Please explain how its traffic pattern looks different than, say, an xbox360 game where one console hosts and the other consoles connect.
Or from a webrtc video call / ring [0] call.
Or a person downloading a few files from 10 to 20 different websites.
I don't see how my computer connecting to 10 IPs is characteristic of BitTorrent and not of performing encrypted communication of another type with said IPs.
I'm not an expert, but I can imagine how it might be possible to determine BitTorrent traffic from Xbox 360, voice call, or simultaneous downloads from 20 different websites, using flow analysis and some other data points, to a fairly high degree of certainty, in some cases.
In support of my amateur assessment I present the following Wikipedia entry on the subject:
"Some ISPs are now using more sophisticated measures (e.g. pattern/timing analysis or categorizing ports based on side-channel data) to detect BitTorrent traffic. This means that even encrypted BitTorrent traffic can be throttled. However, with ISPs that continue to use simpler, less costly methods to identify and throttle BitTorrent, the current solution remains effective.[citation needed]
Analysis of the BitTorrent protocol encryption (a.k.a. MSE) has shown that statistical measurements of packet sizes and packet directions of the first 100 packets in a TCP session can be used to identify the obfuscated protocol with over 96% accuracy.[22]
The Sandvine application uses a different approach to disrupt BitTorrent traffic ..."
I guess like everything, it's an arms race; and a sufficiently determined network monitor probably has the average BitTorrent user blocked. Might not be worth the effort though.
>Please explain how its traffic pattern looks different than, say, an xbox360 game where one console hosts and the other consoles connect.
because you're maybe connecting to 100 players max, with relatively low bandwidth use
>Or from a webrtc video call / ring [0] call.
again, relatively low bandwidth
>Or a person downloading a few files from 10 to 20 different websites.
those websites run on port 80 or 443 whereas torrents use random ports > 1024, so that's a dead giveaway there. plus most people (even powerusers) don't have 10 to 20 parallel downloads from multiple sites. even if it's really someone downloading from 10 to 20, that probably puts them in the 99.99 percentile of bandwidth use, and they probably should be throttled anyways.
>if it's really someone downloading from 10 to 20, that probably puts them in the 99.99 percentile of bandwidth use, and they probably should be throttled anyways.
That's a really strange sentiment to me. I'm paying for 100mb/s, not for "100 mb/s, in certain specific circumstances over specific protocols". Ones and zeros, the rest of it is _my_ concern, not my ISP's.
Actually, what you're paying for is probably "bursts up to 100 mb/s" rather than "sustained traffic of 100 mb/s," whether or not it's marketed that way. ISPs commonly "oversubscribe" trunk lines dramatically. Back when I did trunk management at a big ISP in the dark ages of the internet (the late '90s), we oversubscribed at about a 5:1 ratio: basically, we sold 5 times as much bandwidth as the trunk actually had. As long as there was free bandwidth available you could get your full amount, but the amount you were guaranteed was one-fifth of that.
Of course, those were business lines and all those numbers were actually in the fine print of the contract. As far as I've been able to determine, if your residential ISP is only oversubscribing at a 10:1 ratio, you're pretty lucky (I've seen some reports from industry consulting firms that suggest 50:1 is more common), and the chances are they're not guaranteeing a minimum speed they can be held to.
There is a minimum speed guaranteed for most home subscribers but that is a fraction of dialup speed. Home routers do latency profiling to have a better connection stability; meaning even if you do not fill bandwidth, all your requests will be delayed to smooth out until the buffer completely fills.
In most operators, limited bandwidth users are oversubscribed and unlimited bandwidth users are linked to dedicated channels. Oversubscription ratio is around 20:1 for DSL and 100:1 for mobile here in Turkey.
If you were really paying for 100 mb/s dedicated, guaranteed bandwidth, you would be paying thousands of dollars a month.
Edit: I’m getting downvoted, so I went and looked it up. It’s not “thousands”, but it’s close to $1000/mo, from the first provider I checked: https://imgur.com/gallery/9ZdlqXt
The handshake for establishing a BitTorrent connection with a peer literally starts with the string "BitTorrent protocol". I don't think it's that hard for ISPs to detect that. BitTorrent encryption prevents that but it's not used everywhere.
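An added example, not part of any comment in this thread: a Python check for the plaintext handshake mentioned above, as a network monitor might apply it to the first payload of each TCP flow. Per the BitTorrent specification (BEP 3) the handshake is a length byte 19, the ASCII string `BitTorrent protocol`, 8 reserved bytes, a 20-byte info hash and a 20-byte peer ID. The function names and all sample payloads are constructed for illustration.

```python
import hashlib
import struct

PSTR = b"BitTorrent protocol"                 # protocol identifier (BEP 3)
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes in total


def parse_bt_handshake(payload: bytes):
    """Return handshake fields if payload starts with a plaintext
    BitTorrent handshake, otherwise None."""
    if len(payload) < 1 + len(PSTR):
        return None
    # The first byte is the length of the protocol string, then the string.
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None
    fields = {"complete": len(payload) >= HANDSHAKE_LEN}
    if fields["complete"]:
        reserved, info_hash, peer_id = struct.unpack_from(
            "8s20s20s", payload, 1 + len(PSTR))
        fields.update(reserved=reserved.hex(),
                      info_hash=info_hash.hex(),
                      peer_id=peer_id)
    return fields


def classify_flows(first_payloads):
    """Label each flow from the first payload bytes the initiator sent."""
    return {
        flow_id: "bittorrent-plaintext" if parse_bt_handshake(data) else "unknown"
        for flow_id, data in first_payloads.items()
    }


# Constructed sample data: first client payload of four hypothetical flows.
SAMPLE_FLOWS = {
    # Plaintext handshake with a made-up info hash and peer ID.
    "flow-1": bytes([19]) + PSTR + bytes(8) + bytes(range(20))
              + b"-XX0001-" + b"0" * 12,
    # Ordinary HTTP request.
    "flow-2": b"GET /file.iso HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Start of a TLS ClientHello record.
    "flow-3": bytes.fromhex("1603010200010001fc0303") + bytes(32),
    # Random-looking bytes standing in for an obfuscated (MSE) session start.
    "flow-4": hashlib.sha256(b"constructed sample").digest() * 3,
}

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE_FLOWS).items():
        print(flow, label)
```

The obfuscated stand-in (`flow-4`) stays `unknown` under this signature check, which is why the statistical packet-size and direction analysis quoted earlier in the thread is what gets used against encrypted sessions.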
Encrypted or not, BitTorrent traffic still looks like BitTorrent traffic.
The BitTorrent protocol has a peculiar connection pattern.