Full Disclosure mailing list archives
Re: blocking SkyPE?
From: Alain Fauconnet <alain () ait ac th>
Date: Wed, 26 Jan 2005 09:54:05 +0700
Bryan, On Tue, Jan 25, 2005 at 10:05:42AM -0800, lists-security () nettracers com wrote:
> > I think that this may trigger on the regular HTTP request that SkyPE does at start up (and only then). This checks the SkyPE web site for updates. This is also what the available Snort signature triggers on, simply because it's the only kind of traffic that has a recognizable signature.
> >
> > How many hits do you have for a given client IP on this rule? If it's really triggering on VoIP traffic, you should get many per second.
>
> I am getting 3-10 hits per second for any active system running this, example:
>
> 91 detected 09:06:35 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
> 92 detected 09:06:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
> 93 detected 09:06:13 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
> 94 detected 09:06:06 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
> 95 detected 09:04:11 p2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
> 96 detected 09:04:05 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
> 97 detected 09:03:36 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
> 98 detected 09:03:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
> 99 detected 09:02:08 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
Uh, OK, if all this is for the same client, then I stand corrected and your VoIP traffic is obviously going over port 80. The Fortinet folks therefore appear to have found reliable signatures to catch SkyPE's VoIP traffic. Congratulations to them! I'll ask for a quotation, but I doubt that I can get the budget for this stuff :-(
> The plan is to shape the entire user's system to throttle to a lower priority and/or limited bandwidth or full block when any p2p policy abuse is detected.
Let me rephrase this: once you detect any kind of P2P traffic from a given client, you'd throttle down all kinds of traffic from/to that IP, do I understand correctly?
> Since you can't tell which traffic is which, just relegate that user to 9600 bps (BOFH solution).
Kind of, yes :-) But well, sometimes they're the right ones!
> The skype encryption and traffic should be able to be mathematically characterized and classified without having to decrypt... a fun project to work on perhaps...
Certainly. Been trying myself, not much progress so far. I'm sure that guys smarter than me have worked on this.

Greets,
_Alain_

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
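The check Alain proposes above (a single hit at start-up is the update request; a rule that keeps firing over time is matching ongoing traffic) can be run over the Fortinet output Bryan quoted. The script below is an added example written for this archive page, not code from either poster or from Fortinet. It parses the quoted column layout as far as the thread shows it (id, status, time, signature text with an optional "aggregated N times" marker, source port, destination port, IP protocol), folds aggregated entries into the hit count, and reports hits, observed span and hit rate. The thresholds in `is_sustained` and the single-line `STARTUP_ONLY_LOG` are constructed; the quoted output carries no date or client IP column, so the code assumes all lines fall on one day and leaves grouping lines per client to the caller.

```python
import re
from datetime import datetime

# Column layout of the quoted Fortinet output, as far as the thread shows it:
# id, status, HH:MM:SS, signature text (may carry ",aggregated N times,"),
# source port, destination port, IP protocol number. No client IP column is
# shown, so grouping lines per client is left to the caller (assumption).
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<status>\w+)\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<sig>.+?)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<proto>\d+)$"
)
AGG_RE = re.compile(r"aggregated (\d+) times")

# The nine lines quoted in the thread, used here as sample input.
QUOTED_LOG = """\
91 detected 09:06:35 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
92 detected 09:06:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
93 detected 09:06:13 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
94 detected 09:06:06 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
95 detected 09:04:11 p2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
96 detected 09:04:05 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
97 detected 09:03:36 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
98 detected 09:03:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
99 detected 09:02:08 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
"""

# Constructed: what a lone start-up update check would look like (one hit, no repeat).
STARTUP_ONLY_LOG = """\
1 detected 08:30:00 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
"""


def parse_line(line):
    """Parse one log line; 'count' folds in the 'aggregated N times' marker."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    for key in ("id", "sport", "dport", "proto"):
        rec[key] = int(rec[key])
    agg = AGG_RE.search(rec["sig"])
    rec["count"] = int(agg.group(1)) if agg else 1
    # Assumption: all lines fall on one calendar day (the output shows no date).
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def summarize(lines):
    """Hit count, observed time span and hit rate for one client's lines."""
    recs = [parse_line(l) for l in lines if l.strip()]
    if not recs:
        return {"events": 0, "hits": 0, "span_seconds": 0.0, "hits_per_second": None}
    hits = sum(r["count"] for r in recs)
    times = [r["time"] for r in recs]
    span = (max(times) - min(times)).total_seconds()
    return {
        "events": len(recs),
        "hits": hits,
        "span_seconds": span,
        # Undefined for a single instant; otherwise hits over the observed span.
        "hits_per_second": hits / span if span > 0 else None,
    }


def is_sustained(summary, min_hits=3, min_span_seconds=30):
    """Alain's check: a start-up update check is one hit and then silence,
    whereas a rule that keeps firing over a period is matching ongoing traffic.
    Thresholds are constructed defaults, not values from the thread."""
    return summary["hits"] >= min_hits and summary["span_seconds"] >= min_span_seconds


if __name__ == "__main__":
    for name, log in (("quoted", QUOTED_LOG), ("startup-only", STARTUP_ONLY_LOG)):
        s = summarize(log.splitlines())
        print(name, s, "sustained" if is_sustained(s) else "one-off")
```

On the quoted lines this yields 9 events standing for 11 hits across 267 seconds, which passes the sustained check; the constructed single line does not. The rate is what a shaping policy like the one Bryan describes would key on, and reporting it per client rather than globally is what keeps a lone update check from throttling a whole desktop.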
Current thread:
- blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)
- RE: blocking SkyPE? Brenno J.S.A.A.F. de Winter (Jan 24)
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- Re: blocking SkyPE? Valdis . Kletnieks (Jan 24)
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 25)
- RE: blocking SkyPE? lists-security (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)