Educause Security Discussion mailing list archives
Re: Skype?
From: Mike Porter <mike () UDEL EDU>
Date: Tue, 3 Feb 2009 14:20:26 -0500
On Tue, 3 Feb 2009, Basgen, Brian wrote:
> > a. Supernode: Information on hundreds of other Skype users could be routed through the PCC network. A PCC computer would act as a "communications" hub for these users, with all call setups going through the PCC computer. This "functionality" is on by default, but can be disabled by altering the Windows Registry.
>
> > We find, by tracing Netflow records, that a supernode will contact over 500,000 different remote machines a day (yes, 500K). Typically, we disable machines once they get to this number of NetFlow records.
>
> Interesting data! That is quite impressive. Any idea what version of Skype the machine was running?

No. We really do not care. We take the position that any machine without a useful purpose generating that much NetFlow is a nuisance and must be fixed. Could be a mix of more than one type of traffic. If a machine manages to generate more NetFlow than our DNS servers, that is excessive unless the machine serves some research purpose or is providing a service the University deems worthwhile.

Count of Remote IPs Connected to by Local IPs
Sorted by Count of Remote IPs Talked To
Shows IPs Talking to Lots of Remote IPs
--------------------------------------------------------------------------------
Local IP            Remote IPs    Outbound      Connect        Flows        R1 R2
                    Count         Remote IPs    [Attempted]                 *****=Worst
--------------------------------------------------------------------------------
128.175.aa.bbb         548,710       492,838       483,712    5,653,535    *  *
128.175.ccc.ddd        359,000       325,116       317,965    3,224,061    *  *
128.175.eee.ee         324,024       293,826       289,158    2,333,448    *  *
128.175.13.16          323,499       273,915       264,846   21,535,406    *  *
128.175.13.17          297,453       249,255       241,654   15,252,120    *  *
128.175.ff.fff         276,229       250,206       244,583    2,522,765    *  *
128.g.gg.gg            270,695       239,210       234,823    2,304,620    *  *

So, 13.16 and 13.17 are our DNS servers. I'll wager that aa.bbb is a Skype box. In the last hour, it did:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10
128.175.aa.bbb is sending traffic to 78176 IPs (0 larger recipients): 43.06MB, 296591 pkts, 137829 flows.
128.175.aa.bbb is receiving traffic from 77890 IPs (0 larger senders): 39.72MB, 308993 pkts, 138861 flows.
[mike@hhhh ipflows-reports]$

So, that's pretty low bandwidth. But, it is also 76 NetFlow records/sec.

UDP:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10 --port-i=19692 --protocol-i=udp
128.175.aa.bbb is sending traffic to 77060 IPs (0 larger recipients): 32.27MB, 195318 pkts, 128109 flows.
128.175.aa.bbb is receiving traffic from 76629 IPs (0 larger senders): 23.62MB, 187019 pkts, 127867 flows.

TCP:

[mike@hhhh ipflows-reports]$ ipdos --ip-i=128.175.aa.bbb /netflow/border/saved/flows.20090203_13\:* --ips=10 --port-i=19692 --protocol-i=tcp
128.175.aa.bbb is sending traffic to 1381 IPs (0 larger recipients): 8.50MB, 82045 pkts, 7600 flows.
128.175.aa.bbb is receiving traffic from 1413 IPs (0 larger senders): 13.08MB, 99627 pkts, 8486 flows.

Whatever is running on that tcp port is basically an http server.

[mike@hhhh ipflows-reports]$ telnet 128.175.aa.bbb 19692
Trying 128.175.aa.bbb...
Connected to 128.175.aa.bbb.
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 404 Not Found
Connection to 128.175.aa.bbb closed by foreign host.

Probably Skype, but we really don't care. At some point, it will be disabled and the owner provided with the "how not to be a supernode" instructions.

Mike

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware

> For the impact numbers we pulled from a SANS report:
> http://www.sans.org/reading_room/whitepapers/voip/skype_a_practical_security_analysis_32918?show=32918.php&cat=voip
>
> Someone else asked me offline about the privacy and monitoring section. We could have better rephrased this to "Skype may be able to decrypt communications, perhaps due to CALEA compliance."
> Source: http://www.networkworld.com/news/2008/072908-skype-voip-decrypt.html
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> Information Security
> Pima Community College
--
Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA 2F D2 37 F3 99 ED D1 C2
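The reply above ranks local hosts by how many distinct remote IPs they talk to, treats the DNS servers as the ceiling for "normal" fan-out, and then narrows one host's flows down to a single protocol and port to see where the fan-out comes from. The Python below is an added example that reproduces that workflow over constructed NetFlow-style records; it is not the ipdos tool from the post nor any University of Delaware code. The comma-separated record format, the use of 128.175.0.0/16 as the "local" prefix, and every host, port and address in the sample data are assumptions made for the example.

```python
"""Fan-out report over NetFlow-style records (added example; not the post's ipdos tool)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Assumption: the campus prefix from the post is the "local" side of every border flow.
LOCAL_NET = ipaddress.ip_network("128.175.0.0/16")


@dataclass
class HostStats:
    remote_ips: set = field(default_factory=set)       # every peer, either direction
    out_remote_ips: set = field(default_factory=set)   # peers this host initiated traffic to
    flows: int = 0
    pkts: int = 0
    nbytes: int = 0
    # (proto, local port) -> [distinct remote IPs, flow count]
    by_proto_port: dict = field(default_factory=lambda: defaultdict(lambda: [set(), 0]))


def parse_flow(line):
    # Constructed record format: "proto,src,sport,dst,dport,pkts,bytes"
    proto, src, sport, dst, dport, pkts, nbytes = line.strip().split(",")
    return proto, src, int(sport), dst, int(dport), int(pkts), int(nbytes)


def aggregate(lines):
    """Per-local-host peer counts, like the post's 'Count of Remote IPs' table."""
    stats = defaultdict(HostStats)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, nbytes = parse_flow(line)
        src_local = ipaddress.ip_address(src) in LOCAL_NET
        dst_local = ipaddress.ip_address(dst) in LOCAL_NET
        if src_local == dst_local:
            continue  # border view only: skip internal-internal and transit flows
        local, lport, remote = (src, sport, dst) if src_local else (dst, dport, src)
        h = stats[local]
        h.remote_ips.add(remote)
        if src_local:
            h.out_remote_ips.add(remote)
        h.flows += 1
        h.pkts += pkts
        h.nbytes += nbytes
        h.by_proto_port[(proto, lport)][0].add(remote)
        h.by_proto_port[(proto, lport)][1] += 1
    return stats


def fanout_report(stats, window_seconds, baseline_hosts=(), allowlist=(), threshold=None):
    """Rank hosts by distinct peers; flag those above a fixed threshold or above the
    busiest baseline host (the post uses the DNS servers), unless allowlisted."""
    baseline = max((len(stats[h].remote_ips) for h in baseline_hosts if h in stats), default=0)
    rows = []
    for local, h in stats.items():
        n = len(h.remote_ips)
        over = n > threshold if threshold is not None else n > baseline
        rows.append({
            "local": local,
            "remote_ips": n,
            "outbound_remote_ips": len(h.out_remote_ips),
            "flows": h.flows,
            "flows_per_sec": round(h.flows / window_seconds, 2),
            "flagged": over and local not in allowlist,
        })
    rows.sort(key=lambda r: r["remote_ips"], reverse=True)
    return rows


def busiest_local_port(stats, local):
    """(proto, port, distinct remotes, flows) for the local socket with the most peers,
    the equivalent of narrowing ipdos to --port-i/--protocol-i in the post."""
    key, (remotes, flows) = max(stats[local].by_proto_port.items(), key=lambda kv: len(kv[1][0]))
    return key[0], key[1], len(remotes), flows


def make_sample_flows():
    """Constructed records (not real campus data): one supernode-like host, one DNS server,
    one ordinary workstation. Remote addresses are drawn from 198.18.0.0/15 (benchmark range)."""
    base = int(ipaddress.ip_address("198.18.0.0"))
    rem = lambda i: str(ipaddress.ip_address(base + i))
    lines = []
    for i in range(3000):  # supernode-like: 3000 peers over udp/19692, tiny flows both ways
        lines.append(f"udp,128.175.10.20,19692,{rem(i)},{30000 + i % 1000},3,240")
        lines.append(f"udp,{rem(i)},{30000 + i % 1000},128.175.10.20,19692,2,150")
    for i in range(40):    # plus a small tcp responder on the same port
        lines.append(f"tcp,{rem(50000 + i)},4000,128.175.10.20,19692,10,1200")
    for i in range(800):   # DNS server: 800 distinct clients on udp/53
        lines.append(f"udp,{rem(100000 + i)},5353,128.175.13.16,53,1,70")
        lines.append(f"udp,128.175.13.16,53,{rem(100000 + i)},5353,1,140")
    for i in range(15):    # workstation: 15 peers over tcp/443
        lines.append(f"tcp,128.175.40.7,{50000 + i},{rem(200000 + i)},443,120,90000")
    return lines


if __name__ == "__main__":
    s = aggregate(make_sample_flows())
    for r in fanout_report(s, 3600, baseline_hosts=("128.175.13.16",), allowlist=("128.175.13.16",)):
        print(f"{r['local']:16} {r['remote_ips']:>8} {r['outbound_remote_ips']:>8} "
              f"{r['flows']:>8} {r['flows_per_sec']:>7} {'*' if r['flagged'] else ''}")
    print("busiest socket on 128.175.10.20:", busiest_local_port(s, "128.175.10.20"))
```

The baseline rule mirrors the post's reasoning: the DNS servers are both the reference for "how much fan-out a legitimate service generates" and allowlisted, so a host is flagged only when it exceeds them without being a sanctioned service. The per-socket breakdown is what turns a raw count into something actionable, since it shows whether the peers concentrate on one port (a single application) or are spread across many.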
Current thread:
- Skype? Clark, Sean (Feb 03)
- <Possible follow-ups>
- Re: Skype? Basgen, Brian (Feb 03)
- Re: Skype? Tupker, Mike (Feb 03)
- Re: Skype? Mike Porter (Feb 03)
- Re: Skype? Basgen, Brian (Feb 03)
- Re: Skype? Stanclift, Michael (Feb 03)
- Re: Skype? Mike Porter (Feb 03)
- Re: Skype? Tupker, Mike (Feb 03)