Skype Traffic

Unanswered Question
May 2nd, 2007
User Badges:

Hi,


I have a Cisco Pix Firewall Version 6.3(4) device. Below are the queries for which i need clarification,


1. Is there a possibility of determining traffic generated by "skype" ? Meaning, from the logs would one be able to determine if this is "skype" traffic or not ?


2. Is there something for firewalls similar to NBAR for routers ?


Thanks,

-S-

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Anonymous (not verified) Tue, 05/08/2007 - 13:56
User Badges:

The PIX does not have the ability to perform deep packet inspection to the level needed to catch skype.

You could try to block UDP port 1247 and TCP ports 2940-3000 but if these ports are blocked, then skype uses 443 to tunnel out of the network to talk to the SN's (supernodes).


In order to effectively block skype, you must get down into the packet and start looking at the payload.


Here is what you have to do to block skype. You have to inspect the payload of the network (TCP, UDP) traffic. Otherwise, you cannot block Skype.


At login Skype sends a login message to the login server. The first two messages in that flow are:

Skype LS

0x1603010000 -> (5 bytes)

<- 0x1703010000 (5 bytes)


By blocking all incoming messages who have the signature 0x17030100, Skype is blocked.


Note that the first three bytes of client_key_exchange SSL message are

0x160301 which correspond to:

0x16: the message type is client_key_exchange

03 01: SSL version 3.1


Skype uses the SSL signature header for client to server message exchange. But for server to client message exchange, it uses a non-SSL based header. So by blocking packets that have this header (0x170301), one can effectively block Skype without blocking any other application.


The IPS module on the ASA can tag these skype packets and block them.


Actions

This Discussion