Monday, December 12, 2011

How to limit or control bandwidth usage by users in a small local area network

How do we block or limit the bandwidth utilisation of a single or handful of users who exploit the network by saturating the bandwidth with P2P traffic?

How can we do this using a PC and a redly available software tools in a shared home network environment with out raising any alarms, with out using elaborate QOS service policies, proxy servers, or Cisco Switches/Routers?

I googled a bit and none of the solutions mentioned in various sites didn’t address my particular need.
As I was able to see from various forums I have browsed, this is an issue many people come across in daily life and till date I have not seen a definite simple solution.

To this question what people normally suggest is listed below:
  1. Use of a  Cisco or a Linksys router/ switch that has built in Quality of Service (QOS) features.
  2. Modify existing home router with hacked Linux firmware that enables QOS.
  3. Use of a proxy server or a specially designed bandwidth controlling software running on a gateway.
And the list goes on…

Yes, it is nice if you have a router that can do all that but in a SOHO environment it might not be the way to go. And after some time offending users may adjust their usage to coexist with other and spending money on hardware or software solution, which only get used for few days/weeks, might not be the best way to go about.

None of these solutions are cost effective, easy to implement/use and some may require the modification to the client machines or to the gateway router so that they redirect packets to the server which implements QOS feature instead to their default gateway. This cannot be done stealthily with out the help or consent of the user and I don’t think any one would give their consent to limit their bandwidth anyway.

So here is a simple yet effective solution to address just that. It limit the bandwidth utilisation at the network layer without alarming anyone , is simple, easy to configure and ethically very unsounding. Anyway what does these days?

These are the softwares you will need:

1. Cain & Able
2. Net limiter (Free version)

STEP 1 - Installing and configuring the software

First install both of these softwares in to a PC/Virtual machine that can act as a router. Cain & Able is considered by many antivirus software as an malware/hack tool. So you may need to create an exception for it in your antivirus software.

Secondly you will have to disable Windows or any other firewall in use or add exceptions to it to so that
Cain & Able can do it's job properly.

Optionally you can go to Configuration-> APR (ARP poison Routing) tab and set  spoofing options. This will makes it harder for the victim to trace your activities on the network.


STEP 2 - Running Cain & Able and Poisoning the ARP cache in the offending machine

This needs to be done so that our machine acts as a router sitting in between the offending machine and the gateway router. Yes, for those who are curious, technically this is a “Man in the middle attack”. But this is the easiest way to get the offensive traffic flow through our desired PC with out much hassel.

I will not try to explain this step in detail in here. please watch the movie below that explains it well.

Once you activate the ARP poisoning on the target machine , it will show up similar to the image shown above. As you can see this machine has hundreds of incoming and outgoing connections. This is a classic sign of running a P2P software.


STEP 3 - Run Netlimiter and limit the bandwidth as you find appropriate.

Once the offending machine is ARP poisoned, then you can open Netlimiter and check traffic routing through the interface by expanding Thrugoing nod. usng the bandwidth limiting capability in the Netlimiter , we can assign upload/download limits to individual machines or if you are lazy , you can cap  everything by setting limits to the Thrugoing nod.

Cain & Able is designed to deploy man in the middle attacks to collect and crack passwords from remote machines. In here we have put it in to  good cause .

As part of this configuration Cain & Able will collect many sensitive information flowing through it including plain text or encrypted  passwords …. So be ethical. With great powers comes great responsibility.