Full Disclosure mailing list archives

RE: blocking SkyPE?

From: <lists-security () nettracers com>
Date: Tue, 25 Jan 2005 10:05:42 -0800

I think that this may trigger on the regular HTTP request that SkyPE does

at

start up (and only then). This checks the SkyPE web site for updates. This

is

also what the available Snort signature trigger on, simply because it's the

only >kind of traffic that has a recognizable signature.

How many hits do you have for a given client IP on this rule? If it's

really

triggering on VoIP traffic, you should get many per second.


I am getting 3-10 hits per second for any active system running this,
example:

91      detected        09:06:35        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        80      4048    6
92      detected        09:06:29        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        4048    80      6
93      detected        09:06:13        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        4048    80      6
94      detected        09:06:06        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        80      4048    6
95      detected        09:04:11        p2p: skype,aggregated 3
times,[Reference: http://www.fortinet.com/ids/ID109051909]      80      4048
6
96      detected        09:04:05        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        4048    80      6
97      detected        09:03:36        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        80      4048    6
98      detected        09:03:29        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        4048    80      6
99      detected        09:02:08        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]        4048    80      6

If that's just the version check traffic (and my gut feeling is that it is,

considering the data you've shown), this is *not* the kind of SkyPE traffic

you'd want to classify, and your QoS probably doesn't do what you think it 
does (unless it shapes all traffic to/from that client's IP)... What do you

think?


The plan is to shape the entire users system to throttle to a lower priority
or a  and/or limited bandwidth or full block when any p2p policy abuse is
detected.  Since you can't tell which traffic is which, just relegate that
user to 9600 bps (BOFH solution).  The skype encryption and traffic should
be able to be mathematically characterized and classified without having to
decrypt...a fun project to work on perhaps...with results fed back to the
IPS system to lock down or flow control. 

- Bryan K. Watson
- bwatson () nettracers com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)
  - RE: blocking SkyPE? Brenno J.S.A.A.F. de Winter (Jan 24)
- Message not available
  - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - Re: blocking SkyPE? Valdis . Kletnieks (Jan 24)
    - Message not available
    - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)