Message-ID: <20050125180602.ACF0025C00B@mail.nettracers.com>
From: lists-security at nettracers.com (lists-security@...tracers.com)
Subject: blocking SkyPE?

 
> I think that this may trigger on the regular HTTP request that SkyPE does
> at start up (and only then). This checks the SkyPE web site for updates. This
> is also what the available Snort signatures trigger on, simply because it's the
> only kind of traffic that has a recognizable signature.
> How many hits do you have for a given client IP on this rule? If it's
> really triggering on VoIP traffic, you should get many per second.

I am getting 3-10 hits per second for any active system running this, for
example:

ID  Status    Time      Signature                                                                   Src port  Dst port  Proto (6 = TCP)
91  detected  09:06:35  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             80        4048      6
92  detected  09:06:29  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             4048      80        6
93  detected  09:06:13  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             4048      80        6
94  detected  09:06:06  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             80        4048      6
95  detected  09:04:11  p2p: skype, aggregated 3 times [Reference: http://www.fortinet.com/ids/ID109051909]  80  4048  6
96  detected  09:04:05  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             4048      80        6
97  detected  09:03:36  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             80        4048      6
98  detected  09:03:29  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             4048      80        6
99  detected  09:02:08  p2p: skype [Reference: http://www.fortinet.com/ids/ID109051909]             4048      80        6


> If that's just the version check traffic (and my gut feeling is that it is,
> considering the data you've shown), this is *not* the kind of SkyPE traffic
> you'd want to classify, and your QoS probably doesn't do what you think it
> does (unless it shapes all traffic to/from that client's IP)... What do you
> think?

The plan is to shape the user's entire system: throttle it to a lower priority
and/or limited bandwidth, or block it fully, when any p2p policy abuse is
detected. Since you can't tell which traffic is which, just relegate that
user to 9600 bps (BOFH solution). The Skype encryption and traffic should
be mathematically characterizable and classifiable without having to
decrypt... a fun project to work on perhaps... with results fed back to the
IPS system to lock down or flow control.

- Bryan K. Watson
- bwatson@...tracers.com
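The hit-rate check the quoted reply suggests, carried out over alert rows in the layout the post shows, as an added example that is not part of the original message or of any IDS vendor's tooling. It parses the tab-separated columns (id, status, HH:MM:SS, signature, source port, destination port, IP protocol), counts an "aggregated N times" row as N hits, and reports per client the average and peak hits per second and whether every hit involved TCP/80, which is what a rule that only matches the start-up update check looks like. The first sample reproduces the post's nine rows; the second is a hypothetical burst constructed to show what a rule that really matched call traffic would produce. The client is keyed by the non-80 port because the post's rows carry no IP addresses (a real deployment would key by client IP), and the threshold of 3 hits per second is an assumption.

```python
"""Rate-based triage of IDS "p2p: skype" alerts (added example, not the
post's or any vendor's code).  Parses rows in the post's column layout and
decides, per client, whether the rule fires like a one-off update check or
like sustained traffic worth shaping."""
import re
from collections import defaultdict

# Constructed sample 1: the nine rows from the post, same column layout.
UPDATE_CHECK_LOG = """\
91\tdetected\t09:06:35\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t80\t4048\t6
92\tdetected\t09:06:29\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t4048\t80\t6
93\tdetected\t09:06:13\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t4048\t80\t6
94\tdetected\t09:06:06\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t80\t4048\t6
95\tdetected\t09:04:11\tp2p: skype,aggregated 3 times,[Reference: http://www.fortinet.com/ids/ID109051909]\t80\t4048\t6
96\tdetected\t09:04:05\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t4048\t80\t6
97\tdetected\t09:03:36\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t80\t4048\t6
98\tdetected\t09:03:29\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t4048\t80\t6
99\tdetected\t09:02:08\tp2p: skype,[Reference: http://www.fortinet.com/ids/ID109051909]\t4048\t80\t6
"""

# Constructed sample 2 (hypothetical): twelve UDP (proto 17) hits on non-80
# ports within two seconds, i.e. what a rule matching real call traffic would log.
CALL_LIKE_LOG = "\n".join(
    f"{200 + i}\tdetected\t09:10:{i // 6:02d}\tp2p: skype,[Reference: hypothetical]\t4048\t33456\t17"
    for i in range(12)
)

AGG_RE = re.compile(r"aggregated (\d+) times")


def _seconds(hhmmss):
    """HH:MM:SS -> seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_alerts(text):
    """Yield (time_s, client_port, proto, hits, via_port_80) per row.
    An 'aggregated N times' row stands for N hits at that timestamp."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # blank or malformed row
        _id, _status, ts, sig, sport, dport, proto = fields
        m = AGG_RE.search(sig)
        hits = int(m.group(1)) if m else 1
        # The web side of the update check is TCP/80; the other port is the client's.
        client = int(dport) if sport == "80" else int(sport)
        rows.append((_seconds(ts), client, int(proto), hits, "80" in (sport, dport)))
    return rows


def triage(text, sustained_hps=3.0):
    """Per client: total hits, span, average and peak hits/second, and a verdict.
    sustained_hps is an assumed threshold, not a value from the post."""
    per_client = defaultdict(list)
    for t, client, proto, hits, via80 in parse_alerts(text):
        per_client[client].append((t, proto, hits, via80))
    verdicts = {}
    for client, rows in per_client.items():
        times = [t for t, _, _, _ in rows]
        total = sum(h for _, _, h, _ in rows)
        span = max(max(times) - min(times), 1)  # avoid division by zero
        by_sec = defaultdict(int)
        for t, _, h, _ in rows:
            by_sec[t] += h
        avg = total / span
        verdicts[client] = {
            "hits": total,
            "span_s": span,
            "avg_hps": round(avg, 3),
            "peak_hps": max(by_sec.values()),
            "all_via_port_80": all(v for _, _, _, v in rows),
            "verdict": "shape-host" if avg >= sustained_hps else "update-check-only",
        }
    return verdicts


if __name__ == "__main__":
    for name, log in (("post rows", UPDATE_CHECK_LOG), ("hypothetical burst", CALL_LIKE_LOG)):
        for client, v in triage(log).items():
            print(f"{name}: client port {client}: {v}")
```

Running it on the post's rows gives 11 hits over 267 seconds (about 0.04 hits/s, peak 3, all via port 80), so the per-host throttle would not fire; the hypothetical burst gives 12 hits/s on UDP and does. Because the shaping decision applies to the whole host rather than to a flow, keying it on a sustained rate rather than on any single alert is what keeps an update check from costing a user all their bandwidth.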
