Full Disclosure mailing list archives

Re: blocking SkyPE?

From: Alain Fauconnet <alain () ait ac th>
Date: Tue, 25 Jan 2005 19:04:29 +0700

Bryan,

Thanks for your input.

On Tue, Jan 25, 2005 at 12:04:45AM -0800, lists-security () nettracers com wrote:

Full-Disclosure aspect: knowing the capabilities and limitations of the
various firewalls employed.  How policies can be violated without detection.
Vendors and open-source community need to push to solve these real world
problems.

...but the real question is: can they detect SkyPE specifically?


This is from a Fortigate with factory release NIDS, AV and IPS databases -
nothing custom - (someone with a checkpoint and others may pipe in here with
their capabilities):

On Status page:
Recent Intrusion Detections
Time  Src/Dst         Service         Attack Name
2005-01-24 22:35:16   10.0.0.12 206.14.209.40  http   skype

Skype In Alert Log:
2005-01-24 22:35:16 log_id=1421051110 type=ips subtype=signature pri=alert
vd=root attack_id=109051909 src=10.0.0.12 dst=206.14.209.40 src_port=3743
dst_port=80 src_int=port1 dst_int=port2 status=detected proto=6 service=http
msg="p2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]";


I think that this may trigger on the regular HTTP request that SkyPE
does at start up (and only then). This checks the SkyPE web site for
updates. This is also what the available Snort signature trigger on,
simply because it's the only kind of traffic that has a recognizable
signature.
How many hits do you have for a given client IP on this rule? If it's
really triggering on VoIP traffic, you should get many per second.

I am not blocking skype traffic or the kazaa traffic that is detected, but
use this info to quantify the use of the network and to throttle bandwidth
if needed to maintain QOS for business-critical functions.


If that's just the version check traffic (and my gut feeling is that
it is, considering the data you've shown), this is *not* the kind of
SkyPE traffic you'd want to classify, and your QoS probably doesn't do
what you think it does (unless it shapes all traffic to/from that
client's IP)... What do you think?

[rest deleted - amen to all of this... including the pathetic "security
advice" of the SkyPE folks]

Greets,
_Alain_
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

blocking SkyPE? Alain Fauconnet (Jan 24)
- RE: blocking SkyPE? lists-security (Jan 24)
  - RE: blocking SkyPE? Brenno J.S.A.A.F. de Winter (Jan 24)
- Message not available
  - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - Re: blocking SkyPE? Valdis . Kletnieks (Jan 24)
    - Message not available
    - Re: blocking SkyPE? Alain Fauconnet (Jan 24)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)
    - RE: blocking SkyPE? lists-security (Jan 25)
    - Re: blocking SkyPE? Alain Fauconnet (Jan 25)