Summary
When using a QNAP NAS storage system on the network, and the associated Download Station application, it is possible to start seeing Bittorrent traffic going through the Exinda from this QNAP NAS, due to a misclassification.
Overview
QNAP is a maker of NAS devices and the associated software that allows them to be used over a network of devices. One such application is the Download Station, which allows files to be downloaded to the QNAP NAS over the internet through a myriad of different protocols, including HTTPS, Bittorrent and Magnet Link. Once the setting is enabled on the NAS, and the application is utilized, it is able to create a connection to the NAS in context.
An Exinda that is monitoring traffic in this scenario will see Bittorrent traffic being sent after Download Station is enabled. Even when it is disabled, the IP address that belongs to the QNAP will still be sending traffic that is being classified as Bittorrent.
Cause
This is not a misclassification. Once the Download Station is enabled on the QNAP NAS, the appliance begins broadcasting traffic over UDP port 6881. This is a well-known port for a service that is part of some implementations of Bittorrent, known as the Distributed Hash Table (DHT). A DHT is used in distributed systems (not just Bittorrent) to keep track of data that is distributed over many hosts. It is similar to a local hash table, but in use over a network. This is how protocols such as Bittorrent and other P2P implementations supply information about which peers have which data to transmit.
In this case, it is believed that enabling Download Station, which has the ability to use Bittorrent and other P2P protocols, gets the QNAP appliance to create and transmit a DHT over the internal network. This is done through, as mentioned, the DHT port of 6881. This itself is not harmful traffic, and though it is classified as Bittorrent, as that is where it is mainly used, it is not indicative of misuse of network resources.
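To confirm that the UDP 6881 traffic coming from the NAS really is DHT before building a policy around it, the payloads can be checked against the DHT message format. The following is an added example, not part of the original article or of any Exinda or QNAP tooling; it assumes the KRPC message layout from BEP 5 (a bencoded dictionary with a `t` transaction ID and a `y` message type), which the article does not describe, and the sample packets and IP addresses are constructed.

```python
# Added example, not from the article: recognise DHT (KRPC, BEP 5) payloads on UDP 6881.
def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e / dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":               # running off the end raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict key without value")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[colon + 1:end], end
    raise ValueError("not bencode")

def classify_dht(payload):
    """Return 'query:<method>', 'response', 'error', or None if not KRPC."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, TypeError, RecursionError):  # malformed, unhashable key, too deep
        return None
    if end != len(payload) or not isinstance(msg, dict) or b"t" not in msg:
        return None
    kind = msg.get(b"y")
    if kind == b"q" and isinstance(msg.get(b"q"), bytes) and isinstance(msg.get(b"a"), dict):
        return "query:" + msg[b"q"].decode("ascii", "replace")
    if kind in (b"r", b"e") and kind in msg:
        return "response" if kind == b"r" else "error"
    return None

# Constructed sample packets: (source IP, UDP destination port, payload)
SAMPLES = [
    ("192.0.2.10", 6881, b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"),
    ("192.0.2.10", 6881, b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"),
    ("192.0.2.20", 6881, b"\x17\x03\x03\x00\x10not-a-dht-message"),
]

def dht_talkers(packets, port=6881):  # 6881 is the UDP port named in the article
    """Source IPs that sent at least one valid KRPC payload to the given port."""
    return {src for src, dport, data in packets if dport == port and classify_dht(data)}
```

A host that appears in `dht_talkers` output is sending genuine DHT messages; a host that uses the port but never produces a valid KRPC payload is worth a closer look before it is covered by the same policy.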
Resolution
The Exinda classifies this traffic as Bittorrent, but it does not inherently apply to any policies that involve the 'Bittorrent' application or the 'P2P' application group. As a result, choking or discarding Bittorrent or P2P traffic will not work on this DHT traffic, and it will fall into a 'Catch all' policy if one is defined, or the Auto Catch All if one is not.
In order to choke/discard this traffic, the easiest solution would be to create a custom application and add it to the P2P application group if a policy is already set up to discard it:
1. Create a custom application by going to Configuration > Objects > Applications, and filling out the form.
   - Give it a name such as 'DHT'
   - Leave the Network Object, DSCP and L7 Signature fields blank
   - Under 'Ports/Protocols', ensure the dropdown box is set to 'UDP Port/Range' and type in 6881
   - Create the application
3. On one of the blank dropdown boxes, find the custom application. Click 'Save'.
4. If a policy is already set up to throttle or discard P2P traffic, save the configuration and restart the optimizer. If not:
   - Create a policy
   - Ensure that the Action is set to either Optimize (with a guaranteed bandwidth of 1kbps and a max burst bandwidth of 3kbps) or Discard
   - Under the Filter Rules, create a rule that looks like the following:
     - VLAN: All
     - Source: All
     - Direction: Both
     - Destination: All
     - ToS/DSCP: All
     - Application: P2P
   - Create the rule, save the configuration and restart the optimizer.