Cisco ASA - Blocking BitTorrent Traffic

I have attempted to do this and ran into a few issues. The biggest was that most bittorrent clients these days will choose a random port outside of that range. Blocking just 6881-6999 is a start, but will be easily defeated. Even if you block all UDP and high ports, clients will eventually switch to port 80 and 443 (HTTP and HTTPS), which presumably you don't want to block.

I have not found a good way to entirely block bittorrent. Bittorrent has evolved and adapted around all kinds of blocks, and will continue to evade attempts to block it. I'm sure there is a way to use Deep Packet Inspection to identify and shut it down, but I haven't had a chance to look at that. And I'm not sure how successful that would be due to bittorrent clients using encryption by default now.

I have been using this code on my ASA to at least marginally help the situation. I'm sure this blocks other useful things, but I haven't had any complaints from users.

object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999

access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive

Only easy way to stop this is to default deny all egress traffic and allow specific ports for services. It's a PITA, but bittorrent clients wont listen on 1024 ports, so 443 and 80 are safe to let out. So are dns, ssh, ftp, pop3, imap, sip, whois, telnet.