg / Jun 4 2010

    That’s correct sir. It should block them from hitting domains that are in the regex list or contain torrent. If they hit a domain that isn’t matched by that list AND they use an anonymizer, then they will get through.

  24. di9383 / Jun 5 2010

    Yes, but I’m testing this on a domain that IS in the regex list. And the DNS name isn’t resolved if I don’t use the anonymizer, so the rule works correctly. And it is resolved if I do, so the rule seems not to work in this case.

  25. Greg / Jun 7 2010

    Bah…looks like it is proxying the DNS traffic as well. Try two firewall rules for the DNS block, one on input and one on forward.

  26. thefixer / Mar 19 2011

    you fail hard bro, this doesn’t work at all, what version of RouterOS are you using?

  27. Greg / Mar 19 2011

    @thefixer
    I do indeed fail hard my good man. I’ve tested this in 3.X and 4.X. This doesn’t specifically block the bit torrent client, rather it tries to block access to torrent resources, which will foil the average user. With the advent of encrypted clients, the days of application inspection are all but over. This traffic does have something of a pattern, though. I have no doubt someone far more clever than I and with more time could create some sort of reactive ROS script.

    Also remember that in this example, I’m applying it to the forward chain. If you are proxying traffic, web or DNS, you will need to also apply this to the input chain.

    I’d also like to say that it isn’t very frequent I get a celebrity on the site...I googled you. Wacky wild stuff there.

  28. raza / May 10 2011

    Block all torrent websites with a proxy; also block the path *.torrent file.

    It is the best way to block torrents.
    [[[[ There is no other way to block p2p sites ]]]]
    Don’t waste your time.

  29. Greg / May 10 2011

    @raza
    The L7 should pick up http gets that include *.torrent.

  30. thefixer / May 10 2011

    wow, my lame ego just got a nice fluff, lol, not so sure it’s a good thing, but since you’re apparently an intelligent individual, and seemingly impervious to my attempt to grief you, I will say thank you for sharing this. All my traffic also goes through a transparent squid cache machine that is also a dhcp server/firewall for my lan, but it gets inet piped from a mikrotik client/router first. Honestly, it’s a crappy old Rb112 and sometimes doesn’t take firewall rules the first time. I didn’t spend a lot of time with it, and frankly sorry for being a douchebag. I had just googled this article and found it, since firewall configuration on mikrotik isn’t my expertise; client side and pop wifi configs ARE. Nonetheless, thank you for sharing your work.

    haxradio.com <—shameless plug, enjoy our new project

  31. Theodore / Jan 12 2012

    hello, thank you for your code!
    it’s working fine and it’s more than useful!
    but why isn’t it blocking https?
    for example it works fine when blocking http://thepiratebay.org/ but it fails with https://thepiratebay.org/

    waiting for your reply!

  32. Greg / Jan 14 2012

    @Theodore
    The unfortunate part is that the https session will be encrypted and thus we can’t see inside the packets. You could have the L7 firewall rule add the dst address to an address list. Then create an additional rule that will block based on that address list.

  33. Lyndon / May 15 2012

    Code’s working awesome! Been using for a while. I had a question, though, I believe Blizzard has done it again with Diablo III that came out this morning.

    Do you know what regex I would use in another L7 exclusion?

  34. Greg / May 15 2012

    @Lyndon
    If you can provide me with a wireshark capture as described in the wow exclusion, I’ll be happy to make one for you.

  35. Lyndon / May 17 2012

    http://i23.photobucket.com/albums/b384/FlameFireXxX/Capture.gif

    There’s my capture!

    As a wild stab in the not-so-dark, could it be done by modifying the current script and instead of using “wow” use “worldofwarcraft”?

  36. Greg / May 17 2012

    @Lyndon
    That would work in this situation :)

  37. Tommy / May 21 2012

    Any update for this? We are getting goobers that cannot download the update for this dumb game.

  38. Lyndon / May 28 2012

    Just thought I’d give an update: there were quite a few different HTTP requests that Diablo III uses, and it was quite cumbersome to locate most of them and try to find a common regex. What I ended up doing was just removing “torrent” from the HTTP request filter, and it works well now, for both Diablo and World of Warcraft (without the regular exclusion). People still can’t DNS request “torrent”, and we still haven’t seen anyone running torrents, so we’re all happy here.

  39. John Martin / Aug 6 2012

    Hi,
    Thanx for a great guide!

    I have some tenants that have internet through my MikroTik router. They have their own router connected to mine via cable on the second ethernet port.

    But I do not want to block my computer, which is also connected by cable to the first ethernet port.

    How can I block them from using torrents and not me?
    Can I use this procedure?
    I’m new to MikroTik and linux, so I’m not so familiar with all the commands and how everything works :-)

  40. Greg / Aug 6 2012

    @John,

    Try putting the customer router connected to port 2 on a different subnet. Then have the policy apply on that customer’s subnet.

  41. John Martin / Aug 6 2012

    Thanx for the reply.

    I think they already are on a different subnet, because they can’t see us, and I can’t see them.
    My/our IP is 192.168.1.xx/24
    And my tenants’ is 192.168.2.xx/24

    If I’m right, and we already are on two different subnets, how do I only apply the policy to one subnet? :-)
    I tried to add in-interface=owner to the code, like this:
    /ip firewall filter
    add action=drop chain=forward comment="block torrent dns" disabled=no in-interface=owner dst-port=53 layer7-protocol=torrent-dns protocol=udp

    Just to be able to check whether it works before applying the policy to my tenants, but I did not get it to work. I was still able to reach the mentioned torrent sites.

    Any ideas?

  42. Greg / Aug 6 2012

    @John

    Instead of interface use src-address=192.168.2.0/24.

  43. John Martin / Aug 6 2012

    Hmm.. I really have no idea why this is not working. I deleted everything and started over, but the filter does not work..?

    Even if I use the code you wrote and add src-address=192.168.1.0/24 (my subnet, for testing).
    Does this still work on the new MikroTik RouterOS 5.19?

  44. Greg / Aug 6 2012

    @John,

    I’ve not tested, but it should still function.
