Hi,

I am not sure if this is the correct destination for this email question, so if not, please can someone direct me to the correct mailing list / user.

I need to detect Skype traffic using (I think it can be done) IP2P on a RH Linux 2.4.20 kernel as well as the later Fedora platforms. We have built it into our kernel, but are looking for some help in the matching parameters for Skype in particular.

Can anyone help me with anything to do with Skype and IP2P detection patterns?

Thanks
Gary
--
On Monday 25 April 2005 15:08, Gary Smith wrote:
> I need to detect Skype traffic using (I think it can be done) IP2P.

What's IP2P?

I only know IPP2P, and I can't find anything about Skype on the official homepage (www.ipp2p.org). It's only for P2P filesharing networks. Maybe you could test Skype support of l7-filter and give the authors some feedback (http://l7-filter.sourceforge.net/protocols lists Skype as supported, but untested).

HTH
Andreas
I don't think Skype works very well with any of these. I have tried the l7-filter pattern, with no luck. Apparently, the big problem is that Skype traffic is encrypted, and so it is not possible to match it using fixed patterns. In some cases, it is possible to block Skype, as the existing pattern seems to match an important, but not yet encrypted packet. Shaping is however not possible, as the matched packet makes up very little of the traffic.

-justin

Andreas Klauer wrote:
> On Monday 25 April 2005 15:08, Gary Smith wrote:
>> I need to detect Skype traffic using (I think it can be done) IP2P.
>
> What's IP2P?
>
> I only know IPP2P, and I can't find anything about Skype on the official
> homepage (www.ipp2p.org). It's only for P2P filesharing networks. Maybe
> you could test Skype support of l7-filter and give the authors some
> feedback (http://l7-filter.sourceforge.net/protocols lists Skype as
> supported, but untested).
>
> HTH
> Andreas
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
On Monday 25 April 2005 16:33, Justin Schoeman wrote:
> In some cases, it is possible to block Skype, as the existing pattern
> seems to match an important, but not yet encrypted packet.

Okay. That's details about the protocol I have no clue about. If only one packet can be matched, I'd probably try to squeeze as much information out of this one as possible (source and destination address or whatever can be obtained) and then shape using these criteria. If you're lucky, you know this stuff beforehand, and can use static shaping/filter rules for that, otherwise you'll have to whip up a more dynamic solution.

HTH
Andreas
Sorry, it is IPP2P. I see the L7-filter looks like it might suit my needs a lot better. I have received a number of replies on my original request - all very useful. I have an open question with the IPP2P people over Skype and hope they get back to me. I read somewhere it can be used for detecting Skype, but I am trying to find confirmation. I will go dig into the L7-filter stuff and see how I get on.

Thanks
Gary Smith

Andreas Klauer wrote:
> On Monday 25 April 2005 15:08, Gary Smith wrote:
>> I need to detect Skype traffic using (I think it can be done) IP2P.
>
> What's IP2P?
>
> I only know IPP2P, and I can't find anything about Skype on the official
> homepage (www.ipp2p.org). It's only for P2P filesharing networks. Maybe
> you could test Skype support of l7-filter and give the authors some
> feedback (http://l7-filter.sourceforge.net/protocols lists Skype as
> supported, but untested).
>
> HTH
> Andreas
After doing some reading (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) it looks like the only easy way to detect and stop Skype communications is through the connection to the Skype login server, and to treat the traffic coming from that host as if it is Skype traffic.

If you are wanting to classify Skype traffic I'm not sure how to help. However, if you are just wanting to prevent Skype from being able to communicate on your network you may be able to look for the traffic that the Skype client sends to the Skype login server as it tries to log in to the Skype network. I have a feeling that if you DROPed this traffic the Skype client would not be able to communicate with the Skype network and thus block this traffic. Anything beyond this is going to be extremely difficult to block, as Skype is a generationally enhanced protocol from the developers of Kazaa and thus going to be very hard to stop. IMHO Skype will make blocking Yahoo Instant Messenger look easy. This is very scary to me, a network administrator. :(

I have a feeling the real way to deal with this will be to write a Skype client that will connect to the network and find as many Skype Super Nodes as it can, and add the IPs of the SNs as well as the corresponding port (as it is possibly dynamic) to an IPSet via an external program. Unfortunately this is something that will have to be maintained via a cron job or something else and thus not easy.

I have a feeling that we are going to see more and more things like this on the net as more and more people are trying to fight security, thus we SAs have to work harder and harder. If you try to make the world more idiot proof the universe will build a better idiot. The universe is winning.

Grant. . . .

Andreas Klauer wrote:
> Okay. That's details about the protocol I have no clue about. If only one
> packet can be matched, I'd probably try to squeeze as much information out
> of this one as possible (source and destination address or whatever can be
> obtained) and then shape using this criteria. If you're lucky, you know
> this stuff beforehand, and can use static shaping/filter rules for that,
> otherwise you'll have to whip up a more dynamic solution.
Hi.

Taylor, Grant wrote:
> I have a feeling the real way to deal with this will be to write a
> Skype client that will connect to the network and find as many Skype
> Super Nodes as it can and add the IPs of the SNs as well as the
> corresponding port (as it is possibly dynamic) and add them to an
> IPSet via an external program.

Good idea, but there is a problem: Skype uses a proprietary and closed protocol. This makes it hard to come up with a modified client like the one you've described, as long as you are not experienced with reverse engineering.

Bye, Mike
> Good idea, but there is a problem: Skype uses a proprietary and closed
> protocol. This makes it hard to come up with a modified client like the
> one you've described, as long as you are not experienced with reverse
> engineering.

I never said that it would be easy. It's just a proposed idea. I'm thinking I'm going to have to do something similar to this with Yahoo IM.

Grant. . . .
Thanks everyone who is participating in this discussion, as it has thrown up some interesting points and some quite scary ones....

The easiest (if there is one) way to do this might be to snoop the traffic from a client as it logs on and try to classify that. I did make a feeble attempt to block this by snooping the login process and trying to block the IPs that the client tried to authenticate with, but after about 30, I realized I did not know how long the piece of string was and gave up. I will need to look into the Ethereal howto and see what I can find, unless anyone else has done this and had any form of success!!

Regarding Yahoo Messenger, I have not looked at this for a while. As I understood, it used a single outgoing port and if blocked - end of Yahoo.... Or has this changed since I last looked?

Thanks for now.
Gary
-

Taylor, Grant wrote:
> After doing some reading
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf)
> it looks like the only easy way to detect and stop Skype communications
> is through the connection to the Skype login server and treat the traffic
> coming from that host as if it is Skype traffic. If you are wanting to
> classify Skype traffic I'm not sure how to help. However if you are
> just wanting to prevent Skype from being able to communicate on your
> network you may be able to look for the traffic that the Skype client
> sends to the Skype Login Server as it tries to login to the Skype
> network. I have a feeling that if you DROPed this traffic the Skype
> client would not be able to communicate with the Skype network and thus
> block this traffic. Anything beyond this is going to be extremely
> difficult to block as Skype is a generational enhanced protocol from the
> developers of Kazaa and thus going to be very hard to stop. IMHO Skype
> will make blocking Yahoo Instant Messenger look easy. This is very
> scary to me, a network administrator. :(
>
> I have a feeling the real way to deal with this will be to write a
> Skype client that will connect to the network and find as many Skype
> Super Nodes as it can and add the IPs of the SNs as well as the
> corresponding port (as it is possibly dynamic) and add them to an
> IPSet via an external program. Unfortunately this is something that
> will have to be maintained via a cron job or something else and thus
> not easy. I have a feeling that we are going to see more and more
> things like this on the net as more and more people are trying to
> fight security thus we SAs have to work harder and harder. If you try
> to make the world more idiot proof the universe will build a better
> idiot. The universe is winning.
>
> Grant. . . .
>
> Andreas Klauer wrote:
>> Okay. That's details about the protocol I have no clue about. If only
>> one packet can be matched, I'd probably try to squeeze as much
>> information out of this one as possible (source and destination
>> address or whatever can be obtained) and then shape using this
>> criteria. If you're lucky, you know this stuff beforehand, and can use
>> static shaping/filter rules for that, otherwise you'll have to whip up
>> a more dynamic solution.
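Grant's idea of feeding Super Node addresses into an IPSet from an external program, and Gary's attempt at snooping a login and blocking the addresses the client contacted, come down to the same mechanical step: turn a list of observed remote endpoints into a set that a firewall rule can match, and refresh that set without leaving the rule matching a half-built set in between. The Python script below is an added example, not code from the thread or from any of its posters, and it does not identify Skype traffic itself (that is still the open problem above). It reads a constructed tcpdump-style text capture whose addresses and ports are documentation-range placeholders rather than real service nodes, collects every destination outside the local prefix as (protocol, address, port), and emits ipset commands that fill a temporary set and swap it in atomically. The ipset syntax assumed (`create`, `add`, `swap`, `destroy`) is that of ipset 6.x, which postdates this 2005 thread; the set name `skype_nodes` and the local prefix `192.168.1.` are assumptions.

```python
from __future__ import annotations
import re

# Constructed tcpdump-style lines, as if captured on the gateway while one
# client on the LAN logged in. Addresses are documentation ranges (RFC 5737),
# not real service nodes.
SAMPLE_CAPTURE = """\
12:01:03.112 IP 192.168.1.20.1050 > 203.0.113.7.33033: UDP, length 18
12:01:03.115 IP 192.168.1.20.1051 > 203.0.113.7.33033: UDP, length 18
12:01:03.220 IP 192.168.1.20.1052 > 198.51.100.44.80: Flags [S], seq 1, win 65535, length 0
12:01:03.400 IP 192.168.1.20.1053 > 198.51.100.9.443: Flags [S], seq 2, win 65535, length 0
12:01:04.010 IP 203.0.113.7.33033 > 192.168.1.20.1050: UDP, length 11
12:01:05.300 IP 192.168.1.20.1054 > 192.168.1.1.53: 1234+ A? example.org. (29)
"""

# "IP a.b.c.d.sport > e.f.g.h.dport: rest" as printed by tcpdump -n
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def remote_endpoints(capture: str, local_prefix: str) -> set[tuple[str, str, int]]:
    """Collect (proto, ip, port) for every destination outside local_prefix.

    Inbound packets and LAN-internal traffic (the DNS line) are skipped; TCP is
    recognised by tcpdump's "Flags [" decoration, anything else is taken as UDP.
    """
    found: set[tuple[str, str, int]] = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst").startswith(local_prefix):
            continue
        proto = "tcp" if "Flags [" in m.group("rest") else "udp"
        found.add((proto, m.group("dst"), int(m.group("dport"))))
    return found


def ipset_commands(endpoints: set[tuple[str, str, int]],
                   setname: str = "skype_nodes") -> list[str]:
    """Commands that rebuild SETNAME via a temporary set and an atomic swap.

    A rule referencing SETNAME therefore never matches a half-filled set while
    the cron job runs. ipset 6.x syntax is assumed; the tool current in 2005
    used different commands.
    """
    tmp = f"{setname}_tmp"
    cmds = [
        f"ipset create {setname} hash:ip,port -exist",
        f"ipset create {tmp} hash:ip,port -exist",
        f"ipset flush {tmp}",
    ]
    for proto, ip, port in sorted(endpoints):
        cmds.append(f"ipset add {tmp} {ip},{proto}:{port}")
    cmds.append(f"ipset swap {tmp} {setname}")
    cmds.append(f"ipset destroy {tmp}")
    return cmds


if __name__ == "__main__":
    # Run from cron: pipe the output to "sh" once the commands look right.
    for cmd in ipset_commands(remote_endpoints(SAMPLE_CAPTURE, "192.168.1.")):
        print(cmd)
```

A matching rule would then be along the lines of `iptables -A FORWARD -m set --match-set skype_nodes dst,dst -j DROP` (assumed syntax, not taken from the thread). Re-running this from cron only ever records what has already been seen, so Gary's "how long is the piece of string" problem is unchanged; the swap only guarantees that a rebuild never leaves a window in which the rule matches nothing.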
> Regarding yahoo messenger, I have not looked at this for a while. As I
> understood, it used a single outgoing port and if blocked - end of
> yahoo.... Or has this changed since I last looked?

This must have changed, as Yahoo will try to connect to 4 different servers on 8 different ports for basic IM use. If you want to use other features like the webcam, file sharing, or voice chat there are different servers and different ports that your client will connect to. Take a look at http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you want to see Yahoo's definition of what the client does.

I wrote a RegEx of the various host names that Yahoo will connect to:

    ((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com

If I could implement a match in DNS for this RegEx I would do so to prevent computers on my networks from finding things.

Grant. . . .
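The pattern in the message above is written in a shorthand that no regex engine accepts as-is: `(0-99)` and `(a-z)` are meant as ranges, `(|a-z)` as an optional letter, and the dots are unescaped. The Python below is an added example, not Grant's code, that rewrites the same shorthand as a real regular expression and runs it over a few constructed DNS query log lines in a BIND-style layout, which is the "match in DNS" he describes. The hostnames in the sample follow his pattern and are constructed for illustration, not a verified list of Yahoo hosts; the log layout and the client addresses are assumptions.

```python
from __future__ import annotations
import re

# Grant's shorthand:
#   ((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com
# Rewritten as a real regex: "(|a-z)" -> an optional letter, "(0-99)" -> one or
# two digits, "(a-z|0-99)" -> a letter or one or two digits, dots escaped, and
# anchored so "webcam.yahoo.com.attacker.example" does not match.
YAHOO_IM_HOST = re.compile(
    r"^(?:"
    r"(?:scs[a-z]?|filetransfer)\.msg"
    r"|v\d{1,2}\.(?:vc|vip)\.sc(?:[a-z]|\d{1,2})"
    r"|webcam"
    r")\.yahoo\.com$",
    re.IGNORECASE,
)


def is_yahoo_im_host(name: str) -> bool:
    """True if a queried name matches the IM / voice / webcam host pattern."""
    return YAHOO_IM_HOST.match(name.rstrip(".")) is not None


# Constructed query-log lines (BIND-style "client addr#port: query: name IN type").
SAMPLE_QUERY_LOG = """\
client 192.168.1.20#1034: query: scsa.msg.yahoo.com IN A
client 192.168.1.20#1035: query: v23.vip.sc5.yahoo.com IN A
client 192.168.1.21#1036: query: webcam.yahoo.com IN A
client 192.168.1.21#1037: query: www.yahoo.com IN A
client 192.168.1.22#1038: query: filetransfer.msg.yahoo.com IN A
client 192.168.1.22#1039: query: mail.example.net IN MX
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def flagged_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client, name) for every query whose name matches the pattern."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_yahoo_im_host(m.group("name")):
            hits.append((m.group("client"), m.group("name")))
    return hits


if __name__ == "__main__":
    for client, name in flagged_queries(SAMPLE_QUERY_LOG):
        print(f"{client} -> {name}")
```

A name-based block only works for clients that resolve through your own server; a client with a hard-coded address or an external resolver never triggers it, so it belongs alongside a rule that forces port 53 through the local resolver.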
Taylor, Grant wrote:
>> Regarding yahoo messenger, I have not looked at this for a while. As I
>> understood, it used a single outgoing port and if blocked - end of
>> yahoo.... Or has this changed since I last looked?
>
> This must have changed as Yahoo will try to connect 4 different servers
> on 8 different ports for basic IM use. If you want to use other
> features like the webcam, file sharing, or voice chat there are
> different servers and different ports that your client will connect to.
> Take a look at
> http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
> want to see Yahoo's definition of what the client does. I wrote a RegEx
> of the various host names that Yahoo will connect to,
> "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
> If I could implement a match in DNS for this RegEx I would do so to
> prevent computers on my networks from finding things.

What fun it must be being a netadmin - what don't you want to block? By which I mean, wouldn't it be easier to block everything and run squid/mail server.

Andy.
Andy Furniss wrote:
> Taylor, Grant wrote:
>>> Regarding yahoo messenger, I have not looked at this for a while. As I
>>> understood, it used a single outgoing port and if blocked - end of
>>> yahoo.... Or has this changed since I last looked?
>>
>> This must have changed as Yahoo will try to connect 4 different servers
>> on 8 different ports for basic IM use. If you want to use other
>> features like the webcam, file sharing, or voice chat there are
>> different servers and different ports that your client will connect to.
>> Take a look at
>> http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
>> want to see Yahoo's definition of what the client does. I wrote a RegEx
>> of the various host names that Yahoo will connect to,
>> "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
>> If I could implement a match in DNS for this RegEx I would do so to
>> prevent computers on my networks from finding things.
>
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
>
> Andy.

Yes, I too have been reading these things asking myself why one would allow users such open access. One reason, of course, is that it is difficult to allow some HTTP but not other, so if the port is 80, it pretty much has to be OK. So how would squid (or anything else except perhaps Level 7) know that this particular connection is A Bad Thing?

I have been successful at limiting the number of FTP connections per user using iptables' connlimit and helper. That's where I'd start. And if three turned out to be too many, I'd reduce connlimit to 2 for HTTP and 1 for FTP.

    # Per-source connection cap: packets of a 4th concurrent connection from
    # the same address are dropped before the state match can accept them.
    iptables -N HTTP
    iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
    iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A HTTP -j RETURN
    # Web traffic in both directions. Note that in the --sport 80 direction
    # the source is the server, so there the limit is counted per server
    # address rather than per client.
    iptables -A FORWARD -p tcp --dport 80 -j HTTP
    iptables -A FORWARD -p tcp --sport 80 -j HTTP
    # FTP data connections, as tracked by the ftp conntrack helper
    iptables -A FORWARD -m helper --helper ftp -j HTTP

In conjunction with my ACL (posted here a while back; it limits specific users to specific ports), the above would not be total deny, but it sure would put a dent in abuse.

gypsy
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.

Yes, it *IS* *MUCH* easier to block everything and only allow out the traffic that you want. Unfortunately *MANY* of my clients will not let me do that, as they don't see any security problem(s) in what they presently have. It is my job (consultant) to enlighten my clients to the potential problems that do exist and to prevent / fix them to the best of my ability on their networks.

I am a Consultant / Systems Administrator for a small company with many clients (circa 50) with an email user base of something around 300 on my main mail server (mostly my clients' email). I have to run my network at the office and the networks at my clients. I have anything ranging from DOS 6.22 & 98 clients on Novell NetWare 4.11 IPX / IP networks, to M$ Windows 2000 with 2k and XP clients, to unix networks. I get the gauntlet and thus have to deal with a LOT of crap.

Grant. . . .
> Yes, I too have been reading these things asking myself why one would
> allow users such open access. One reason, of course, is that it is
> difficult to allow some http but not other, so if the port is 80, it
> pretty much has to be OK. So how would squid (or anything else except
> perhaps Level 7) know that this particular connection is A Bad Thing?

One word, er name, Squid (Caching Proxy). Squid is *WONDERFUL*. Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get down Squid's syntax. I can easily define an ACL as such:

    # deny every request whose destination is the domain or any subdomain of it
    acl my_acl_name dstdomain .domain_I_dont_like.tld
    http_access deny my_acl_name

Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols. These are just some of the benefits of using an application layer gateway.

> I have been successful at limiting the number of FTP connections per
> user using iptables' connlimit and helper. That's where I'd start. And
> if three turned out to be too many, I'd reduce connlimit to 2 for HTTP
> and 1 for FTP.
> iptables -N HTTP
> iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
> iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A HTTP -j RETURN

If the traffic that you are trying to connlimit is internal to your LAN I would recommend that you REJECT the traffic, as this will prevent the client user agents from having to time out.

> iptables -A FORWARD -p tcp --dport 80 -j HTTP
> iptables -A FORWARD -p tcp --sport 80 -j HTTP
> iptables -A FORWARD -m helper --helper ftp -j HTTP
>
> In conjunction with my ACL (posted here a while back; it limits specific
> users to specific ports), the above would not be total deny, but it sure
> would put a dent in abuse.

Grant. . . .
Hi Guys,

Apologies for the off-topic question here. I have been trying to find out if it's possible to zero the counters in the ifconfig listing per interface on a Linux box. I have read that this can only be done if you pull down the interface, unload the driver and reload. Can I make a request to someone either writing the kernel or maybe the driver developers for the LAN cards to make this available for debugging purposes? I find it frustrating when I am trying to monitor collisions/errors etc. from the command line on remote systems without interfering with the interface. I guess my question is who should I ask (wish list) for this: kernel developers or the driver writers for the associated LAN card?

BTW: I have been following the Skype pattern threads and will be testing shortly once my colleague gets an iptables built and working.

Gary