| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050126025405.GD9139@ait.ac.th> From: alain at ait.ac.th (Alain Fauconnet) Subject: blocking SkyPE? Bryan, On Tue, Jan 25, 2005 at 10:05:42AM -0800, lists-security@...tracers.com wrote: > > >I think that this may trigger on the regular HTTP request that SkyPE does > at > >start up (and only then). This checks the SkyPE web site for updates. This > is > >also what the available Snort signature trigger on, simply because it's the > only >kind of traffic that has a recognizable signature. > >How many hits do you have for a given client IP on this rule? If it's > really > >triggering on VoIP traffic, you should get many per second. > > I am getting 3-10 hits per second for any active system running this, > example: > > 91 detected 09:06:35 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 80 4048 6 > 92 detected 09:06:29 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 4048 80 6 > 93 detected 09:06:13 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 4048 80 6 > 94 detected 09:06:06 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 80 4048 6 > 95 detected 09:04:11 p2p: skype,aggregated 3 > times,[Reference: http://www.fortinet.com/ids/ID109051909] 80 4048 > 6 > 96 detected 09:04:05 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 4048 80 6 > 97 detected 09:03:36 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 80 4048 6 > 98 detected 09:03:29 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 4048 80 6 > 99 detected 09:02:08 p2p: skype,[Reference: > http://www.fortinet.com/ids/ID109051909] 4048 80 6 Uh, OK, if all this is for the same client, then I stand corrected and your VoIP traffic is going over port 80 obviously. The Fortinet folks therefore appear to have found reliable signatures to catch SkyPE's VoIP traffic. Congratulations to them! I'll ask a quotation, but I doubt that I can get the budget for this stuff :-( > The plan is to shape the entire users system to throttle to a lower priority > or a and/or limited bandwidth or full block when any p2p policy abuse is > detected. Let me rephrase this: once you detect any kind of P2P traffic from a given client, you'd throttle down all kind of traffic from/to that IP, do I understand correctly? > Since you can't tell which traffic is which, just relegate that > user to 9600 bps (BOFH solution). Kind of, yes :-) But well, sometimes they're the right ones! > The skype encryption and traffic should > be able to be mathematically characterized and classified without having to > decrypt...a fun project to work on perhaps... Certainly. Been trying myself, not much progress so far. I'm sure that guys smarter than me have worked on this. Greets, _Alain_
Powered by blists - more mailing lists