preventing skype traffic

Nov 6th, 2007

I want to block Skype traffic entirely.

I have a choice of:

- Cisco router (870, which should handle Flexible Packet Matching)

- Cisco switch (cat6500 - sup720 and sup32 NOT PISA EQUIPPED)

- Cisco ASA 5520 (Modular Policy Framework)

I have been playing with the 870 and FPM at first, but it seems not to block newer (3.x) Skype releases (a TAC case is active).

Any idea/hint?

clausonna Wed, 11/14/2007 - 11:42

The last time I checked, NBAR can only recognize Skype v1.0, not the latest version which I believe is 3.0. Although I have my gripes about NBAR (quite often it just matches traffic on the source/destination port, and doesn't actually match on the payload. Kazaa is a good example), I think this is an issue with the way Skype is purposefully encrypting itself in order to evade detection.

For a while our IPS sensors were firing on the "OpenSSL TLS Malformed Handshake DoS" signature, and we concluded that was part of the initial Skype handshake.

Good luck

ibrunello Wed, 11/14/2007 - 14:19

Yes, Cisco states that Skype NBAR only supports "skype version 1.4".

Checking for malformed HTTPS was something I thought about; maybe I will work out a solution and post it here...

Thank you for the hint.
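For reference, this is what the NBAR-based drop the two posts above are discussing looks like on an IOS router; it is an added example, not configuration posted in the thread, and the interface name is assumed. It only catches the Skype versions the installed NBAR protocol definitions can classify (the thread says 1.x), so newer clients pass through it untouched.

```cisco
! NBAR classification needs CEF switching enabled.
ip cef
!
! Classify whatever NBAR recognises as Skype (version coverage depends on
! the IOS release / PDLM; per the thread, only the 1.x client is known).
class-map match-any BLOCK-SKYPE
 match protocol skype
!
! Drop the classified traffic instead of policing or marking it.
policy-map DROP-SKYPE
 class BLOCK-SKYPE
  drop
!
! Apply inbound on the LAN-facing interface (name assumed; adjust to the platform).
interface Vlan1
 description inside LAN (assumed)
 service-policy input DROP-SKYPE
!
! Verification: class counters show whether any flow was classified at all;
! zero matches while Skype still works is the symptom the thread describes.
! show policy-map interface Vlan1
```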

azoulflak Wed, 11/14/2007 - 15:59

I think in order to completely block Skype you need a combination of IPS, firewall and proxy (for SSL).

It is a very dynamic application that tries different methods to connect (UDP, HTTP, HTTPS).
