John Brightwell wrote:
Interesting analysis, clearly it's not as simple as looking for a known dst
port as this might be 80 or 443 but I don't think it would be impossible to
block...
I guess it depends how much reverse engineering the IPS developer has
conducted on Skype - there may be a limited number of login server IP
Addresses to look out for (maybe they maintain a watch for new servers) or
the login signature may be sufficiently unique for that to be blocked (i.e.
challenge response sequence, size of packets, some elements of the payload).
If you do egress filtering, and the only way Skype can work is by going
through your proxies, then you can block it.
As the supernodes Skype is trying to talk to are randomly
assigned/change by the hour/etc, it connects to them via IP address
instead of DNS name (as end-user supernode in some far-flung country
doesn't have a DNS name for his/her DSL router). So if you configure
your proxies to *not* proxy connections to IP addresses, then you can
break Skype.
However, there will be collateral damage, as there are other Web apps
that run on raw IP addresses too
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
