Educause Security Discussion mailing list archives

Re: Skype?


From: Mike Porter <mike () UDEL EDU>
Date: Tue, 3 Feb 2009 14:20:26 -0500

On Tue, 3 Feb 2009, Basgen, Brian wrote:

a.      Supernode: Information on hundreds of other Skype users
could be routed through the PCC network. A PCC computer would act as
a "communications" hub for these users, with all call setups going
through the PCC computer. This "functionality" is on by default, but
can be disabled by altering the Windows Registry.

We find, by tracing Netflow records, that a supernode will contact
over 500,000 different remote machines a day (yes, 500K).
Typically, we disable machines once they get to this number of
NetFlow records.

Interesting data! That is quite impressive. Any idea what version of Skype the machine was running?

No.  We really do not care.  We take the position that any machine
without a useful purpose generating that much NetFlow is a nuisance
and must be fixed.  Could be a mix of more than one type of traffic.

If a machine manages to generate more NetFlow than our DNS servers,
that is excessive unless the machine serves some research purpose or
is providing a service the University deems worthwhile.


                 Count of Remote IPs Connected to by Local IPs
                    Sorted by Count of Remote IPs Talked To
                    Shows IPs Talking to Lots of Remote IPs
--------------------------------------------------------------------------------
Local IP         Remote IPs    Outbound       Connect      Flows  R1    R2
                              Remote IPs       Count              *****=Worst
                              [Attempted]
--------------------------------------------------------------------------------
128.175.aa.bbb      548,710       492,838     483,712  5,653,535  *     *
128.175.ccc.ddd     359,000       325,116     317,965  3,224,061  *     *
128.175.eee.ee      324,024       293,826     289,158  2,333,448  *     *
128.175.13.16       323,499       273,915     264,846 21,535,406  *     *
128.175.13.17       297,453       249,255     241,654 15,252,120  *     *
128.175.ff.fff      276,229       250,206     244,583  2,522,765  *     *
128.g.gg.gg         270,695       239,210     234,823  2,304,620  *     *

So, 13.16 and 13.17 are our DNS servers.  I'll wager that aa.bbb is
a Skype box.

In the last hour, it did:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10
128.175.aa.bbb is sending traffic to 78176 IPs (0 larger recipients): 43.06MB, 296591 pkts, 137829 flows.
128.175.aa.bbb is receiving traffic from 77890 IPs (0 larger senders): 39.72MB, 308993 pkts, 138861 flows.
[mike@hhhh ipflows-reports]$

So, that's pretty low bandwidth.  But, it is also 76 NetFlow records/sec.

UDP:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10 --port-i=19692 --protocol-i=udp
128.175.aa.bbb is sending traffic to 77060 IPs (0 larger recipients): 32.27MB, 195318 pkts, 128109 flows.
128.175.aa.bbb is receiving traffic from 76629 IPs (0 larger senders): 23.62MB, 187019 pkts, 127867 flows.

TCP:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10 --port-i=19692 --protocol-i=tcp
128.175.aa.bbb is sending traffic to 1381 IPs (0 larger recipients): 8.50MB, 82045 pkts, 7600 flows.
128.175.aa.bbb is receiving traffic from 1413 IPs (0 larger senders): 13.08MB, 99627 pkts, 8486 flows.

Whatever is running on that tcp port is basically an http server.

[mike@hhhh ipflows-reports]$ telnet 128.175.aa.bbb 19692
Trying 128.175.aa.bbb...
Connected to 128.175.aa.bbb.
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.0 404 Not Found

Connection to 128.175.aa.bbb closed by foreign host.

Probably Skype, but we really don't care.  At some point, it will be
disabled and the owner provided with the "how not to be a supernode"
instructions.

Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware



For the impact numbers we pulled from a SANS report:
  http://www.sans.org/reading_room/whitepapers/voip/skype_a_practical_security_analysis_32918?show=32918.php&cat=voip

Someone else asked me offline about the privacy and monitoring section. We could have better rephrased this to "Skype may be able to decrypt communications, perhaps due to CALEA compliance." Source:
http://www.networkworld.com/news/2008/072908-skype-voip-decrypt.html

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College


-
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2
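As an added illustration (not code from this thread, from the ipdos tool, or from the University of Delaware), here is a small Python fan-out report in the spirit of the numbers Mike posts: it counts distinct remote IPs per local host from NetFlow-style records, flags hosts that talk to more remotes than the campus resolvers, and reports the single UDP port carrying most of a host's peers, which is the supernode shape seen above. The record layout, all addresses, and reading "Connect Count" as outbound peers that answered are my assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # placeholder campus range
DNS_SERVERS = {"192.0.2.53"}                       # placeholder resolvers (baseline)

def fanout(records, local_net=LOCAL_NET):
    """Per local IP: distinct remotes (either direction), remotes contacted
    outbound, outbound peers that sent a flow back, and total flows.
    A record is an assumed (src, dst, proto, sport, dport) tuple."""
    out, inb, flows = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, proto, sport, dport in records:
        if ipaddress.ip_address(src) in local_net:
            out[src].add(dst); flows[src] += 1
        elif ipaddress.ip_address(dst) in local_net:
            inb[dst].add(src); flows[dst] += 1
    return {ip: {"remote": len(out[ip] | inb[ip]), "outbound": len(out[ip]),
                 "connected": len(out[ip] & inb[ip]), "flows": flows[ip]}
            for ip in set(out) | set(inb)}

def excessive(stats, baseline=DNS_SERVERS):
    """Hosts talking to more distinct remotes than the busiest baseline server,
    worst first (the 'more NetFlow than our DNS servers' rule from the thread)."""
    limit = max((stats[h]["remote"] for h in baseline if h in stats), default=0)
    return sorted((ip for ip, s in stats.items()
                   if ip not in baseline and s["remote"] > limit),
                  key=lambda ip: -stats[ip]["remote"])

def busiest_udp_port(records, local_ip):
    """(local UDP port, distinct peers) for the port with the most peers;
    a supernode funnels nearly all of its fan-out through one listening port."""
    peers = defaultdict(set)
    for src, dst, proto, sport, dport in records:
        if proto == "udp" and src == local_ip:
            peers[sport].add(dst)
        elif proto == "udp" and dst == local_ip:
            peers[dport].add(src)
    return max(((p, len(s)) for p, s in peers.items()), key=lambda t: t[1], default=(None, 0))

# Constructed sample: a suspected supernode, a resolver and an ordinary host.
REMOTES = [str(h) for h in ipaddress.ip_network("203.0.113.0/24").hosts()]
SAMPLE = (
    [("192.0.2.10", r, "udp", 19692, 40000) for r in REMOTES[:200]]  # supernode fans out
    + [(r, "192.0.2.10", "udp", 40000, 19692) for r in REMOTES[:180]]  # 180 peers answer
    + [("192.0.2.53", r, "udp", 53, 53) for r in REMOTES[:40]]  # resolver upstreams
    + [("192.0.2.20", r, "tcp", 51000, 443) for r in REMOTES[:3]])  # ordinary host
if __name__ == "__main__":
    STATS = fanout(SAMPLE)
    print(excessive(STATS), busiest_udp_port(SAMPLE, "192.0.2.10"))
```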
