Every so often stories pop up about Skype being blocked in some country or the other, with some start-ups bragging how they did this. Now comes word that it is hard to detect Skype packets. Russell Shaw points to analysis by Art Reisman, CTO of APconnections, a company that specialized in packet shaping technology. Reisman could not detect and block Skype traffic, which is contrary to claims of a Chinese service provider which used Verso’s technology. That claim has been upheld by an independent agency. Aswath points out that numerous (successful) efforts have been made by others when it comes to identifying and blocking traffic. Last week there was also news of Skype texts being blocked in China, which, I am guessing, is a different beast compared to detecting and blocking Skype voice communication packets.

  1. Christof Baumgärtner Friday, April 21, 2006

    I have personally tested a solution called “GTEN PreVent” ( http://www.gten.com ) which can fully block Skype traffic.

  2. There is some analysis of Skype traffic available online. Two things make Skype block a possibility. First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns. For this you don’t need to know the exact content of the traffic, but you can look for the sequence of bits. The following paper should give enough information to pretty effectively block Skype or at least to make it hard for normal end-users
    http://www.cs.columbia.edu/techreports/cucs-039-04.pdf

    Skype’s PSTN/mobile interconnects make banning and blocking of content easy, since the PSTN and the mobile network are notoriously insecure. No end to end encryption possible.

  3. The people at U of Columbia have compiled a list of Skype analysis efforts, see http://www1.cs.columbia.edu/~salman/skype/

    I find the study called “Skype Uncovered” by D. Fabrice particularly interesting, it even explains how to roll your own Skype client and create a Skype darknet.

  4. Oops, sorry, the “Skype Uncovered” article is an old one. The really cool stuff is in: http://www.secdev.org/conf/skype_BHEU06.handout.pdf

  5. The point isn’t really that it is impossible to block Skype traffic. You can, within a relatively small organizational unit (for example your home, your office or maybe your company). The problem is that if you try to scale that up to do it at the ISP level or country level, it’s pretty difficult because you have to look inside every single packet to look for the tell-tale signs to figure out if it’s a Skype packet or not. That is very processor-intensive and if Skype really wanted, they could make it even harder or maybe impossible. The quick and dirty method is to blackhole the registration servers, but that is only a short-term solution, because registration can be distributed to multiple clients, like everything else in Skype.

  6. Christof Baumgärtner Friday, April 21, 2006

    “First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns.”

    Both of these methods have been possible with ancient Skype versions. Recent Skype versions can not be blocked this way.

  7. Antoin:

    The author of the report is not talking about practical considerations. He just flat out claims that he can not detect.

  8. He said he can’t detect it straightforwardly, but he doesn’t say flat-out that he definitely wouldn’t be able to detect it. According to the other research cited above, the signalling packets are just obfuscated, not really encrypted. He could look inside ‘em if he really tried.

  9. I think you are being charitable in your interpretation and I am being literal. Yes, the title says that it will not be easy, but look at the text:
    1. “… he tried — and failed — to detect and block traffic from Skype…”
    2. “I have feigned a few efforts at blocking Skype only to retreat to fight another day after being soundly defeated.”
    3. “However, when examining the stream I failed to see any human discernible call set up, so without prior knowledge of a call being made I could never be certain if what I was seeing was a Skype call.”
    4. “The setup portion of a Skype appears as just garbled goop.”

    If the author intended to put ease of detection as a condition, I would think some of the phrases would have been used differently.

    Oh, well. It looks like Skype stealth will get into folklore, just as its NAT Traversal technique was/is considered to be unique (even though for the most part it was using widely used techniques).

  10. But we should all step back, look at Skype and say ‘wow’ now and again. I know I do. I grant you, there’s no one thing in it that is extraordinary in itself – decent voice compression – peer-to-peer – tunnelling over HTTP – NAT traversal – a decent user interface. What’s amazing is that they’ve put it together in one package so beautifully, in a relatively short time. Skype made all this theoretical computer science available to the Internet surfer on the local wave in a simple package.

    I think it is the number-one software achievement of this decade (and I’m sure I’ll regret having said that).

