The key: blocking Skype authentication

We said that blocking a P2P protocol can be difficult, and this is very true. Fortunately, many P2P protocols rely on an initial login and/or peer-discovery phase that uses a predefined list of servers. If we can identify and drop these initial, predefined peers, we can prevent the application from connecting to the network.

Skype is no exception. While it is true that the data flow in a Skype chat/call is a client-to-client affair, the login system is, for obvious reasons, a centralized one. If we are able to block Skype logins, we can effectively deny any Skype use. So, how can we discover the hosts used for authentication? The answer is simple: with the help of tools such as tcpdump or Wireshark, we can see what is happening at the IP level. So, if we force Skype to use all its authentication methods (by means of an initial drop-all rule), we can log which hosts it is contacting and then deny traffic to these specific hosts.

A Wireshark screenshot showing the first, UDP based Skype connection attempt

Using this procedure shows that:

  • when contacting centralized hosts for authentication purposes, Skype does not issue any DNS requests, so these IP addresses must be written directly inside the Skype code / configuration; 
  • at first, Skype attempts to authenticate to specific hosts via UDP packets with high destination ports; 
  • if this fails (e.g. because UDP packets are dropped by a firewall), it tries a similar approach with high TCP ports; 
  • if this also fails, it tries an HTTPS connection to these hosts. 

It is quite easy to neutralize the first two attempts: blocking high UDP ports is generally possible without too much fear of false positives, while TCP blocking, albeit a more delicate matter, remains a manageable approach.

However, HTTPS blocking is more difficult: as many services are HTTPS-based today, you have to choose between blocking any HTTPS connection and then managing a fairly large whitelist, or generally allowing HTTPS but specifically blacklisting the Skype hosts. While the first approach may be the preferable one for a number of reasons, for many system admins it isn't a viable choice.
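The discovery procedure above (drop everything, capture, read off the destination hosts, then deny just those hosts) can be automated once the capture is on disk. The following script is an added example and is not part of the original article: it parses the text output of `tcpdump -n` (the `-n` flag keeps the capture free of reverse-DNS noise), sorts each connection attempt into the three phases described above (UDP high port, TCP high port, HTTPS), lists the DNS queries seen so the "no DNS lookup" observation can be checked, and emits one per-host `iptables` DROP rule for the blacklist approach. The capture lines, the addresses (RFC 5737 documentation ranges) and the use of the `FORWARD` chain on a gateway are all constructed assumptions, not values from the article.

```python
"""Classify login attempts in `tcpdump -n` output and derive a per-host deny list.

Added example (not from the original article). Assumptions: the capture was taken
on the gateway with a drop-all rule in place, tcpdump was run with -n, and the
sample below is constructed to mirror the three phases the article describes.
"""
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output: UDP to a high port first, then TCP
# to the same high port, then HTTPS (443). 192.0.2.80:80 and the DNS query are
# unrelated traffic included to show they are left out of the deny list.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.0.0.5.54321 > 198.51.100.10.33033: UDP, length 18
12:00:01.500000 IP 10.0.0.5.54321 > 203.0.113.20.33033: UDP, length 18
12:00:02.000000 IP 10.0.0.5.54322 > 198.51.100.10.33033: UDP, length 18
12:00:06.000000 IP 10.0.0.5.44000 > 198.51.100.10.33033: Flags [S], seq 1, win 64240, length 0
12:00:06.200000 IP 10.0.0.5.44001 > 203.0.113.20.33033: Flags [S], seq 1, win 64240, length 0
12:00:11.000000 IP 10.0.0.5.44002 > 198.51.100.10.443: Flags [S], seq 2, win 64240, length 0
12:00:11.300000 IP 10.0.0.5.44003 > 203.0.113.20.443: Flags [S], seq 2, win 64240, length 0
12:00:12.000000 IP 10.0.0.5.44004 > 192.0.2.80.80: Flags [S], seq 3, win 64240, length 0
12:00:13.000000 IP 10.0.0.5.53111 > 10.0.0.1.53: 1234+ A? example.net. (29)
"""

# One tcpdump line: timestamp, "IP", src.sport > dst.dport: rest-of-line
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"\bA\? (\S+)")

LOGIN_PHASES = ("udp-high", "tcp-high", "https")


def classify(proto, dport):
    """Map (protocol, destination port) onto the phases the article describes."""
    if proto == "tcp" and dport == 443:
        return "https"
    if dport >= 1024:
        return f"{proto}-high"
    return "other"


def parse_capture(text):
    """Turn tcpdump text output into a list of records with a phase label."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner lines, truncated lines, etc.
        rest = m.group("rest")
        # tcpdump prints "Flags [...]" for TCP; UDP payloads (including DNS) do not.
        proto = "tcp" if rest.startswith("Flags [") else "udp"
        dport = int(m.group("dport"))
        records.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "proto": proto, "dport": dport, "rest": rest,
            "phase": classify(proto, dport),
        })
    return records


def phase_sequence(records):
    """Login phases in first-seen order; should read udp-high, tcp-high, https."""
    seen = {}
    for r in records:
        if r["phase"] in LOGIN_PHASES:
            seen.setdefault(r["phase"], True)
    return list(seen)


def login_hosts(records):
    """Destination addresses contacted during any of the three login phases."""
    return {r["dst"] for r in records if r["phase"] in LOGIN_PHASES}


def dns_queries(records):
    """Names queried in the capture, to confirm the login hosts were never resolved."""
    return [m.group(1) for r in records for m in [DNS_QUERY_RE.search(r["rest"])] if m]


def deny_rules(hosts, chain="FORWARD"):
    """One iptables DROP rule per discovered host (blacklist approach)."""
    return [f"iptables -A {chain} -d {h} -j DROP" for h in sorted(hosts)]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("phases seen:", phase_sequence(recs))
    print("DNS queries:", dns_queries(recs))
    for rule in deny_rules(login_hosts(recs)):
        print(rule)
```

Run against a real capture, the script is fed `tcpdump -n -i <iface> host <client>` output and the rule list is reviewed by hand before being loaded; the per-host rules also cover the HTTPS phase, which is what makes the blacklist route workable when a general HTTPS block is not an option.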

After learning a little about how Skype works, we understand how to block it. The next page will show how to block Skype connections.