NetFlow: Monitoring BitTorrent Traffic
March 12, 2016
Monitoring BitTorrent traffic can be very difficult for security admins. BitTorrent traffic can expose your organization to viruses, illegal downloads and copyright infringement. Although it’s difficult to detect and analyze BitTorrent connections flowing through your networks, you can use NetFlow to identify some common BitTorrent ports.
The most common BitTorrent ports are TCP 6881-6889 and port 6969, which is often used to connect to the tracker.
You can correlate the systems connecting to external IP addresses on these ports with the number of connections made. BitTorrent traffic will commonly reach out to over 100 external hosts, which helps quickly identify this type of traffic.
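As an added example (not part of the original post), the correlation described above can be written in Python over flow records exported as CSV: filter on the ports listed, then count distinct external hosts per internal source. The column names, the RFC 1918 definition of "internal" and the sample flows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ports named in the article: TCP 6881-6889 (peers) and 6969 (tracker).
BT_PORTS = set(range(6881, 6890)) | {6969}
PEER_THRESHOLD = 100  # article: BitTorrent commonly reaches over 100 external hosts
# Assumption: the internal address space is RFC 1918; adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def bittorrent_suspects(flow_csv, threshold=PEER_THRESHOLD):
    """Map each internal host to its count of distinct external hosts contacted
    on the BitTorrent ports, keeping only hosts above the threshold."""
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) not in BT_PORTS:
            continue
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            peers[row["src"]].add(row["dst"])
    return {ip: len(p) for ip, p in peers.items() if len(p) > threshold}


def sample_flows():
    """Constructed flow export (documentation-range addresses as external hosts)."""
    rows = ["src,dst,proto,dst_port"]
    # 10.0.0.5: 150 external peers on 6881-6889 plus one tracker on 6969.
    rows += [f"10.0.0.5,198.51.100.{i + 1},tcp,{6881 + i % 9}" for i in range(150)]
    rows.append("10.0.0.5,203.0.113.10,tcp,6969")
    # 10.0.0.9: a single connection on 6881, well under the threshold.
    rows.append("10.0.0.9,203.0.113.20,tcp,6881")
    # 10.0.0.7: 200 external hosts, but on 443, so no port match.
    rows += [f"10.0.0.7,192.0.2.{i + 1},tcp,443" for i in range(200)]
    return "\n".join(rows)


if __name__ == "__main__":
    for host, count in bittorrent_suspects(sample_flows()).items():
        print(f"{host}: {count} external hosts on BitTorrent ports")
```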