We are frequently asked to protect a WISP's backhaul from excessive use by a minority of its clients, who in turn spoil the experience for the majority. In one case, a provider had a 200Mbps leased line that was 100% saturated with BitTorrent and binary Usenet (NNTP) downloads. Possibly to drive home how bad things had become, their tech was calling me on one of their VoIP phones, which kept dropping out. Once we looked at the config on his Mikrotik router, we could quickly see why.
They had a few hundred customers, but only a handful of those clients were establishing tens of thousands of connections to BitTorrent peers and eating all the available bandwidth. We did suggest they could contact those clients and explain the meaning of 'fair use', but they were looking for a technical solution: those clients could have as much bandwidth as they wanted, as long as other services were not affected.
We advised the client that what they needed was a prioritised service: VoIP calls and network control traffic (routing protocols, ICMP) at the highest priority; HTTP web browsing at medium priority; then email and FTP; and at the very bottom, all the BitTorrent and NNTP traffic at the lowest priority of all.
We arranged this with the Mikrotik's Queue Trees and some PCQ queue types. PCQ, or Per Connection Queuing, allows some pretty clever tricks. Despite the name, it is usually classified by source or destination address: each customer address becomes its own sub-stream, and each sub-stream can be capped at a fixed rate (pcq-rate), which we set very low for BitTorrent and other unidentified traffic. The queue tree entry that uses the PCQ type then has its own max-limit, capping how much bandwidth that whole category of traffic can pull from the link, and a priority so that one class of traffic takes precedence over another. Note that the priority only comes into play when the parent queue is contended, so the root of the tree must be limited slightly below the real link speed; otherwise the upstream is the bottleneck and the router never gets to choose.
We also installed scheduled scripts that switch the 'garbage' queue, which carries all the unidentified traffic such as BitTorrent, between two settings. During peak hours the client base gets a limited amount of bandwidth for it, but once the network goes quiet (in this case between 0100 and 0600) the other setting opens the flood gates for the 'garbage' while still prioritising the VoIP and gaming traffic.
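As an added example (not the configuration from this deployment), here is a RouterOS 6 queue layout of that shape for the download direction. It shapes on an assumed customer-facing interface named ether2-customers, assumes the packet marks voip, netctl, web, mail, ftp and garbage are already being set by mangle rules, and all rate figures are illustrative:

```routeros
# Added example, not the provider's own config. PCQ queue types:
# pcq-classifier=dst-address makes each customer address a sub-stream;
# pcq-rate caps each sub-stream (0 = no per-address cap). Figures illustrative.
/queue type
add name=pcq-down-voip kind=pcq pcq-classifier=dst-address pcq-rate=0
add name=pcq-down-web kind=pcq pcq-classifier=dst-address pcq-rate=8M
add name=pcq-down-mail kind=pcq pcq-classifier=dst-address pcq-rate=4M
add name=pcq-down-garbage kind=pcq pcq-classifier=dst-address pcq-rate=256k pcq-limit=50 pcq-total-limit=2000

# One HTB tree on the (assumed) customer-facing interface. The root max-limit
# sits a little below the 200Mbps line so this queue, not the upstream, is the
# bottleneck; otherwise the priorities never get to act.
# priority=1 is highest, 8 lowest; limit-at is the guaranteed share per class.
/queue tree
add name=down parent=ether2-customers max-limit=190M
add name=down-voip parent=down packet-mark=voip priority=1 limit-at=10M max-limit=190M queue=pcq-down-voip
add name=down-netctl parent=down packet-mark=netctl priority=1 limit-at=2M max-limit=190M queue=default
add name=down-web parent=down packet-mark=web priority=3 limit-at=60M max-limit=190M queue=pcq-down-web
add name=down-mail parent=down packet-mark=mail priority=5 limit-at=10M max-limit=190M queue=pcq-down-mail
add name=down-ftp parent=down packet-mark=ftp priority=6 limit-at=10M max-limit=190M queue=pcq-down-mail
add name=down-garbage parent=down packet-mark=garbage priority=8 limit-at=10M max-limit=30M queue=pcq-down-garbage

# Off-peak schedule (01:00-06:00): open the garbage class and remove its
# per-address cap. The priority ordering still applies, so VoIP still wins
# whenever the link is contended. Daytime values are restored at 06:00.
/system scheduler
add name=garbage-open start-time=01:00:00 interval=1d on-event="/queue tree set [find name=down-garbage] max-limit=190M; /queue type set [find name=pcq-down-garbage] pcq-rate=0"
add name=garbage-close start-time=06:00:00 interval=1d on-event="/queue tree set [find name=down-garbage] max-limit=30M; /queue type set [find name=pcq-down-garbage] pcq-rate=256k"
```

The sum of the limit-at values (102M) stays below the parent's max-limit, as HTB requires for the guarantees to mean anything. The upload direction is a mirror of this tree on the WAN interface with pcq-classifier=src-address. After applying it, `/queue tree print stats` shows bytes, packets and drops per class; a garbage class sitting at zero while the link is saturated means the packet marks are not being applied, not that there is no garbage.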
It is often said that it is impossible to identify BitTorrent traffic. That is partially correct; the better answer is that it is hard to identify what is BitTorrent traffic, but it is not impossible. We have perfected a technique that is actually childishly simple: instead of trying to detect what is BitTorrent traffic, detect what isn't. In the words of Sherlock Holmes, "When you have eliminated the impossible, whatever remains, however improbable, must be the truth."
Therefore, by detecting all the good traffic, anything that remains must be bad traffic. We do this with a combination of firewall mangle rules that match on IP addresses, protocols and ports, plus Layer7 filtering. Some of the Layer7 filters were developed in house after extensive use of Wireshark! The caveat is that the allowlist is only as good as it is specific: anything that tunnels over an allowed port (443 in particular) inherits that port's class, so the rules for the highest priority classes should be tied to the provider's own server addresses wherever possible rather than to ports alone.
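The classification by elimination, as an added example rather than this provider's actual rule set: mark every kind of traffic known to be good, most specific first, and let a final catch-all sweep whatever is still unmarked into the garbage class. The port numbers are the common defaults; the RTP range, the voip-servers address list and the Layer7 pattern are assumptions for illustration (the in-house filters mentioned above are not reproduced here); the packet mark names are what a queue tree would key on.

```routeros
# Added example, not the provider's own rules.
# Layer7 matcher for HTTP on any port. Illustrative pattern only: RouterOS L7
# regexps are case-insensitive and only the first packets of a connection are
# inspected, so this is cheap but easy to evade.
/ip firewall layer7-protocol
add name=l7-http regexp="^(get|post|head|put) [^ ]+ http/1\\.[01]"

# Address list for the provider's own SIP/RTP servers (addresses assumed).
/ip firewall address-list
add list=voip-servers address=203.0.113.10 comment="PBX (assumed, documentation range)"

/ip firewall mangle
# Connection marks. Rules are evaluated top to bottom and each one only
# touches connections nothing above has claimed (connection-mark=no-mark).
# chain=prerouting sees transit and inbound traffic; the router's own
# output (e.g. its OSPF) would need the same marks in chain=output.
add chain=prerouting connection-mark=no-mark protocol=udp port=5060,10000-20000 dst-address-list=voip-servers action=mark-connection new-connection-mark=conn-voip passthrough=yes comment="SIP + RTP to our PBX (RTP range assumed)"
add chain=prerouting connection-mark=no-mark protocol=udp port=5060,10000-20000 src-address-list=voip-servers action=mark-connection new-connection-mark=conn-voip passthrough=yes comment="SIP + RTP from our PBX"
add chain=prerouting connection-mark=no-mark protocol=icmp action=mark-connection new-connection-mark=conn-netctl passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=ospf action=mark-connection new-connection-mark=conn-netctl passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=udp port=53 action=mark-connection new-connection-mark=conn-netctl passthrough=yes comment="DNS"
add chain=prerouting connection-mark=no-mark protocol=tcp port=80,443 action=mark-connection new-connection-mark=conn-web passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=tcp layer7-protocol=l7-http action=mark-connection new-connection-mark=conn-web passthrough=yes comment="HTTP on non-standard ports"
add chain=prerouting connection-mark=no-mark protocol=tcp port=25,110,143,465,587,993,995 action=mark-connection new-connection-mark=conn-mail passthrough=yes
add chain=prerouting connection-mark=no-mark protocol=tcp port=21 action=mark-connection new-connection-mark=conn-ftp passthrough=yes comment="FTP control channel only; passive data channels fall through"
# Catch-all: whatever is still unmarked is, by elimination, garbage.
add chain=prerouting connection-mark=no-mark action=mark-connection new-connection-mark=conn-garbage passthrough=yes

# Packet marks derived from the connection mark. passthrough=no so each
# packet leaves the chain at its first matching packet-mark rule.
add chain=prerouting connection-mark=conn-voip action=mark-packet new-packet-mark=voip passthrough=no
add chain=prerouting connection-mark=conn-netctl action=mark-packet new-packet-mark=netctl passthrough=no
add chain=prerouting connection-mark=conn-web action=mark-packet new-packet-mark=web passthrough=no
add chain=prerouting connection-mark=conn-mail action=mark-packet new-packet-mark=mail passthrough=no
add chain=prerouting connection-mark=conn-ftp action=mark-packet new-packet-mark=ftp passthrough=no
add chain=prerouting connection-mark=conn-garbage action=mark-packet new-packet-mark=garbage passthrough=no
```

Two things to check after applying this. `/ip firewall mangle print stats` should show the catch-all rule counting connections and the VoIP rules counting only when calls are in progress; if the VoIP counters climb steadily, a client has found that UDP in the RTP range buys priority, which is exactly why the rule is tied to the PBX address list and why the queue tree bounds each class with limit-at and max-limit. And since every rule above the catch-all is an allowlist entry, a torrent client configured to run over port 443 lands in the web class; that is the price of detecting by elimination, and the per-address pcq-rate on the web queue is what keeps it from mattering much.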
So, what of our customer with the 200Mbps link at 100% saturation? His clients can now make perfectly clear phone calls, and total network usage has dropped from 200Mbps to an average of about half that. The gamers on the network still get low latency and an excellent game, even at night when the torrents are running at full speed.
Here is an example from a typical weekday’s usage: