Network Security Focus-IDS

RE: Skype & IPS vendor claims

Subject: RE: Skype & IPS vendor claims
Date: Thu, 18 May 2006 09:58:31 -0400
Rob,

Skype routes its login messages through a dynamic set of supernodes (SNs) =>
there is no fixed set of login server IPs to block. The bootstrap SNs are
different for different clients and can be found in shared.xml.

There are some ad hoc tricks to block Skype traffic over UDP by blocking the
NACK packet, for example [1]:
/sbin/iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j QUEUE

However, Skype can work without UDP, so the trick is not sufficient to block
Skype reliably. The work from Columbia mentions that it might be possible to
block Skype by blocking TCP packets beginning with: 0x17 0x03 0x01 0x00.

For more details, see the following:
[1] http://www.secdev.org/conf/skype_BHEU06.pdf
[2] http://www.eecs.harvard.edu/~mema/courses/cs264/papers/skype-infocom2006.pdf

Regards,
Oleg Kolesnikov

-----Original Message-----
From: ROB DIXON [mailto:rdixon@workforcewv.org]
Sent: Wednesday, May 17, 2006 11:06 AM
To: vladimir@arobas.net; mjonkman@infotex.com
Cc: focus-ids@lists.securityfocus.com
Subject: Re: Skype & IPS vendor claims


Has anyone tried to connect and run Ethereal to see where it is
connecting? Does it change every time?

Unless the client updates its connection info every time, in preparation
for the next login, wouldn't the client always connect to the same host
name or IP for the initial login?

Does Skype own a block of public IPs? Block em all :-)

I may be off track here. My wife tells me that all the time ;-)


Robert L. Dixon,  C|HFI
State of West Virginia's 
West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke
Vladimir Parkhaev <vladimir@arobas.net>  >>>
Quoting Matt Jonkman (mjonkman@infotex.com):
What these vendors may be doing is trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.


If I understand the protocol correctly, central servers are contacted only
on a first run (after install). I(D|P)S systems can have sigs with IP
addresses of those servers, but if user X installs Skype client on his
corp. laptop at home... it doesn't help much.

-- 
.signature: No such file or directory
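
Added example, not part of the original thread or of the cited papers: Python that evaluates the u32 rule and the TCP prefix quoted in Oleg Kolesnikov's reply against constructed packets, to show which bytes each signature inspects and that the TCP prefix also fits a TLS 1.0 application-data record. It assumes an option-free 20-byte IPv4 header and that --length counts the whole IP packet; the addresses, ports and payload bytes are made up.

```python
import struct

def u32(pkt: bytes, offset: int, mask: int = 0xFFFFFFFF) -> int:
    """iptables u32 semantics: 4 big-endian bytes at `offset` from the IP header, ANDed with mask."""
    return struct.unpack_from(">I", pkt, offset)[0] & mask

def matches_udp_rule(pkt: bytes) -> bool:
    """-p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304'"""
    # Assumption: --length counts the whole IPv4 packet and the header has no options (20 bytes).
    if len(pkt) != 39 or pkt[9] != 17:
        return False
    # Offset 27 with mask 0x8f leaves only byte 30, i.e. UDP payload byte 2.
    return u32(pkt, 27, 0x8F) == 7 and u32(pkt, 31) == 0x01020304

def matches_tcp_prefix(payload: bytes) -> bool:
    """TCP payload beginning with 0x17 0x03 0x01 0x00, as quoted in the message."""
    return payload.startswith(b"\x17\x03\x01\x00")

def ipv4_udp(payload: bytes) -> bytes:
    """Constructed IPv4+UDP packet; checksums are zero because only offsets matter here."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack(">HHHH", 40000, 40001, 8 + len(payload), 0)
    return ip + udp + payload

# Constructed samples (not captured traffic).
SAMPLES = {
    "type 0x07, marker present": ipv4_udp(b"\xab\xcd\x07\x01\x02\x03\x04\x00\x00\x00\x00"),
    "type 0x77 (masked to 7)":   ipv4_udp(b"\xab\xcd\x77\x01\x02\x03\x04\x00\x00\x00\x00"),
    "type 0x02":                 ipv4_udp(b"\xab\xcd\x02\x01\x02\x03\x04\x00\x00\x00\x00"),
    "12-byte payload":           ipv4_udp(b"\xab\xcd\x07\x01\x02\x03\x04" + bytes(5)),
}
# A TLS 1.0 application-data record header is type 0x17, version 0x0301, 2-byte length,
# so any such record shorter than 256 bytes starts with the same four bytes.
TLS10_APPDATA = b"\x17\x03\x01\x00\x20" + bytes(32)

def classify() -> dict:
    out = {name: matches_udp_rule(pkt) for name, pkt in SAMPLES.items()}
    out["TLS 1.0 record vs TCP prefix"] = matches_tcp_prefix(TLS10_APPDATA)
    return out

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:32} {'match' if hit else 'no match'}")
```

The last row is the one to weigh before deploying the TCP prefix as a block rule: it fires on the constructed TLS 1.0 record as well.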
