Think Skype traffic is easily detectable? No it's not, expert tester says

ExtremeVoIP gave Art Reisman this weighty Sherlock Holmesian assignment: try to get under the hood of Skype and see how easy it is to detect and block. Or not.

Chief Technical Officer of APConnections (known for their NetEqualizer packet-shaper products), Reisman came more than qualified for the assignment.

But guess what. He came away with the sense that Skype traffic is more difficult to block and detect than Skype's many detractors think it is.

Let's visit each of Art's points. I will indent his findings, and outdent my comments.

Skype calls are not self-evident from the detected stream. 

    Skype calls appear to talk point-to-point when a call is finally set up and active. This activity I can see by setting up Skype calls in my laboratory. Of course I know beforehand what the two endpoints are, and therefore I can see the Skype traffic whizzing by on my sniffer. However, when examining the stream I failed to see any human discernible call set up, so without prior knowledge of a call being made I could never be certain if what I was seeing was a Skype call.

Next, Art says that Skype's apparently distributed topology masks key factors such as who has set up the Skype call.

    Skype setup appears to take place with a common broker, however the set up appears to have no intelligible human readable pattern. The setup portion of a Skype appears as just garbled goop. It appears that Skype uses a distributed topology where calls are set up from a number of various ever-changing brokers. If Skype used a common broker I could learn the IP address of that broker and hence I would know anybody talking to it is setting up a Skype call. But without a well known common broker, there is no generic way I can look for contact to a broker.

The mystery deepens. Art's not sure if the provisions he's described, as well as their effects, are deliberate or just a by-product of Skype's topology and design.

    To date all my common tricks for determining VOIP traffic on the Internet have been thwarted by the Skype designers. I have no idea if this result was a deliberate attempt to thwart detection or just an unintended side effect of their design.

Art then signs off with what reads like a wish for someone at, or very close to, Skype to clue us in on what's really going on here.

    Perhaps a reader with inside knowledge will step forward and answer this and other questions. For now I have plenty on my plate, so I'll leave the mystery of Skype detection to my contemporaries.

Hey, let me broaden the circle here. Do you think Art's on to something? 
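
Reisman's broker argument, worked through as an added example (not code from the article or from APConnections): take lab calls whose endpoints are known, intersect the remote addresses seen during setup, and use whatever survives as a signature on unlabelled traffic. A fixed broker yields a usable signature; ever-changing brokers yield none. All addresses and session records are constructed, and the function names are hypothetical.

```python
# Added illustration. Every address and session below is constructed
# (documentation ranges), not captured Skype traffic.

def learn_common_brokers(lab_sessions):
    """Return remote IPs contacted during setup in *every* known lab call."""
    peer_sets = [set(s["setup_peers"]) for s in lab_sessions]
    return set.intersection(*peer_sets) if peer_sets else set()

def flag_hosts(flows, brokers):
    """Return local hosts seen talking to any learned broker address."""
    return sorted({src for src, dst in flows if dst in brokers})

# Case 1: hypothetical design with one well-known broker.
FIXED_BROKER_CALLS = [
    {"call": 1, "setup_peers": ["198.51.100.10", "203.0.113.5"]},
    {"call": 2, "setup_peers": ["198.51.100.10", "203.0.113.77"]},
    {"call": 3, "setup_peers": ["198.51.100.10"]},
]

# Case 2: brokers differ from call to call, as described in the article.
ROTATING_BROKER_CALLS = [
    {"call": 1, "setup_peers": ["203.0.113.5", "203.0.113.9"]},
    {"call": 2, "setup_peers": ["203.0.113.77", "203.0.113.140"]},
    {"call": 3, "setup_peers": ["203.0.113.200", "203.0.113.9"]},
]

# Unlabelled production flows as (local source, remote destination).
FLOWS = [
    ("192.0.2.21", "198.51.100.10"),
    ("192.0.2.22", "203.0.113.200"),
    ("192.0.2.23", "198.51.100.10"),
    ("192.0.2.24", "203.0.113.9"),
]

def run():
    """Learn a signature from each lab set and apply it to FLOWS."""
    result = {}
    for name, calls in (("fixed", FIXED_BROKER_CALLS),
                        ("rotating", ROTATING_BROKER_CALLS)):
        brokers = learn_common_brokers(calls)
        result[name] = (sorted(brokers), flag_hosts(FLOWS, brokers))
    return result

if __name__ == "__main__":
    for name, (brokers, hosts) in run().items():
        print(f"{name}: brokers={brokers} flagged={hosts}")
```

In the rotating case the intersection is empty, so nothing is flagged even though two of the sample flows reach addresses that did act as brokers in individual lab calls.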

 


Talkback

4 comments
  • No problem

    Be an FBI agent with a subpoena, and the magic back door opens . . .
    Roger Ramjet
    • Wrong

      Even the FBI can't effectively grab a hold of IP traffic when it is constantly changing. The diff between what the FBI would be up to and what he's doing is trying to track the pattern of use... not the current endpoints.

      Unfortunately, since brokers constantly change, there is no way to track pattern of use unless you know to look for it beforehand.

      I'm actually building a peer to peer web app that does continuous broker negotiation just like Kazaa and Skype.

      Like this, it can't be effectively blocked when the data has been encrypted (that's the key, actually).
      kckn4fun
  • Hasn't it already been reverse engineered?

    Not sure if this presentation from Black Hat is still relevant, but it did outline ideas for detecting and possibly neutering Skype traffic:

    http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
    http://www.secdev.org/conf/skype_BHEU06.handout.pdf
    jls_z
  • skype blocking software under opensource?

    There is some open-source Skype blocking solution which claims to be universal. It seems to imply that you can detect any kind of Skype traffic, SkypeOut, SkypeIn, etc. independently. It's pretty interesting, check there http://www.lynanda.com/products/software-for-corporations/traffic-filtering/lynanda-skype-filter
    It would be nice if other people could provide their opinion on such software.
    ergfopenbpoea