Re: Skype & IPS vendor claims

[Jason Haar <Jason.Haar () trimble co nz>]

John Brightwell wrote:
> Interesting analysis, clearly it's not as simple as looking for a known dst port as this might be 80 or 443 but I 
> don't think it would be impossible to block...
> I guess it depends how much reverse engineering the IPS developer has conducted on Skype - there may be a limited 
> number of login server IP Addresses to look out for (maybe they maintain a watch for new servers) or the login 
> signature may be sufficiently unique for that to be blocked (i.e. challenge response sequence, size of packets, some 
> elements of the payload). 
>  
>   
If you do egress filtering, and the only way Skype can work is by going
through your proxies, then you can block it.

As the supernodes Skype is trying to talk to are randomly
assigned/change by the hour/etc, it connects to them via IP address
instead of DNS name (as end-user supernode in some far-flung country
doesn't have a DNS name for his/her DSL router). So if you configure
your proxies to *not*  proxy connections to IP addresses, then you can
break Skype.

However, there will be collateral damage, as there are other Web apps
that run on raw IP addresses too

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------