How to drop or block Skype connections with your gateway firewall

Written by Gionatan Danti. Posted in Howto

The key: blocking Skype authentication

We said that blocking a P2P protocol can be difficult, and this is very true. Fortunately, many P2P protocols rely on an initial login and/or peer discovery phase that uses a predefined list of servers. If we can identify and drop traffic to these initial, predefined peers, we can prevent the application from connecting to the network.

Skype is no exception. While it is true that data flow in a Skype chat/call is a client-to-client affair, the login system is, for obvious reasons, a centralized one. If we are able to block Skype logins, we can effectively deny any Skype use. So, how can we discover the hosts used for authentication? The answer is simple: with the help of tools such as tcpdump or Wireshark, we can see what is happening at the IP level. So, if we force Skype to use all its authentication methods (by means of a first drop-all rule), we can log which hosts it is using and then deny traffic to these specific hosts.

A Wireshark screenshot showing the first, UDP based Skype connection attempt

Using this procedure shows that:

  • when contacting centralized hosts for authentication purposes, Skype does not issue any DNS requests, so these IP addresses should be written directly inside the Skype code / configuration; 
  • at first, Skype attempts to authenticate to specific hosts via UDP packets with high destination ports; 
  • if this fails (e.g. because UDP packets are dropped by a firewall), it tries a similar approach with high TCP ports; 
  • if this also fails, it tries an HTTPS connection to these hosts. 
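The logging step of this procedure can be automated. The following is an added example, not code from the original article: it parses netfilter LOG lines written by a logging rule placed before the drop-all rule and groups the destinations a Skype-only test client tried by fallback stage. The log prefix, client address, destination addresses, ports and the 1024 "high port" threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG output (not captured traffic). The
# "SKYPE-TEST:" prefix, the test client 192.168.1.50 and all destinations
# (RFC 5737 documentation addresses) and ports are made up for illustration.
SAMPLE_LOG = """\
Jul 23 14:20:01 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=46 TTL=63 PROTO=UDP SPT=51234 DPT=40012 LEN=26
Jul 23 14:20:02 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.11 LEN=46 TTL=63 PROTO=UDP SPT=51234 DPT=40012 LEN=26
Jul 23 14:20:03 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Jul 23 14:20:09 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=40110 DPT=40012 SYN
Jul 23 14:20:15 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 TTL=63 PROTO=TCP SPT=40111 DPT=443 SYN
Jul 23 14:20:16 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.12 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=443 SYN
Jul 23 14:20:20 gw kernel: SKYPE-TEST: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
"""

HIGH_PORT = 1024  # assumption: the article gives no threshold for "high" ports
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def classify(proto, dport):
    """Map one dropped packet to the fallback stage described in the list above."""
    if proto == "UDP" and dport >= HIGH_PORT:
        return "udp-high"
    if proto == "TCP" and dport == 443:
        return "https"
    if proto == "TCP" and dport >= HIGH_PORT:
        return "tcp-high"
    return "other"

def hosts_by_stage(log_text, client, prefix="SKYPE-TEST:"):
    """Return {stage: sorted destinations} for one client, stages in first-seen order."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        f = dict(FIELD.findall(line))
        if f.get("SRC") != client or "DPT" not in f:  # other hosts, portless ICMP
            continue
        stages[classify(f["PROTO"], int(f["DPT"]))].add(f["DST"])
    return {stage: sorted(hosts) for stage, hosts in stages.items()}

def deny_candidates(stages):
    """Union of destinations seen in the three stages; review before denying."""
    wanted = ("udp-high", "tcp-high", "https")
    return sorted({h for s in wanted for h in stages.get(s, [])})

if __name__ == "__main__":
    result = hosts_by_stage(SAMPLE_LOG, "192.168.1.50")
    for stage, hosts in result.items():
        print(stage, hosts)
    print("deny candidates:", deny_candidates(result))
```

Run the capture from a test client with no other network applications open, otherwise unrelated destinations end up among the candidates.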

It is quite easy to neutralize the first two attempts: blocking high UDP ports is generally possible without too much fear of false positives, while TCP blocking, albeit a more delicate matter, remains a manageable approach.

However, HTTPS blocking is more difficult: as many services are HTTPS-based today, you have to choose between blocking all HTTPS connections and then managing a fairly large whitelist, or generally allowing HTTPS while specifically blacklisting Skype hosts. While the first approach can be the preferred one for a number of reasons, for many system administrators it isn't a viable choice.

Having learned a little about how Skype works, we now understand how it can be blocked. The next page will show how to block Skype connections.

Comments   

 
#1 Akiv 2013-07-23 14:24
This was very helpful. I had to add some more IP ranges tracked through the firewall. So far seems good.
 
 
#2 Gionatan Danti 2013-07-23 14:41
I'm glad to know that my suggestion worked for you :)

If you want, you can suggest to us (via this comment system) the additional tracked IP ranges.

Thanks.
 
 
#3 Daniel 2013-10-14 21:42
This article here summarizes and quickly explains (what this article explains in detail)

Scroll to the bottom of the first page for instructions on how to do this!

http://forums.anandtech.com/showpost.php?p=35604779&postcount=11
 
 
#4 Yvonne 2015-05-22 15:27
Appreciate presenting this to everyone.
 
 
#5 Randy 2016-05-04 23:57
How do I block mobile devices from using Skype? This method only works for laptops and desktops. My iPhone and iPad with the Skype App work with this in effect.
 
