The easiest (If their is one) way to do this might be to snoop the traffic from a client as it logs on and try to classify that.
I did make a feeble attempt to block this by snooping the login process and try blocking the IP's that the client tried to authenticate with, but after about 30, I realized I did not know how long the piece of string was and gave up.
I will need to look into the ethereal howto and see what I can find, unless anyone else has done this and had any form of success!!
Regarding yahoo messenger, I have not looked at this for a while. As I understood, it used a single outgoing port and if blocked - end of yahoo.... Or has this changed since I last looked?
Thanks for now.
Gary -
Taylor, Grant wrote:
After doing some reading (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) it looks like the only easy way to detect and stop Skype communications is through he connection to the Skype login server and treat the traffic coming from that host as if is Skype traffic. If you are wanting to classify Skype traffic I'm not sure how to help. However if you are just wanting to prevent Skype from being able to communicate on your network you may be able to look for the traffic that the Skype client sends to the Skype Login Server as it tries to login to the Skype network. I have a feeling that if you DROPed this traffic the Skype client would not be able to communicate with the Skype network and thus block this traffic. Any thing beyond this is going to be extremely difficult to block as Skype is a generational enhanced protocol from the developers of Kazaa and thus going to be very hard to stop. IMHO Skype will make blocking Yahoo Instant Messenger look easy. This is very scary to me, a network administrator. :( I have a feeling the real way to deal with this will be to write a Skype client that will connect to the network and find as many Skype Super Nodes as it can and add the IPs of the SNs as well as the corresponding port (as it is possibly dynamic) and add them to an IPSet via an external program. unfortunately this is something that will have to be maintained via a cron job or something else and thus not easy. I have a feeling that we are going to see more and more things like this on the net as more and more people are trying to fight security thus we SAs have to work harder and harder. If you try to make the world more idiot proof the universe will build a better idiot. The universe is winning.
Grant. . . .
Andreas Klauer wrote:
Okay. That's details about the protocol I have no clue about. If only one packet can be matched, I'd probably try to squeeze as much information out of this one as possible (source and destination address or whatever can be obtained) and then shape using this criteria. If you're lucky, you know this stuff beforehand, and can use static shaping/filter rules for that, otherwise you'll have to whip up a more dynamic solution.
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
