Re: IP2P & Skype question

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



After doing some reading (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) it looks like the only easy way to detect and stop Skype communications is through he connection to the Skype login server and treat the traffic coming from that host as if is Skype traffic. If you are wanting to classify Skype traffic I'm not sure how to help. However if you are just wanting to prevent Skype from being able to communicate on your network you may be able to look for the traffic that the Skype client sends to the Skype Login Server as it tries to login to the Skype network. I have a feeling that if you DROPed this traffic the Skype client would not be able to communicate with the Skype network and thus block this traffic. Any thing beyond this is going to be extremely difficult to block as Skype is a generational enhanced protocol from the developers of Kazaa and thus going to be very hard to stop. IMHO Skype will make blocking Yahoo Instant Messenger look easy. This is very scary to me, a network administrator. :( I have a feeling the real way to deal with this will be to write a Skype client that will connect to the network and find as many Skype Super Nodes as it can and add the IPs of the SNs as well as the corresponding port (as it is possibly dynamic) and add them to an IPSet via an external program. unfortunately this is something that will have to be maintained via a cron job or something else and thus not easy. I have a feeling that we are going to see more and more things like this on the net as more and more people are trying to fight security thus we SAs have to work harder and harder. If you try to make the world more idiot proof the universe will build a better idiot. The universe is winning.



Grant. . . .

Andreas Klauer wrote:
Okay. That's details about the protocol I have no clue about. If only one packet can be matched, I'd probably try to squeeze as much information out of this one as possible (source and destination address or whatever can be obtained) and then shape using this criteria. If you're lucky, you know this stuff beforehand, and can use static shaping/filter rules for that, otherwise you'll have to whip up a more dynamic solution.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux