Every so often stores pop up about Skype being blocked in some country or the other, with some start-ups bragging how they did this. Now comes word that it is hard to detect Skype-packets. Russell Shaw points to analysis by Art Reisman, CTO of APconnections, a company that specialized in packet shaping technology. Reisman could not detect and block Skype traffic, which is contrary to claims of a Chinese service provider which used Verso’s technology. That claim has been upheld by an an independent agency. Aswath points out that numerous (successful) efforts have been made by others when it comes to identifying and blocking traffic. Last week there was also news of Skype texts being blocked in China, which I am guessing, is a different beast compared to detecting and blocking Skype voice communication packets.
I have personally tested a solution called “GTEN PreVent” ( http://www.gten.com ) which can fully block Skype traffic.
There is some analysis of Skype traffic available online. Two things make Skype block a possibility. First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns. For this you don’t need to know the exact content of the traffic, but you can look for the sequence of bits. The following paper should give enough information to pretty effectively block Skype or at least to make it hard for normal end-users
http://www.cs.columbia.edu/techreports/cucs-039-04.pdf
Skype’s PSTN/mobile interconnects make banning and blocking of content easy, since the PSTN and the mobile network are notoriously insecure. No end to end encryption possible.
The people at U of Columbia have compiled an list of Skype analysis efforts, see http://www1.cs.columbia.edu/~salman/skype/
I find the study called “Skype Uncovered” by D. Fabrice particularly interesting, it even explains how to roll your own Skype client and create a Skype darknet.
Oops, sorry, the “Skype Uncovered” article is an old one. The really cool stuff is in: http://www.secdev.org/conf/skype_BHEU06.handout.pdf
The point isn’t really that it is impossible to block Skype traffic. You can, within a relatively small organizational unit (for example your home, your office or maybe your company). The problem is that if you try to scale that up to do it at the ISP level or country level, it’s pretty difficult because you have to look inside every single packet to look for the tell-tale signs to figure out if it’s a Skype packet or not. That is very processor-intensive and if Skype really wanted, they could make it even harder or maybe impossible. The quick and dirty method is to blackhole the registration servers, but that is only a short-term solution, because registration can be distributed to multiple clients, like everything else in Skype.
“First off, it is possible to block the central registration server of Skype and its supernodes, just blackhole the IP-ranges. A second possibility is to look for distinct traffic patterns.”
Both of these methods have been possible with ancient Skype versions. Recent Skype versions can not be blocked this way.
Antoin:
The author of the report is not talking about practical considerations. He just flat out claims that he can not detect.
He said he can’t detect it straightforwardly, but he doesn’t say flat-out that he definitely wouldn’t be able to detect it. According to the other research cited above, the signalling packets are just obfuscated, not really encrypted. He could look inside ’em if he really tried.
I think you are being charitable in your interpretation and I am being literal. Yes, the tile says that it will not be easy, but look at the text:
1. “… he tried — and failed — to detect and block traffic from Skype…”
2. “I have feigned a few efforts at blocking Skype only to retreat to fight another day after being soundly defeated.”
3. “However, when examining the stream I failed to see any human discernible call set up, so without prior knowledge of a call being made I could never be certain if what I was seeing was a Skype call.”
4. “The setup portion of a Skype appears as just garbled goop.”
If the author intended to put ease of detection as a condition, I would think some of the phrases would have been used differently.
Oh, well. It looks like Skype stealth will get into folklore, just as its NAT Traversal technique was/is considered to be unique (even though for the most part it was using widely used techniques).
But we should all step back, look at skype and say ‘wow’ now and again. I know I do. I grant you, there’s no one thing in it that is extraordinary in itself – decent voice compression – peer-to-peer – tunnelling over HTTP – NAT traversal – a decent user interface -. What’s amazing is that they’ve put it together in one package so beautifully, in a relatively short time. Skype made all this theoretical computer science was made available to the Internet surfer on the local wave in a simple pakage.
I think it is the number-one software achievement of this decade (and I’m sure I’ll regret having said that).
Now this is totally different. I do not have to say “wow”; let n million subscribers do that. But at least one person should challenge a claim that seems not to have been throughly researched. That is the original intent of this thread; greatness of Skype as an application was not.
Instead of concentrating on a single application (Skype) and trying to identify and block that traffic, you could apply a blanket solution that kills VoIP automatically.
Our telco incumbent does this for its DSL customers through:
There are also rumours that said telco is queueing up IP packets, keeping the sequential order but transmitting them at random intervals within a one-second period (so as not to break the specification). No-one’s been able to prove that yet though.
Thanks to the above, Skype is almost unusable on the incumbent’s DSL.
Aswath: fair enough, but hey, it’s the weekend.
Juha: it sounds like those guys have got it sorted. Screw up absolutely everything and Skype won’t work, brilliant. The only problem is that the rest of the service must be pretty crappy too. How can they go out and sell a service like that with a straight face?
Off-topic again but here’s my reason for the day why I think operators shouldn’t block skype. Skype Video. Maybe this is old news, I just tried it for the first time this week – it’s really great, but it is a little bandwidth intensive. I think that Skype video will create massive demand for symmetric high-bandwidth services. If the telcos have any vision, they will make a fortune out of people who want to have many high-quality video calls open at the same time. Your videoconf capability will be a sign of your wealth, the way your water supply was in roman times, or the depth of your carpet in the eighties.
Antoin: if you have a privatised monopoly, un-regulated despite over a decade of concern about the competition and competitivness being munted, why would you worry about the service sold being crap? That’s all there is. What are customers going to do? Use something else that… isn’t there?
It’s labelled as a “best-effort service” with zilch guarantees. The CIR is 24kbit/s per user and month. No comeback for customers legally either. So you pays yer dues and you gets whatever the incumbent feels like giving you.
What kind of bandwidth does Skype Video use? Not got around to trying it yet.
Can Skype be blocked?
http://peerwatch.witao.com/archives/24
From my experience, the technical answer to Can Skype Be Blocked? Maybe, Maybe Not is Definitely YES!
Generally, Skype traffic won’t be blocked by any China carrier at all. At least China Telecom HQ won’t make this silly decision. As far as what I know, what Verso and other Skype blockers’ China Telecom customers are just some small local telecom service providers and they get the chance to do some testing in the Lab by some ’guanxi’ in private. Verso magnified what they were doing in China for a wonderful PR and after all the testing result was quite poor. China Telecom is undeserved in Verso case.
China Telecom get its own strategy on information highway and VOIP, say Biz Navigate brand platform etc.
It’s seems pretty easy to block Skype these days. A company called Lynanda even provides an opensource software to block Skype and P2P on corporate networks or ISPs.
I tested the product and it works perfectly, telling you if people are doing skype2skype, skypeout or SIP, duration of calls, etc.
Check the software there:
http://www.lynanda.com/products/software-for-corporations/traffic-filtering/how-to-use-our-traffic-analyzer
Maybe it’s the end of skype now 🙁
Well, actually I can identify skype TCP and UDP packets of all types with a negligible processing overhead, good enough even for the largest ISPs. The question is, how much are they willing to pay for it?
first of all it is impossible to lose the f-35 they should make a new high tech machine to win the bottle