Full Disclosure mailing list archives

Re: blocking SkyPE?

From: Alain Fauconnet <alain () ait ac th>
Date: Wed, 26 Jan 2005 09:54:05 +0700

Bryan,

On Tue, Jan 25, 2005 at 10:05:42AM -0800, lists-security () nettracers com wrote:

I think that this may trigger on the regular HTTP request that SkyPE does

at

start up (and only then). This checks the SkyPE web site for updates. This

is

also what the available Snort signature trigger on, simply because it's the

only >kind of traffic that has a recognizable signature.

How many hits do you have for a given client IP on this rule? If it's

really

triggering on VoIP traffic, you should get many per second.


I am getting 3-10 hits per second for any active system running this,
example:

91    detected        09:06:35        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      80      4048    6
92    detected        09:06:29        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      4048    80      6
93    detected        09:06:13        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      4048    80      6
94    detected        09:06:06        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      80      4048    6
95    detected        09:04:11        p2p: skype,aggregated 3
times,[Reference: http://www.fortinet.com/ids/ID109051909]    80      4048
6
96    detected        09:04:05        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      4048    80      6
97    detected        09:03:36        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      80      4048    6
98    detected        09:03:29        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      4048    80      6
99    detected        09:02:08        p2p: skype,[Reference:
http://www.fortinet.com/ids/ID109051909]      4048    80      6


Uh, OK, if all this is for the same client, then I stand corrected and
your VoIP traffic is going over port 80 obviously.
The Fortinet folks therefore appear to have found reliable signatures to catch
SkyPE's VoIP traffic. Congratulations to them!
I'll ask a quotation, but I doubt that I can get the budget for this
stuff :-(

The plan is to shape the entire users system to throttle to a lower priority
or a  and/or limited bandwidth or full block when any p2p policy abuse is
detected.


Let me rephrase this: once you detect any kind of P2P traffic from a
given client, you'd throttle down all kind of traffic from/to that IP,
do I understand correctly?

 Since you can't tell which traffic is which, just relegate that
user to 9600 bps (BOFH solution).


Kind of, yes :-) But well, sometimes they're the right ones!

 The skype encryption and traffic should
be able to be mathematically characterized and classified without having to
decrypt...a fun project to work on perhaps...


Certainly. Been trying myself, not much progress so far.
I'm sure that guys smarter than me have worked on this.

Greets,
_Alain_
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)
  - RE: blocking SkyPE? Brenno J.S.A.A.F. de Winter (Jan 24)
- Message not available
  - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - Re: blocking SkyPE? Valdis . Kletnieks (Jan 24)
    - Message not available
    - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)