P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up, the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is necessary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
This is obviously a problem that lies in every school district and also in college. Just take charge and let the teachers know (in a non-technical and informative way) the reasons that you want to block these specific P2P networks from being accessed. If you set a standard, people will conform.
My favorite method at this time is to just shut off whatever I need to shut off. Limit access where it needs to be limited.
Then when the questions start flying I just shrug and try to look dumb. "I don't know what happened to your ability to download porn at work."
They won't know what's going on and most people despite all reason believe that computers act in a random and hurtful manner of their own volition.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
When it comes to implementing technology policy in any organization unfortunately the only way to be successful is to have 100% support from upper mgmt (or in your case administration). You can always regulate on your own and act like you have the authority, but sooner or later you'll piss off the wrong person and that person will just so happen to be best buds with your boss. Good luck.
It truly amazes me how many times I've been hired or contracted to do something but not had the authority to follow through.
I know that I have worked in a large agency (I would prefer not to name names) and we had a similar problem. We just cut them off, and waited to see who got mad. The thing is that most people have a tendency to not complain if they know that what they are doing is not completely in the best interest of where they work. The bottom line is that it is not their private connection, it is the school district's, and the school district should be allowed to limit if necessary. Now stopping these connections, that can be a bit more tricky, but there are software apps out there that will do it, or if you are really good do what we did, and write your own :).
With a linux firewall this is easy to do with qos and such.
They can still use p2p systems, you just limit the bandwidth to levels not harming genuine educational use. This shouldn't be hard to sell to your supervisors.
Jeroen
Secure messaging: http://quickmsg.vreeken.net/
Or find software to throttle down all ports but email, ftp and http - Teachers might complain about completely blocked P2P access but will they complain about horrible speed?
What I have done in the past is to write out the policy in a form that would only require a signature. Then present it to the powers that be. If they need explanations, then explain why this policy is necessary.
The trick overall is to do as much legwork as possible so the boss has very little to do but read and sign. If you approach the boss saying "I need you to write a policy to ban people downloading porn." then you add to your boss's workload. If you say "Here is a policy that prohibits downloading porn on the network, please approve it", then the boss's time commitment is significantly reduced and the likelihood of it being implemented is high.
Of course, stay on it, daily if needed. It may not hurt to create a graph or two showing bandwidth utilization vs. time of day, broken down by workstation. It would probably be even better if you used something to capture the stream so you could show your boss exactly what these people are doing.
If all that doesn't work, don't be afraid to document (via email or other dated message delivery service like sending it to yourself in a USPS letter) everything that you asked to have happen, when you asked, the results, etc, etc... create the paper trail. Then be prepared to go above the boss (PTA, School Board, Press).
Ron Gage - Westland, MI
Been there, done that, nearly got sued.
Block the ports. Clearly (and simply) explain the problem. Tell them that your supervisor must make that kind of (legal) call.
Talk to your supervisor/Dean/Principal. Make *them* sign off on any open ports/applications.
It has the additional advantage that, if they have a problem with it and decide to bring the issue up with a higher power, they probably won't be able to explain why it's so important for them to be able to download music or images or whatever, and therefore probably won't get anywhere. A few weeks after we started blocking Napster, Gnutella and friends, the school principal sent out an email without consulting us saying that those programs were no longer allowed... most likely because he had no idea before people started complaining of what these programs were even for.
exactly what we did...block ports and make them send you a note detailing why they want a specific port open. Most people will realize how stupid what they're asking is if they have to sit down and write it out. errr please open these ports so I can run my p2p software to pirate music using school resources...umm maybe I better not send that one :) Use SECURITY as the overall kicker, in order to maintain the security and integrity of the network it is essential the Admin knows what's going on. BTW if you do get a moron asking for P2P ports forward it to the rest of the staff for a good laugh.
:)
Follow the examples of the Bastard Operator from Hell and you cannot go wrong
errr....umm...*whooosh* *whoosh* Is this thing on ?
I agree with the limiting the bandwidth factor over outright blocking it. Your normal user will stop using something if it starts moving at unbearably slow speeds.
There are some really expensive commercial products on the market, but it doesn't sound like it's in your budget. Zebra (www.zebra.org) can run QoS, and I'm sure there are other open source alternatives. Hell, even M$ has had an implementation since 2k.
My friend and some associates started a wireless ISP sharing a T1. A few residential users started using P2P such as Bearshare and Morpheus to share out 'their' files. That saturated our T1 line. We used FreeBSD and the altq program which allowed us to throttle traffic and bandwidth as we saw fit. The current setup is that http traffic gets about 70% of priority with all 'other' traffic sharing the remaining 30%. If the http traffic is not in use, then the 30% group can grow. But if http starts back up again, then the 30% group is throttled back to 30%.
A suggestion to the gentleman in the school district would be to evaluate the 'critical' traffic that your teachers and administrators need. I would think http would be the first priority. Start by giving 60% to 70% of bandwidth to http then the remaining 30% to 40% to everything else. This includes ftp, RealPlayer, Streaming music, IRC chat, anything. Now, what this gains you is that you give limited bandwidth to other programs, but you don't shut anyone down. Your users will complain that ftp downloading is slow, but their web surfing is extremely fast.
On our network we have noticed that the amount of use on BearShare and Morpheus and P2P file sharing has dwindled. Only those that put up with the slower speeds are using them.
Good luck.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/>CS d(+) s:+ a- C++$ UB++++ P+>++ L- E--- W++>+++ N o+ K? w-->--- O- M>+ V-- PS(+@) PE+>() Y+>++ PGP+>++ t(+) 5- X(+) R+(++) tv+ b+ DI D+(++) G++ e+>+++ h---() r+++ y?
------END GEEK CODE BLOCK-----
What I am I once was. What I now become I long to be. Life is a journey not a destination.
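The 70/30 split with borrowing described in the post above can be expressed on a Linux router with `tc` and HTB instead of the FreeBSD altq setup the poster ran. This is an added example, not the poster's configuration; the interface name, the T1 rate of 1544 kbit/s and the choice of ports 80/443 as "web" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Linux tc/HTB version of the 70/30 split.
# Assumed values: interface name, T1 line rate, web traffic = TCP ports 80 and 443.

IFACE="${IFACE:-eth1}"          # assumed interface the shaped traffic leaves by
LINK_KBIT="${LINK_KBIT:-1544}"  # T1 line rate in kbit/s
WEB_PCT="${WEB_PCT:-70}"        # share guaranteed to web traffic

# usage: shaper_rules <link_kbit> <web_pct> <dev>
# Prints the tc commands; nothing is changed on the system by this function.
shaper_rules() {
    link=$1; pct=$2; dev=$3
    for n in "$link" "$pct"; do
        case "$n" in
            ''|*[!0-9]*) echo "link and percentage must be integers" >&2; return 1 ;;
        esac
    done
    if [ "$pct" -lt 1 ] || [ "$pct" -gt 99 ]; then
        echo "web share must be between 1 and 99" >&2
        return 1
    fi
    web=$(( link * pct / 100 ))   # guaranteed rate for web traffic
    other=$(( link - web ))       # guaranteed rate for everything else

    # rate = guaranteed share, ceil = how far a class may borrow when the
    # other class is idle. Unclassified traffic (including IPv6, which the
    # "protocol ip" filters below do not match) lands in the default class 1:20.
    cat <<EOF
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${link}kbit ceil ${link}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${web}kbit ceil ${link}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${other}kbit ceil ${link}kbit prio 1
tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
EOF
    # Match web ports as source (responses heading to clients) and as
    # destination (requests heading out), so the rules fit either side.
    for port in 80 443; do
        for dir in sport dport; do
            printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip %s %s 0xffff flowid 1:10\n' \
                "$dev" "$dir" "$port"
        done
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    # Needs root. Clear any previous root qdisc, then apply the rules.
    tc qdisc del dev "$IFACE" root 2>/dev/null || true
    shaper_rules "$LINK_KBIT" "$WEB_PCT" "$IFACE" | sh -e
else
    # Default: dry run, print what would be applied.
    shaper_rules "$LINK_KBIT" "$WEB_PCT" "$IFACE"
fi
```

HTB shapes traffic leaving the interface, so downloads are shaped on the LAN-facing side of the router and uploads on the WAN-facing side.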
taken from this article
Second, administrators that attempted to block the AIM service by blocking the default port of TCP/20379 were in for a shock. The AIM client/server model is extremely versatile and doesn't pay any attention to WKS (Well Known Services); the login server allows connections from every TCP port under the sun, including the ports that are likely permitted for business reasons: TCP/21 (ftp), TCP/80 (http), and TCP/443 (https). While we would never do something nasty like run nmap against login.oscar.aol.com, we think you'd be surprised if you knew just how many AIM-open ports there are.
AIM also runs over proxy; and the client has an "auto-configure" button that makes it really easy for Nancy in Human Resources to bypass your perimeter security. In a nutshell, AIM's a slippery little devil and just about impossible to block unless you're using a perimeter device with content inspection capabilities. We can expect more user toys to start exhibiting these perimeter-security-bypassing traits, which means that you will not know what applications are actually in use on the network layer, since the port number will become meaningless.
Remember when the RIAA did their experiment with those kids downloading a ton of music before the Grammys, well those same kids said they got most of their content with AIM. Shutting down everything except HTTP/SMTP/POP may not even cut it nowadays.
Computers in K-12 situations are for education use only. Downloading the newest screener or a gig of mp3's is not educational, even though it is quite fun.
At my high school we originally had no internet, then ISDN, then T1 for the entire district, and people were always trying to run these programs.
If it is the teachers that are doing it, it's harder to monitor the computers because you can't make a script that deletes things that aren't supposed to be on the computer, etc, but blocking all of the ports except for the necessary ones definitely will help. There aren't that many ports needed to check email, surf the web, etc.
As was mentioned earlier, it can be a security issue and there should be policies for both that as well as the educational use agreement. Teachers have to sign the agreement not to look at porn/do illegal things etc on school computers just as the students do in the local district here.
Since you're going to be taking charge, eliminate the support program of preference for more than 99% of viruses.
Rather than just blocking ports, put up an FTP server as well, and hand out forms asking people what they want the school to make available on them. That way, they have to write it down and put their names to it. Explain that people making multiple downloads of the same thing was costing the school a fortune. Redirect any web or FTP request for a file ending EXE COM ZIP RAR ZOO BAT TGZ TAR.GZ RPM ISO MP3 etc to the FTP server, so if you have it, they get it and if you don't, they have to ask (put a form for that in Squid's file-not-found page).
Actively scan the Squid logs for porn, and if you're getting reliable requests for same from a specific user or machine, print out a list, walk down and ask them if they knew that their class was downloading pornography, and could they please stop because the principal is very busy and doesn't want to get involved. Log these incidents and CC the log to the principal's office regularly. If you don't, and someone else does the busting, your ass is on the line.
Just do it, fait accompli, and when the complaints start rolling in, log them, hand out a form, and if they refuse the form ask them why they want to send the school broke. Instantly, in writing, and CC it to the principal.
You're in the right. Act like it. Otherwise that job's not worth having for less than USD$100k a year.
Got time? Spend some of it coding or testing
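For the Squid log review suggested in the post above (and the per-workstation bandwidth figures other posters recommend showing to management), a per-client summary is a practical starting point. This is an added example, not code from the thread; it assumes Squid's native access.log format, uses the file extensions listed in the post, and runs on constructed sample log lines.

```shell
#!/bin/sh
# Added example (not from the thread): per-workstation byte totals from a
# Squid access.log in native format:
#   time elapsed client code/status bytes method URL user hierarchy/peer type

# Extensions from the list in the post above, lower-cased (TAR.GZ is covered by gz).
BULK_EXT='exe|com|zip|rar|zoo|bat|tgz|gz|rpm|iso|mp3'

# usage: squid_usage <access.log>
# prints: client total_bytes bulk_file_bytes requests   (largest total first)
squid_usage() {
    awk -v ext="$BULK_EXT" '
        NF >= 7 && $5 ~ /^[0-9]+$/ {
            url = tolower($7)
            sub(/^[a-z][a-z0-9+.-]*:\/\/[^\/]*/, "", url)  # keep the path only, so a
                                                           # .com host is not a "COM file"
            sub(/[?#].*$/, "", url)                        # drop query string / fragment
            total[$3] += $5
            reqs[$3]++
            if (url ~ ("\\.(" ext ")$")) bulk[$3] += $5
        }
        END {
            # %.0f avoids 32-bit truncation of large totals in some awk builds
            for (c in total)
                printf "%s %.0f %.0f %d\n", c, total[c], bulk[c], reqs[c]
        }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample data: private addresses and example domains only.
write_sample_log() {
    cat > "$1" <<'EOF'
1020000000.123    350 10.0.5.21 TCP_MISS/200 4200 GET http://www.example.org/lesson/index.html - DIRECT/192.0.2.10 text/html
1020000004.500  91000 10.0.5.37 TCP_MISS/200 4500000 GET http://files.example.net/music/track01.MP3 - DIRECT/192.0.2.20 audio/mpeg
1020000009.010  60000 10.0.5.37 TCP_MISS/200 700000000 GET http://files.example.net/images/disc1.iso?mirror=2 - DIRECT/192.0.2.20 application/octet-stream
1020000011.700    120 10.0.5.21 TCP_HIT/200 1800 GET http://www.example.org/lesson/style.css - NONE/- text/css
1020000015.250    900 10.0.5.44 TCP_MISS/200 52000 GET http://example.com/ - DIRECT/192.0.2.30 text/html
EOF
}

if [ -n "${1:-}" ]; then
    squid_usage "$1"                 # real log given on the command line
else
    tmp=$(mktemp)                    # no argument: run on the constructed sample
    write_sample_log "$tmp"
    squid_usage "$tmp"
    rm -f "$tmp"
fi
```

The output is keyed by client address, which keeps an initial report free of names, as another poster in this thread advises.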
I've dealt with a very similar problem. I work at a university, and we have a very fat pipe to both the internet and I2. The specific problem is students living in the dorms using all the bandwidth with P2P type traffic.
Not wanting to play 'police', we didn't stop them from using P2P, we just used our firewall to limit the total use of specific protocols and ports to 5 percent of the total traffic.
It has been a very effective solution.
Obviously, you've never worked in a school environment before. I'm guessing you're corporate, but a much smaller level (even Fortune 500's have more politics than your work). Small but growing regional business? Anyways, let me get back on topic.
I briefly worked on a smallscale rollout project for a major (top 50 in population) city school system. There were ongoing political issues at the superintendent level, unrelated to our technical problems, but likely to affect everyone's job one way or another. But virus problems were becoming impossible to deal with, so they moved the date forward for another rollout project, and added a Norton AV procedure.
Let me tell you, even the smoothest Windows rollout project sucks, they are never interesting no matter what. You never learn much, but when times are tight like they have been...
Well, the firm I usually deal with, calls up with this job, and they tell me 5-7 months of steady work. Those in the know, know that this means at best 3-5 months of less than 40 hours per week, but that was figured into my equations. They make it out that this is as simple as it gets, just me and another fellow, to make it last longer, and spread out the cost for the school system (Don't these places have an annual budget?!? Don't ask me...). No problem. Only after awhile, does it become apparent that this guy was only barely competent to begin with.
Well, this tech firm (which will remain nameless, they've sued ex-employees before over such) put the new sales rep on the school. That was bad. When the school says they just want the 2 grunts, and want to use one of their admins for the project manager, he agrees. Doesn't even diplomatically suggest different. He meets with her several times, still doesn't suggest otherwise. She was, unfortunately, a total ditz that apparently passed a CNE bootcamp course a few years back. But if her technical competency was horrible, then her management skills were absolutely abysmal. This had disaster written all over it, right from the beginning.
Well, you remember how I said that it was a rollout already planned? Well, the bulk of it was for some Novell Netware software, zenworks client, a few other things that I never actually learned of. Well, the ditz CNE's boss (also a woman, hate to be sexist but...) was having a power lunch with the VAR who was pushing the nw software. And she signed the deal, I think this was for at least $90,000... only this particular software only works with NT. There was no netware equivalent. 100 grand, gone like that. I don't know what was worse, that she would buy software that she obviously had no clue about, or that there is a VAR out there that sleazy.
I go into the briefing, just the tech firm, no client people there. I ask, time and again, was this tested, was that... "Yes, everything has been tested thoroughly, we expect you to be able to do the installs 20 minutes tops, per station". We start the next week, at City Hall (the admin offices are the top 3 floors). It's a total mess. The dumbass CNE/admin decides that first morning, that she would like us to do an inventory at the same time. Hands us some copies of paperwork, standard SN, asset #, etc. We're talking close to 25,000 machines throughout the school district (though not all are in scope for this rollout, maybe only half that). What does she think, that it means anything on paper? Is she gonna do data entry herself, when we turn these in? Or is she just trying to sabotage us even more?
In the administrative offices, there is a mixture of Win95a/win95b/win98/NT4/win2k. Wide variety of machines, including some new ones being installed by school technicians. The new ones are compaq... but they have no contract with compaq at all. I'm guessing Compaq salespeople somehow knew what a mess it was, and wanted nothing to do with it. We are given nothing at all like real procedure documentation... I could write docs better than this. A single page. 1. The grammar was awful, and it basically said install this software. We ended up discovering for ourselves just what options were needed. In the offices, close to 1 in 3 machines broke badly when installing the software, even after we figured out the correct options. Bloated registries, version dll soup, user installed software, all kinds of different things. We were spending up to 2 hours per machine, and the one week at city hall turns into 3. The sales rep lets us know the client is a little bit upset, and can't understand what the problem is.
Well, we move on to the first school. God, it was horrible, when I was in school, there were 3 Apple IIe's in the science room, for a month (They got switched out to another school in the county after that). In this school, there were no less than 14 computer labs, all with 20+ machines. Every other room had at least 1 and sometimes 2 machines. 95% pII +. What did they teach these kids? Well, they taught them to be secretaries and other minimum wage type things. Any number of incredibly cool things to be teaching them, but no, just word processing, maybe spreadsheets (though I could never confirm that one).
We get there, and no one has even heard there will be any work done on the computers. 2 days to straighten that out. We can do work now, but only after 2pm (but the doors lock at 4pm, have to be out by then). Most of the labs lock all the keyboards up, and no one has a key (apparently they get vandalized or stolen). Lose another 3 days there. We get permission from individual teachers to do this, before 2pm. But code red alerts happen at least twice per day. This is when even though the bell rings, and its time for a new class, the kids all have to stay in the current one. The teacher locks the door, and the sheriff and deputies go through the halls grabbing all the dope dealers. Code reds never happen at a set time, so we end up missing a progress meeting with the ditz CNE. That was bad.
Then, most of the lab machines are win95b, but haven't been reinstalled in over 4 years. Registries bloated so badly, that maybe only 15 out of 25 machines in any given lab are usable (and they've been like that for months, since the school techs refuse to support any machine not in the administrative offices). Of the 15, roughly 5 will have one set of win95 lockdown software on them, another 5 will have a different lockdown software, and 2 will have a third lockdown app. The rest have none. No one remembers or ever knew the passwords. When we do manage to disable it, if we can, it takes forever to learn just how to make it behave. But once our software install is complete, the machines become more unstable than anything I have EVER seen before. We end up rendering an entire lab unusable. We call up the ditz, she says if they still boot, proceed. They do boot up (most of the time), so we end up doing every lab in the school. We end up rendering all of them unusable. Complaints fly all over the place.
The sales rep arranges an emergency meeting with the ditz, her boss, and us. Plus another engineer from our firm, whom I question even his competency. We explain everything, including how this could only be expected when absolutely no testing was done beforehand. We explain that win95 is completely unsuitable, but even more so, when it isn't pristine (which is unbelievably generous, these had NEVER been reinstalled) you'll see these sorts of problems. We explain that the lockdown software is part of the problem, but not all of it. So they decide that the other tech will go work on another project, and that I and the engineer will go see if there is any salvaging it. We manage to go back to one of the labs we'd done. 2 hours there were enough to convince him (I winced at first, the first machine he turned on had almost no problems). Every machine would BSOD. It would do the windows partial freezes, the buzzing mouse, all your favorite win95 problems. Some of the machines died at bootup, conflicts with the lockout software. He agrees that we can't go on as we had.
So, we make a proposal to spend a few weeks building install images and doing testing. We'll install 95 back on them, since that's all there is for licenses, but it will be pristine, each machine will have an identical image build. We'll standardize on one lockdown app, with documented passwords, etc.
Offer rejected. Too much embarrassment, I think that we made it clear that we had a clue, and all along knew how retarded they were. Also had a little bit to do with their strict no reinstall policy (I'm not making that up). Seems that at least 3 other dept's had claims on certain machines/labs, donations and what not. And there was enough inter-departmental rivalry, that IT wouldn't reinstall OS's, mostly because each dept wanted the same apps installed that were on the machines when donated. Which is utterly ridiculous, since M$ office was all that was ever used.
I got 6 week's worth of paychecks out of it. For trashing an entire school's worth of computers. Which, as far as I know, are still not functioning. Not that anyone cares. I do in a way, but have zero control over any of it. Makes me sick that my tax dollars pay for it.
Solution for the original Slashdot asker:
Find another job in a non-k12 setting.
Nothing can fix your situation. You may be the only one there qualified to teach anything having to do with computers, and you are not a teacher. The computers are a waste of tax dollars in their current capacity, and are only ever used for the most outrageous abuses. The shit will hit the fan, though maybe not for awhile yet, and you do not want to be there when it does.
Once you have their support, analyze and gather data. Get proof of how much network bandwidth is being consumed by non-educational applications. A good sniffer can do this for you. I'm an old school Mac user. I use Etherpeek for this task. It's cheaper than most other sniffers. You could also see if a peer school could assist you if they have already purchased a sniffer. That would save you some cash up front. Gather the data. Graph the results (suits are usually illiterate so you'll need nice pretty graphs). In your initial report, don't list specific people. K-12 school politics run rampant. If some jackass teacher thinks you're infringing on their "rights", they'll run screaming to their KNEA rep (or whatever it's named in your state). Then you'll lose your suits' support. Keep it personnel neutral unless they ask for it. Present to the suits how much this non-educational software is costing the school district in the form of bandwidth and how it's affecting educational uses of the network. Find horror stories of what allowing the students to access porn, warez, and other things like that have cost other schools. Throw in a bit of security preaching too. Show them the effects of lack of security (defaced websites, compromised personal information, grade altering, etc..). Demonstrate a few of the apps for these people. Show them how to find a copy of Photoshop on the 'Net. Then show them how much it costs in a magazine. Toss in a little threatening material about the bastards that threaten to sue you if you don't let them install their auditing software. BSA, IIRC. Show the suits how you can save money by eliminating the non-educational uses of the I1 bandwidth (don't attack local traffic, just 'Net traffic). Emphasize the use of cheaper (read: free) alternatives like Linux for firewalls. Remember, money counts right now. Money, security, etc.. should do the trick. Good luck!
Why in the hell has the job of system administrator for an entire school system been given to someone who hasn't a clue about setting up a firewall and closing ports?
Good god. No wonder their classrooms are filled with porn-guzzling, warez-pirating teachers. They are applying the same low standards to the hiring of teachers as they are to sysadmins.
No, no, no. This is not a sig.
On a 2nd front go directly to the school council and work with them to develop a "technology directive" for the school that outlines the vision for technology in the school. This vision will be used directly in order to form policy that allows technology to enhance the school experience for the students while avoiding some of the pitfalls. It took my high school about 1 week after getting its first internet connect to pen out this vision (and it was actually good, I was surprised) and develop the first policies toward the use of that technology in the school. This vision statement also helped them solicit technology help from the community and corporations because the purpose was clear. It was less than 1 year later and the school had all of its hardware and internet 100% provided on grant with upgrades of 1/3 of the hardware each year and all that good sort of stuff.
"You can now flame me, I am full of love,"
Ask your supervisor to delegate to you the authority needed to set domain policy.
This authority may be pen-and-paper authority to write new regulations that he affixes his name to, or it may be network-level authority in a computer system to edit security policies and permissions on the routers.
Or, do what usually works:
Write what *you* think the ideal proposal for the situation is, and give it to your supervisor saying "I've noticed a problem and I realize you're really busy so it may not have been a priority for you; however, I took an initiative to try to address it. If you find this acceptable, perhaps you could pass it on to someone else?"
You'll get points for initiative at least.
Seeing as how I worked at an academic institute for several years myself...I understand the desire to keep it open. Academically, we want to encourage free expression and not limit students/faculty from using the Internet for what it was intended for.
Ultimately though, you as a sysadmin have the responsibility to maintain the reliability and stability of the network. People WILL ALWAYS complain about how slow the network is just like people WILL ALWAYS complain about traffic, even if it delays them by a few minutes. What people will NOT accept is if the network is down for prolonged periods of time or if a road stays closed for an inordinate amount of time.
I would recommend placing a firewall to monitor the amount of traffic (Linux for example is a great tool and you only need an old computer and two NIC cards). Analyze what ports are causing congestion and block them. If users start to complain, state that the cost of the network bandwidth is more important unless they can give a VALID justification to keep those ports open. If they can give a VALID justification to keep it open, then USE the justification to increase the bandwidth as a whole. Faculty/Staff who are told that they need to allocate their "precious" budgets to help pay for the bandwidth upgrades will cause one of two things to happen:
1.) They seriously need it, and therefore are forced to accept the reality they have to pay for the additional bandwidth. You get the additional funding and everyone's happy.
2.) They decide they don't need it QUITE so badly that they're willing to lose a portion of their budget and they can't give a valid complaint because they're not willing to help pay for the expense that they are accruing on the system.
Either way, they get off your back and start to take responsibility for using the system and not abusing the system. (IE-similar to how the photocopiers at my college were being abused until the teachers were forced to use an account ID and password to track their spending. If they went over a certain limit, it came out of their budget....funny how all of a sudden, people started paying attention to how much photocopying they were doing and less paper got recycled!)
It's a harsh reality but people will continue to abuse a system so long as they think they are anonymous. When they realize that they can be held accountable, that's when they stop abusing it.
I work as an IT support person in a university, and I'm under very similar circumstances. Me and one other guy were hired on in a division where there previously was no centralized IT support, and quite frankly the entire division was in complete chaos. However, we didn't have any 'official' authority to say how to use computers properly, or how to centralize different services such as file sharing. The best thing we found was to just do what needed to be done, and then explain your reasoning, and the consequences of what they were doing previously, to the users afterwards. If your boss complains, ask him to clarify why exactly he hired you if he won't let you do your job. You can't expect management without any IT training to make informed decisions regarding the computing environment, you have to do it yourself.
This is not a flame, but more of a comment...a Ph.D in electrical engineering does not a genius make. I currently work in aerospace with two Ph.Ds who both seem to believe that time, space, and the eternalism of their magical titles Dr. will somehow allow Boeing to see the error of their design ways and change the planes so the Ph.Ds designs will better run between cockpit and door. These are the same guys who asked if the new bulletproof door system should have a peephole to look out into the passenger area.
The point? Native intelligence is as valuable, if not more so, than "book learnin'". My CIS degree was worthless the minute I stepped foot off of campus due to the fact that the CS department taught literally nothing of value - since the professors couldn't afford to work with the new operating systems and didn't want to teach anyone how to program in the new languages.
Another note: those who obtain JDs, Ph.Ds or MDs often come from a socioeconomic background that is well above and beyond ($50,000 and above) what most people in our society make. While this is admirable in some sense, it also is worth noting because it reminded me of the line in Boston Public (one of the worst shows on television) - "You can make $250,000 a year as a defense lawyer in corporate law - why do you want to wipe these kids snotty noses for peanuts?"
Again, not a flame, but an observation - I find that the individuals who seek out intellectual equals among the elites often cultivate an air of superiority. Fiscally this is possible, but most nerds I know are assured of their superiority by knowledge, not by fiscal concerns. One thing I do know is that nerds in particular have a real problem with people who are not up to their level, and lack the social skills to acknowledge their contributions to the whole. (Seriously, I thank GOD every day for the man who empties my cubicle trash can. If I was responsible for it, there'd be a fire hazard, messy office, and very low productivity in about five minutes flat.)
I have a real concern about intellectual racism, which is an issue that was skirted here. A woman who works in the Forest Service as a park ranger may have a doctorate in forest ecology with advanced degrees in soil science, biology and environmental science, with full professorships at two universities, but by the definition leveled earlier in the discussion, she might as well just be "hiking around in the dirt doing nothing with her life."
Yes, that may not have been the original intent of the post, but it sure as heck sounded like it to me. Forgive me if I don't bow to the Ph.D...the only one I could stand was my Gothic lit professor anyway.
I was in a similar situation.
...
Don't nazi-filter ports. I had to fight here with company policies to get my ssh through.
The way I did it was by plugging my portable with dsniff installed. dsniff offers a few nice tools: tcpnice (does not work well) and tcpkill (works VERY well).
tcpkill -1 port 4665
Most connections to edonkey servers will simply fail. I said "most". And you just start it for 10 minutes and then stop it 5 minutes,
Since every useful application will work smoothly, they will not be able to complain and the p2p usage will get easier by itself. And from then on, it will be easier for you to enforce a complete blockade.
Another thing you can do, is spread a rumor that you are security auditing the traffic and that you might publish on the web site the usage statistics.