* Re: [LARTC] IP2P & Skype question
2005-04-25 13:08 [LARTC] IP2P & Skype question Gary Smith
@ 2005-04-25 14:20 ` Andreas Klauer
2005-04-25 14:33 ` Justin Schoeman
` (11 subsequent siblings)
12 siblings, 0 replies; 14+ messages in thread
From: Andreas Klauer @ 2005-04-25 14:20 UTC (permalink / raw)
To: lartc
On Monday 25 April 2005 15:08, Gary Smith wrote:
> I need to detect Skype traffic using (I think it can be done) IP2P.
What's IP2P?
I only know IPP2P, and I can't find anything about Skype on the official
homepage (www.ipp2p.org). It's only for P2P filesharing networks. Maybe
you could test Skype support of l7-filter and give the authors some
feedback (http://l7-filter.sourceforge.net/protocols lists Skype as
supported, but untested).
HTH
Andreas
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] IP2P & Skype question
From: Justin Schoeman @ 2005-04-25 14:33 UTC (permalink / raw)
To: lartc
I don't think Skype works very well with any of these. I have tried the
l7-filter pattern, with no luck.
Apparently, the big problem is that Skype traffic is encrypted, and so
it is not possible to match it using fixed patterns.
In some cases, it is possible to block Skype, as the existing pattern
seems to match an important, but not yet encrypted packet. Shaping is
however not possible, as the matched packet makes up very little of the
traffic.
-justin
* Re: [LARTC] IP2P & Skype question
From: Andreas Klauer @ 2005-04-25 14:57 UTC (permalink / raw)
To: lartc
On Monday 25 April 2005 16:33, Justin Schoeman wrote:
> In some cases, it is possible to block Skype, as the existing pattern
> seems to match an important, but not yet encrypted packet.
Okay. That's details about the protocol I have no clue about. If only one
packet can be matched, I'd probably try to squeeze as much information out
of this one as possible (source and destination address or whatever can be
obtained) and then shape using this criteria. If you're lucky, you know
this stuff beforehand, and can use static shaping/filter rules for that,
otherwise you'll have to whip up a more dynamic solution.
HTH
Andreas
* Re: [LARTC] IP2P & Skype question
From: Gary Smith @ 2005-04-25 15:35 UTC (permalink / raw)
To: lartc
Sorry it is IPP2P.
I see the L7-filter looks like it might suit my needs a lot better.
I have received a number of replies on my original request - all very
useful.
I have an open question with the IPP2P people over Skype and hope they
get back to me. I read somewhere it can be used for detecting Skype,
but I am trying to find confirmation.
I will go dig into the L7-filter stuff and see how I get on.
Thanks
Gary Smith
* Re: [LARTC] IP2P & Skype question
From: Taylor, Grant @ 2005-04-25 18:22 UTC (permalink / raw)
To: lartc
After doing some reading (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) it looks like the only easy way to detect and stop Skype communications is through the connection to the Skype login server and treat the traffic coming from that host as if it is Skype traffic. If you are wanting to classify Skype traffic I'm not sure how to help. However, if you are just wanting to prevent Skype from being able to communicate on your network, you may be able to look for the traffic that the Skype client sends to the Skype Login Server as it tries to login to the Skype network. I have a feeling that if you DROPed this traffic the Skype client would not be able to communicate with the Skype network and thus block this traffic. Anything beyond this is going to be extremely difficult to block as Skype is a generational enhanced protocol from the developers of Kazaa and thus going to be very hard to stop. IMHO Skype will make blocking Yahoo Instant Messenger look easy. This is very scary to me, a network administrator. :(

I have a feeling the real way to deal with this will be to write a Skype client that will connect to the network and find as many Skype Super Nodes as it can and add the IPs of the SNs as well as the corresponding port (as it is possibly dynamic) and add them to an IPSet via an external program. Unfortunately this is something that will have to be maintained via a cron job or something else and thus not easy.

I have a feeling that we are going to see more and more things like this on the net as more and more people are trying to fight security, thus we SAs have to work harder and harder. If you try to make the world more idiot proof the universe will build a better idiot. The universe is winning.
Grant. . . .
* Re: [LARTC] IP2P & Skype question
From: Michael Renzmann @ 2005-04-26 7:29 UTC (permalink / raw)
To: lartc
Hi.
Taylor, Grant wrote:
> I have a feeling the real way to deal with this will be to write a
> Skype client that will connect to the network and find as many Skype
> Super Nodes as it can and add the IPs of the SNs as well as the
> corresponding port (as it is possibly dynamic) and add them to an
> IPSet via an external program.
Good idea, but there is a problem: Skype uses a proprietary and closed
protocol. This makes it hard to come up with a modified client like the
one you've described, as long as you are not experienced with reverse
engineering.
Bye, Mike
* Re: [LARTC] IP2P & Skype question
From: Taylor, Grant @ 2005-04-26 7:38 UTC (permalink / raw)
To: lartc
> Good idea, but there is a problem: Skype uses a proprietary and closed
> protocol. This makes it hard to come up with a modified client like the
> one you've described, as long as you are not experienced with reverse
> engineering.
I never said that it would be easy. It's just a proposed idea. I'm thinking I'm going to have to do something similar to this with Yahoo IM.
Grant. . . .
* Re: [LARTC] IP2P & Skype question
From: Gary Smith @ 2005-04-26 12:52 UTC (permalink / raw)
To: lartc
Thanks everyone who is participating in this discussion as it has thrown
up some interesting points and some quite scary ones....
The easiest (if there is one) way to do this might be to snoop the
traffic from a client as it logs on and try to classify that.
I did make a feeble attempt to block this by snooping the login process
and trying to block the IPs that the client tried to authenticate with,
but after about 30, I realized I did not know how long the piece of
string was and gave up.
I will need to look into the ethereal howto and see what I can find,
unless anyone else has done this and had any form of success!!
Regarding yahoo messenger, I have not looked at this for a while. As I
understood, it used a single outgoing port and if blocked - end of
yahoo.... Or has this changed since I last looked?
Thanks for now.
Gary -
* Re: [LARTC] IP2P & Skype question
From: Taylor, Grant @ 2005-04-26 22:02 UTC (permalink / raw)
To: lartc
> Regarding yahoo messenger, I have not looked at this for a while. As I
> understood, it used a single outgoing port and if blocked - end of
> yahoo.... Or has this changed since I last looked?
This must have changed as Yahoo will try to connect to 4 different servers on 8 different ports for basic IM use. If you want to use other features like the webcam, file sharing, or voice chat there are different servers and different ports that your client will connect to. Take a look at http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you want to see Yahoo's definition of what the client does. I wrote a RegEx of the various host names that Yahoo will connect to, "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com". If I could implement a match in DNS for this RegEx I would do so to prevent computers on my networks from finding things.
Grant. . . .
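Grant's host-name pattern above is written informally (unescaped dots, "(0-99)" ranges). The following is an added example, not code from this list or from Yahoo: it turns that pattern into a real regular expression and runs it over a few constructed resolver-log lines, which is the DNS-side match he says he would like to have. The log format and client addresses are made up for the example.

```python
import re

# Grant's informal pattern from the thread:
#   ((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com
# Rewritten as a real regex (added example, not code from the list):
# dots are escaped (a bare '.' matches any character), "(0-99)" becomes a
# one- or two-digit number without a leading zero, and the whole thing is
# anchored so that "webcam.yahoo.com.evil.example" cannot sneak through.
YAHOO_IM_HOST = re.compile(
    r"""
    ^(?:
        (?:scs[a-z]?|filetransfer)\.msg                                  # scs.msg, scsa.msg, filetransfer.msg
      | v(?:[0-9]|[1-9][0-9])\.(?:vc|vip)\.sc(?:[a-z]|[0-9]|[1-9][0-9])  # v12.vip.sc3, v7.vc.scd
      | webcam
    )\.yahoo\.com$
    """,
    re.IGNORECASE | re.VERBOSE,
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot that query logs carry."""
    return name.strip().rstrip(".").lower()


def is_yahoo_im_host(name: str) -> bool:
    """True when the name is one of the Yahoo IM endpoints in Grant's pattern."""
    return YAHOO_IM_HOST.match(normalize(name)) is not None


# Constructed sample lines in a simple "client qtype name" resolver-log
# style; both the format and the addresses are made up for this example.
SAMPLE_LOG = """\
192.168.1.10 A scs.msg.yahoo.com.
192.168.1.10 A www.yahoo.com.
192.168.1.11 A v12.vip.sc3.yahoo.com.
192.168.1.12 A webcam.yahoo.com.
192.168.1.12 A mail.yahoo.com.
192.168.1.13 A filetransfer.msg.yahoo.com.
192.168.1.13 A v100.vc.sca.yahoo.com.
"""


def flag_queries(log_text: str):
    """Return (client, name) for every logged query that hits the pattern.

    Malformed lines are skipped rather than raising, so a partial log
    still yields the matches it does contain.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _qtype, name = parts
        if is_yahoo_im_host(name):
            hits.append((client, normalize(name)))
    return hits


if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_LOG):
        print(f"{client} looked up Yahoo IM host {name}")
```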
* Re: [LARTC] IP2P & Skype question
From: Andy Furniss @ 2005-04-26 23:11 UTC (permalink / raw)
To: lartc
What fun it must be being a netadmin - what don't you want to block, by
which I mean wouldn't it be easier to block everything and run
squid/mail server.
Andy.
* Re: [LARTC] IP2P & Skype question
From: gypsy @ 2005-04-27 4:29 UTC (permalink / raw)
To: lartc
Andy Furniss wrote:
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
>
> Andy.
Yes, I too have been reading these things asking myself why one would
allow users such open access. One reason, of course, is that it is
difficult to allow some http but not other, so if the port is 80, it
pretty much has to be OK. So how would squid (or anything else except
perhaps Level 7) know that this particular connection is A Bad Thing?
I have been successful at limiting the number of FTP connections per
user using iptables' connlimit and helper. That's where I'd start. And
if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
and 1 for FTP.
iptables -N HTTP
iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A HTTP -j RETURN
iptables -A FORWARD -p tcp --dport 80 -j HTTP
iptables -A FORWARD -p tcp --sport 80 -j HTTP
iptables -A FORWARD -m helper --helper ftp -j HTTP
In conjunction with my ACL (posted here a while back; it limits specific
users to specific ports), the above would not be total deny, but it sure
would put a dent in abuse.
gypsy
* Re: [LARTC] IP2P & Skype question
From: Taylor, Grant @ 2005-04-27 5:08 UTC (permalink / raw)
To: lartc
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
Yes, it *IS* *MUCH* easier to block everything and only allow out the traffic that you want. Unfortunately *MANY* of my clients will not let me do that as they don't see any security problem(s) in what they presently have. It is my job (consultant) to enlighten my clients to the potential problems that do exist and to prevent / fix them to the best of my ability on their networks.
I am a Consultant / Systems Administrator for a small company with many clients (circa 50) with an email user base of something around 300 on my main mail server (mostly my clients' email). I have to run my network at the office and the networks at my clients. I have anything ranging from DOS 6.22 & 98 clients on Novell NetWare 4.11 IPX / IP networks, to M$ Windows 2000 with 2k and XP clients, to unix networks. I get the gauntlet and thus have to deal with a LOT of crap.
Grant. . . .
* Re: [LARTC] IP2P & Skype question
From: Taylor, Grant @ 2005-04-27 5:22 UTC (permalink / raw)
To: lartc
> Yes, I too have been reading these things asking myself why one would
> allow users such open access. One reason, of course, is that it is
> difficult to allow some http but not other, so if the port is 80, it
> pretty much has to be OK. So how would squid (or anything else except
> perhaps Level 7) know that this particular connection is A Bad Thing?
One word, er name, Squid (Caching Proxy). Squid is *WONDERFUL*. Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get down Squid's syntax. I can easily define an ACL as such:
acl my_acl_name dstdomain .domain_I_dont_like.tld
http_access deny my_acl_name
Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols. These are just some of the benefits of using an application layer gateway.
> I have been successful at limiting the number of FTP connections per
> user using iptables' connlimit and helper. That's where I'd start. And
> if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
> and 1 for FTP.
> iptables -N HTTP
> iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
> iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A HTTP -j RETURN
If the traffic that you are trying to connlimit is internal to your LAN I would recommend that you REJECT the traffic as this will prevent the client user agents from having to time out.
> iptables -A FORWARD -p tcp --dport 80 -j HTTP
> iptables -A FORWARD -p tcp --sport 80 -j HTTP
> iptables -A FORWARD -m helper --helper ftp -j HTTP
>
> In conjunction with my ACL (posted here a while back; it limits specific
> users to specific ports), the above would not be total deny, but it sure
> would put a dent in abuse.
Grant. . . .