John Brightwell wrote: > Interesting analysis, clearly it's not as simple as looking for a known dst > port as this might be 80 or 443 but I don't think it would be impossible to > block... > I guess it depends how much reverse engineering the IPS developer has > conducted on Skype - there may be a limited number of login server IP > Addresses to look out for (maybe they maintain a watch for new servers) or > the login signature may be sufficiently unique for that to be blocked (i.e. > challenge response sequence, size of packets, some elements of the payload). > > If you do egress filtering, and the only way Skype can work is by going through your proxies, then you can block it.
As the supernodes Skype is trying to talk to are randomly assigned/change by the hour/etc, it connects to them via IP address instead of DNS name (as end-user supernode in some far-flung country doesn't have a DNS name for his/her DSL router). So if you configure your proxies to *not* proxy connections to IP addresses, then you can break Skype. However, there will be collateral damage, as there are other Web apps that run on raw IP addresses too -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
