Rob,

Skype routes its login messages through a dynamic set of supernodes (SNs) => there is no fixed set of login server IPs to block. The bootstrap SNs are different for different clients and can be found in shared.xml.
There are some ad hoc tricks to block Skype traffic over UDP by blocking the NACK packet, for example [1]:

/sbin/iptables -I FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x01020304' -j QUEUE

However, Skype can work without UDP, so the trick is not sufficient to block Skype reliably. The work from Columbia mentions that it might be possible to block Skype by blocking TCP packets beginning with: 0x17 0x03 0x01 0x00.

For more details, see the following:

[1] http://www.secdev.org/conf/skype_BHEU06.pdf
[2] http://www.eecs.harvard.edu/~mema/courses/cs264/papers/skype-infocom2006.pdf

Regards,
Oleg Kolesnikov

-----Original Message-----
From: ROB DIXON [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 17, 2006 11:06 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Skype & IPS vendor claims

Has anyone tried to connect and run Ethereal to see where it is connecting? Does it change every time? Unless the client updates its connection info every time, in preparation for the next login, wouldn't the client always connect to the same host name or IP for the initial login? Does Skype own a block of public IPs? Block em all :-)

I may be off track here. My wife tells me that all the time ;-)

Robert L. Dixon, C|HFI
State of West Virginia's West Virginia Office of Technology
Infrastructure Applications
Netware/GroupWise Administrator
Telephone: (304)-558-5472 ex.4225
------------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

>>> Vladimir Parkhaev <[EMAIL PROTECTED]> >>>
Quoting Matt Jonkman ([EMAIL PROTECTED]):
> What these vendors may be doing is trying to block access to centralized
> login or directory servers by known IP ranges... I don't know if that'll
> be completely effective.
>

If I understand the protocol correctly, central servers are contacted only on a first run (after install). I(D|P)S systems can have sigs with IP addresses of those servers, but if user X installs Skype client on his corp. laptop at home... it doesn't help much.

--
.signature: No such file or directory

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
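
The two signatures mentioned in the message above (the UDP length/u32 rule and the TCP byte prefix), written as an offline check over raw IPv4 packets. This is an added example, not part of the original thread or of any vendor's product; the function names and the sample packets are constructed here, and reading "--length 39" as the IPv4 total length is an assumption.

```python
import struct
from typing import Optional

TCP_PREFIX = bytes([0x17, 0x03, 0x01, 0x00])  # byte prefix quoted in the post

def u32_test(pkt: bytes, start: int, mask: int, value: int) -> bool:
    # iptables u32 semantics: read 4 bytes (big-endian) at `start`, counted
    # from the first byte of the IP header, AND with mask, compare to value.
    if start + 4 > len(pkt):
        return False
    return struct.unpack_from("!I", pkt, start)[0] & mask == value

def classify(pkt: bytes) -> Optional[str]:
    # Returns 'udp-nack', 'tcp-prefix' or None for one raw IPv4 packet.
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    proto = pkt[9]
    if proto == 17:
        # Assumption: 39 = IPv4 total length (20 IP + 8 UDP + 11 payload).
        # Offsets 27 and 31 are fixed, so the rule assumes no IP options.
        if (total_len == 39 and u32_test(pkt, 27, 0x8F, 7)
                and u32_test(pkt, 31, 0xFFFFFFFF, 0x01020304)):
            return "udp-nack"
    elif proto == 6 and len(pkt) >= ihl + 20:
        data_off = (pkt[ihl + 12] >> 4) * 4
        # Caveat: 17 03 01 is also a TLS 1.0 application-data record header,
        # so ordinary TLS records under 256 bytes share this prefix.
        if pkt[ihl + data_off:total_len].startswith(TCP_PREFIX):
            return "tcp-prefix"
    return None

# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4(proto: int, l4: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + l4
def udp(payload: bytes) -> bytes:
    return ipv4(17, struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0) + payload)
def tcp(payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return ipv4(6, hdr + payload)

NACK_LIKE = udp(b"\xab\xcd\x37\x01\x02\x03\x04\x00\x00\x00\x00")  # 0x37 & 0x8f == 7
OTHER_UDP = udp(b"\xab\xcd\x02\x01\x02\x03\x04\x00\x00\x00\x00")  # type byte differs
PREFIXED = tcp(TCP_PREFIX + b"\x20" + bytes(32))
TLS_HELLO = tcp(b"\x16\x03\x01\x00\x2f" + bytes(47))  # handshake record, no match

if __name__ == "__main__":
    print([classify(p) for p in (NACK_LIKE, OTHER_UDP, PREFIXED, TLS_HELLO)])
```
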
