L7 pattern for Skype
-
Since so many are interested in L7 patterns to identify Skype traffic (some to block it, others to prioritize it), I thought this might be of interest:
A pattern which can be used to identify Skype traffic, from http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf:
The very first UDP packet received by a Skype client will be a NAck
This packet is not crypted
This packet is used to set up the obfuscation layer
Skype can’t communicate on UDP without receiving this one
NAck packet: how does Skype know the public IP?
1 At the beginning, it uses 0.0.0.0
2 Its peer won’t be able to decrypt the message (bad CRC)
3 The peer sends a NAck with the public IP
4 Skype updates what it knows about its public IP accordingly
For more, check http://forum.mikrotik.com/viewtopic.php?f=9&t=45209
-
Hi,
Thanks for the info. I am searching for a good solution to block Skype in our network. I don't understand how to integrate it in L7. Can you help?
Regards, Valle