Can Skype Be Blocked? Maybe, Maybe Not

18 Comments

Every so often stories pop up about Skype being blocked in some country or other, with some start-ups bragging about how they did this. Now comes word that it is hard to detect Skype packets. Russell Shaw points to an analysis by Art Reisman, CTO of APconnections, a company that specialized in packet-shaping technology. Reisman could not detect and block Skype traffic, which is contrary to the claims of a Chinese service provider that used Verso’s technology. That claim has been upheld by an independent agency. Aswath points out that numerous (successful) efforts have been made by others when it comes to identifying and blocking traffic. Last week there was also news of Skype texts being blocked in China, which, I am guessing, is a different beast compared to detecting and blocking Skype voice communication packets.


Ruptor

Well, actually I can identify Skype TCP and UDP packets of all types with a negligible processing overhead, good enough even for the largest ISPs. The question is, how much are they willing to pay for it?

jrz

Can Skype be blocked?

http://peerwatch.witao.com/archives/24

From my experience, the technical answer to “Can Skype Be Blocked? Maybe, Maybe Not” is Definitely YES!

Generally, Skype traffic won’t be blocked by any China carrier at all. At least China Telecom HQ won’t make this silly decision. As far as I know, the China Telecom customers of Verso and other Skype blockers are just some small local telecom service providers, and they got the chance to do some testing in the lab through some ‘guanxi’ in private. Verso magnified what they were doing in China for wonderful PR, and after all the testing result was quite poor. China Telecom is undeserved in the Verso case.

China Telecom has got its own strategy on the information highway and VOIP, say the Biz Navigate brand platform etc.

Juha

Antoin: if you have a privatised monopoly, un-regulated despite over a decade of concern about the competition and competitiveness being munted, why would you worry about the service sold being crap? That’s all there is. What are customers going to do? Use something else that… isn’t there?

It’s labelled as a “best-effort service” with zilch guarantees. The CIR is 24kbit/s per user and month. No comeback for customers legally either. So you pays yer dues and you gets whatever the incumbent feels like giving you.

What kind of bandwidth does Skype Video use? Not got around to trying it yet.

Antoin O Lachtnain

Aswath: fair enough, but hey, it’s the weekend.

Juha: it sounds like those guys have got it sorted. Screw up absolutely everything and Skype won’t work, brilliant. The only problem is that the rest of the service must be pretty crappy too. How can they go out and sell a service like that with a straight face?

Off-topic again but here’s my reason for the day why I think operators shouldn’t block Skype. Skype Video. Maybe this is old news, I just tried it for the first time this week – it’s really great, but it is a little bandwidth intensive. I think that Skype video will create massive demand for symmetric high-bandwidth services. If the telcos have any vision, they will make a fortune out of people who want to have many high-quality video calls open at the same time. Your videoconf capability will be a sign of your wealth, the way your water supply was in Roman times, or the depth of your carpet in the eighties.

Juha

Instead of concentrating on a single application (Skype) and trying to identify and block that traffic, you could apply a blanket solution that kills VoIP automatically.

Our telco incumbent does this for its DSL customers through:

  • Having a low upstream speed – 128kbps
  • A service specification that allows for up to 500ms jitter
  • … and up to one second packet delay in each direction.

There are also rumours that said telco is queueing up IP packets, keeping the sequential order but transmitting them at random intervals within a one-second period (so as not to break the specification). No-one’s been able to prove that yet though.

Thanks to the above, Skype is almost unusable on the incumbent’s DSL.
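The rumoured queueing behaviour in the comment above can be modelled and measured. The following is an added example, not part of the original comments: it assumes 20 ms voice packets and a per-packet random hold of under one second, uses hypothetical function names, and computes the RFC 3550 interarrival jitter and delay spread to check against the 500 ms jitter / one second delay specification quoted above.

```python
import random

PACKET_INTERVAL = 0.020  # assumption: 20 ms voice frames (not stated on the page)
HOLD_WINDOW = 1.0        # the one-second period from the rumour
SPEC_MAX_JITTER = 0.5    # "up to 500ms jitter"
SPEC_MAX_DELAY = 1.0     # "up to one second packet delay"


def send_times(n, interval=PACKET_INTERVAL):
    """Send timestamps (seconds) of a constant-rate voice stream."""
    return [i * interval for i in range(n)]


def shape(sent, window=HOLD_WINDOW, seed=1):
    """Hold each packet for a random time in [0, window), but never release
    it before the previous packet, so sequence order is preserved."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample
    released, last = [], 0.0
    for t in sent:
        last = max(t + rng.random() * window, last)
        released.append(last)
    return released


def measure(sent, received):
    """Delay statistics plus the RFC 3550 (section 6.4.1) jitter estimate."""
    delays = [r - s for s, r in zip(sent, received)]
    jitter = 0.0
    for prev, cur in zip(delays, delays[1:]):
        jitter += (abs(cur - prev) - jitter) / 16.0
    return {
        "in_order": all(a <= b for a, b in zip(received, received[1:])),
        "max_delay": max(delays),
        # Playout buffer a receiver needs to absorb the delay variation.
        "delay_spread": max(delays) - min(delays),
        "rfc3550_jitter": jitter,
    }


def within_spec(stats):
    """True if the stream still meets the quoted service specification."""
    return (stats["in_order"] and stats["max_delay"] <= SPEC_MAX_DELAY
            and stats["rfc3550_jitter"] <= SPEC_MAX_JITTER)


if __name__ == "__main__":
    sent = send_times(3000)  # one minute of constructed traffic
    for name, recv in (("clean", [t + 0.05 for t in sent]),
                       ("shaped", shape(sent))):
        stats = measure(sent, recv)
        print(name, stats, "within spec:", within_spec(stats))
```

Jitter and delay spread depend only on differences between delays, so a constant clock offset between sender and receiver cancels out; `max_delay` is the one figure that needs synchronised clocks.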

Aswath

Now this is totally different. I do not have to say “wow”; let n million subscribers do that. But at least one person should challenge a claim that seems not to have been thoroughly researched. That is the original intent of this thread; greatness of Skype as an application was not.

Antoin O Lachtnain

But we should all step back, look at Skype and say ‘wow’ now and again. I know I do. I grant you, there’s no one thing in it that is extraordinary in itself – decent voice compression – peer-to-peer – tunnelling over HTTP – NAT traversal – a decent user interface. What’s amazing is that they’ve put it together in one package so beautifully, in a relatively short time. Skype made all this theoretical computer science available to the Internet surfer on the local wave in a simple package.

I think it is the number-one software achievement of this decade (and I’m sure I’ll regret having said that).

aswath

I think you are being charitable in your interpretation and I am being literal. Yes, the title says that it will not be easy, but look at the text:
1. “… he tried — and failed — to detect and block traffic from Skype…”
2. “I have feigned a few efforts at blocking Skype only to retreat to fight another day after being soundly defeated.”
3. “However, when examining the stream I failed to see any human discernible call set up, so without prior knowledge of a call being made I could never be certain if what I was seeing was a Skype call.”
4. “The setup portion of a Skype appears as just garbled goop.”

If the author intended to put ease of detection as a condition, I would think some of the phrases would have been used differently.

Oh, well. It looks like Skype stealth will get into folklore, just as its NAT Traversal technique was/is considered to be unique (even though for the most part it was using widely used techniques).

Antoin O Lachtnain

He said he can’t detect it straightforwardly, but he doesn’t say flat-out that he definitely wouldn’t be able to detect it. According to the other research cited above, the signalling packets are just obfuscated, not really encrypted. He could look inside ’em if he really tried.

aswath

Antoin:

The author of the report is not talking about practical considerations. He just flat out claims that he can not detect.

Christof Baumgärtner

“First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns.”

Both of these methods have been possible with ancient Skype versions. Recent Skype versions can not be blocked this way.

Antoin O Lachtnain

The point isn’t really that it is impossible to block Skype traffic. You can, within a relatively small organizational unit (for example your home, your office or maybe your company). The problem is that if you try to scale that up to do it at the ISP level or country level, it’s pretty difficult because you have to look inside every single packet to look for the tell-tale signs to figure out if it’s a Skype packet or not. That is very processor-intensive and if Skype really wanted, they could make it even harder or maybe impossible. The quick and dirty method is to blackhole the registration servers, but that is only a short-term solution, because registration can be distributed to multiple clients, like everything else in Skype.

Tore

The people at U of Columbia have compiled a list of Skype analysis efforts, see http://www1.cs.columbia.edu/~salman/skype/

I find the study called “Skype Uncovered” by D. Fabrice particularly interesting, it even explains how to roll your own Skype client and create a Skype darknet.

Raindeer

There is some analysis of Skype traffic available online. Two things make Skype block a possibility. First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns. For this you don’t need to know the exact content of the traffic, but you can look for the sequence of bits. The following paper should give enough information to pretty effectively block Skype or at least to make it hard for normal end-users
http://www.cs.columbia.edu/techreports/cucs-039-04.pdf

Skype’s PSTN/mobile interconnects make banning and blocking of content easy, since the PSTN and the mobile network are notoriously insecure. No end to end encryption possible.
