Full Disclosure mailing list archives
RE: blocking SkyPE?
From: <lists-security () nettracers com>
Date: Tue, 25 Jan 2005 10:05:42 -0800
> I think that this may trigger on the regular HTTP request that SkyPE does at
> start up (and only then). This checks the SkyPE web site for updates. This is
> also what the available Snort signatures trigger on, simply because it's the
> only kind of traffic that has a recognizable signature.
>
> How many hits do you have for a given client IP on this rule? If it's really
> triggering on VoIP traffic, you should get many per second.
I am getting 3-10 hits per second for any active system running this, example:

91 detected 09:06:35 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
92 detected 09:06:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
93 detected 09:06:13 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
94 detected 09:06:06 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
95 detected 09:04:11 p2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
96 detected 09:04:05 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
97 detected 09:03:36 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
98 detected 09:03:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
99 detected 09:02:08 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
> If that's just the version check traffic (and my gut feeling is that it is,
> considering the data you've shown), this is *not* the kind of SkyPE traffic
> you'd want to classify, and your QoS probably doesn't do what you think it
> does (unless it shapes all traffic to/from that client's IP)... What do you
> think?
The plan is to shape the entire user's system: throttle it to a lower priority and/or limited bandwidth, or block it fully, when any p2p policy abuse is detected. Since you can't tell which traffic is which, just relegate that user to 9600 bps (BOFH solution). The Skype encryption and traffic should be able to be mathematically characterized and classified without having to decrypt... a fun project to work on perhaps... with results fed back to the IPS system to lock down or flow control.

- Bryan K. Watson
- bwatson () nettracers com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
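The check proposed in the quoted text (how many hits a given client produces on this rule, and whether they arrive many per second) can be made concrete by parsing IDS log lines in the format shown in the message. The Python below is an added example and is not code from either poster or from Fortinet. The line format is inferred from the lines quoted in the message; the first sample set repeats those lines, the second set is constructed here to show the contrasting case; the one-hit-per-second threshold and the "all hits are TCP on port 80" heuristic are assumptions chosen for illustration, not rules stated in the thread.

```python
"""Per-client hit-rate check for IDS 'p2p: skype' alerts.

Added example, not from the thread. Parses log lines shaped like the ones
quoted in the message, folds 'aggregated N times' into the hit count, and
reports total hits, the time span covered and hits per second, so that a
periodic HTTP version check can be told apart from sustained VoIP traffic.
"""
import re

# Sample set 1: the lines quoted in the message (same format, copied as data).
SAMPLE_LOG = """\
91 detected 09:06:35 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
92 detected 09:06:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
93 detected 09:06:13 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
94 detected 09:06:06 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
95 detected 09:04:11 p2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
96 detected 09:04:05 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
97 detected 09:03:36 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 6
98 detected 09:03:29 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
99 detected 09:02:08 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 4048 80 6
"""

# Sample set 2: constructed (not real captures) to show what a burst of hits
# on UDP high ports would look like: six hits inside one second.
SAMPLE_VOIP_LIKE = """\
201 detected 09:10:01 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 33000 12345 17
202 detected 09:10:01 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 12345 33000 17
203 detected 09:10:01 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 33000 12345 17
204 detected 09:10:00 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 12345 33000 17
205 detected 09:10:00 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 33000 12345 17
206 detected 09:10:00 p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909] 12345 33000 17
"""

# Field layout inferred from the quoted lines:
# <id> detected <HH:MM:SS> <signature>,[aggregated N times,][Reference: <url>] <sport> <dport> <proto>
LINE_RE = re.compile(
    r"^(?P<id>\d+) detected (?P<time>\d{2}:\d{2}:\d{2}) (?P<sig>[^,\[]+),"
    r"(?:aggregated (?P<agg>\d+) times,)?"
    r"\[Reference: (?P<ref>[^\]]+)\] "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<proto>\d+)\s*$"
)


def _to_seconds(hhmmss):
    """Convert HH:MM:SS to seconds since midnight (all samples are same-day)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(text):
    """Parse log lines into event dicts; an aggregated line counts N hits."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised log line: %r" % line)
        events.append({
            "t": _to_seconds(m["time"]),
            "hits": int(m["agg"] or 1),
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
            "proto": int(m["proto"]),
        })
    return events


def hit_rate(events):
    """Return (total_hits, span_seconds, hits_per_second) for one client."""
    total = sum(e["hits"] for e in events)
    times = [e["t"] for e in events]
    span = max(times) - min(times)
    # A single-second burst still needs a non-zero denominator.
    return total, span, total / max(span, 1)


def classify(events, voip_threshold=1.0):
    """Assumed heuristic: TCP hits touching port 80 at well under one hit per
    second look like the periodic HTTP update check; anything else is treated
    as sustained peer-to-peer traffic worth a closer look."""
    total, span, rate = hit_rate(events)
    all_http = all(e["proto"] == 6 and 80 in (e["sport"], e["dport"]) for e in events)
    if all_http and rate < voip_threshold:
        return "periodic_http_check"
    return "sustained_p2p"


if __name__ == "__main__":
    for name, text in (("quoted lines", SAMPLE_LOG), ("constructed burst", SAMPLE_VOIP_LIKE)):
        ev = parse_events(text)
        total, span, rate = hit_rate(ev)
        print("%s: %d hits over %d s = %.3f hits/s -> %s"
              % (name, total, span, rate, classify(ev)))
```

Run against the quoted lines, the script folds the "aggregated 3 times" entry into the count and reports the hits-per-second figure over the span the lines cover, alongside the observation that every hit is TCP with port 80 at one end; the constructed UDP burst lands on the other side of the threshold. The threshold is only a starting point: a real deployment would key the counts by client IP and use a sliding window rather than the whole span.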
Current thread:
- blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)
- RE: blocking SkyPE? Brenno J.S.A.A.F. de Winter (Jan 24)
- Message not available
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- Re: blocking SkyPE? Valdis . Kletnieks (Jan 24)
- Message not available
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 25)
- RE: blocking SkyPE? lists-security (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 25)
- Re: blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)