50 Comments
- Tricky, on 10/12/2007, -11/+60: O RLY?
- deadbaby, on 10/12/2007, -0/+25: I don't think it was intended to be groundbreaking news but rather informational and educational to networking novices.
- sockpuppets, on 10/12/2007, -2/+23: My firewall is square, should I be concerned?
- radu79, on 10/12/2007, -0/+16: It would be kind of pointless to buy a cable modem if you have DSL..
- alexvalentine, on 10/12/2007, -0/+14: There is absolutely nothing new about this technique, there are many applications which use it, but keep in mind that it involves a third party, i.e. a central server.
- Buelldozer, on 10/12/2007, -1/+14: Agreed, this article is mostly hype. The technique is nothing new or overly clever. Skype can also be stopped by any firewall admin with half a clue.
- mikev, on 10/12/2007, -2/+14: I use a brick one
- Johnyp, on 10/12/2007, -1/+13: There is nothing unusual in this setup. It is not a nightmare for any network admin worth his salt since any traffic can be blocked if that's the goal. The idea with UDP is nice, but not new or special - this schema has been around for a while and it's nothing to write home about.
- Takteek, on 10/12/2007, -0/+11: @ramtech
Except then the network would have to have a central server run by the company, and it would most likely get shut down. =(
Good idea in theory though...
- PaulOwen, on 10/12/2007, -0/+9: There is a persistent rumour that Skype is difficult to block on a network.
It isn't, despite the NAT traversal methods it uses.
If you have strict egress filtering rules, you can block the SSL CONNECT method because Skype doesn't use fully qualified domain names to establish SSL connections. Really quite simple.
http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html
Alternatively, you can simply block the process name on the connecting computer. Again, really quite simple.
- Ramtech, on 10/12/2007, -3/+11: They should do this with Bearshare, Limewire, and utorrent... :)
- deadbaby, on 10/12/2007, -0/+6: There is actually a UDP torrent tracker out there already. Dunno if anyone uses it or not...
http://en.wikipedia.org/wiki/UDP_tracker
- ArielMT, on 10/12/2007, -3/+9: My problem is that my out-in-the-boonies DSL provider sold me a modem/NAT-router which routinely dies any time a STUN connection is attempted. It dies hard; the device must be power cycled in order to get connectivity back.
Oddly, while it dies consistently the instant SIP is attempted, it handles Skype just fine.
The modem brand, if anyone's interested in what to fear your DSL provider offering, is VisionNet by DQ Technologies, Inc.
- Poco, on 10/12/2007, -2/+7: This is nothing new. This has been done for years by other software and games to connect peer-to-peer through a firewall. There is nothing "scary" about this since both clients must be running the software to do this. This won't happen without your consent (consent being given when you run the software).
This is based on how firewalls work and there is no "hole" other than the one that each user creates themselves. This is like saying that a web site is punching a hole in your firewall to get its content to your browser. No, your browser is punching a hole in your firewall to allow the web site content to come back, just as described in the article.
The hard part is getting through the Port Address Translator if the router changes the ports from connection to connection (it must translate the port if you have multiple internal machines sharing one external IP so that multiple machines inside your LAN can use the same outgoing port). It gets more complicated if Alice's data comes from different ports each time it connects to a different machine.
- 3Den, on 10/12/2007, -0/+4: Two unrelated issues here.
From a corporate network point of view, yes, us admins can control who can do what on the company's internet connection. There are various reasons why this may or may not be important to any given organization.
This article, though, and the concept behind it have *nothing* at all to do with getting around corporate security.
This technique is not about getting around intentional firewall restrictions, but about dealing with the unfortunate situation where communications could work easily except that both parties are firewalled. If either party was in the open, there would be no issue.
- randomc0de, on 10/12/2007, -2/+5: In theory, and well-thought out practice, everything. A competent admin can completely block traffic other than http/https going over port 80. It's not too hard to limit only whitelisted pages too. The problem is 90% of consumers buy a router that says "built in firewall" on the box and assume they're secure. NAT'ting is not firewalling. It acts in a similar manner but NAT acts like a firewall because it's a poorly thought through system, not because it was meant to secure anything.
A decent article, but not much help if you already knew how this stuff works. The UDP thing is a bit creative though.
- spudge, on 10/12/2007, -0/+3: I have two issues with this article.
1) Pretty much anything can be done through HTTP now anyway, though sacrificing a lot of speed, and requiring an external dedicated server.
2) The article states that "UDP is not required for normal internet communication anyway - the web, e-mail and suchlike all use TCP", yet the DNS protocol uses UDP, and without DNS the web becomes worthless. Granted, usually the NAT handles the DNS, but still that comment should be qualified. And it does limit those computers that want to use their own list of DNS servers.
- wadexyz, on 10/12/2007, -2/+5: Despite the negative comments from the usual anals.....this article achieves its goal of explaining this peer-to-peer technique to non-geeks, and is well done.
- Markie1006, on 10/12/2007, -0/+3: In certain industries (financial for instance) all conversations have to be recorded whether it is IM, email or voice.
Your Skype would be an unrecorded conversation from within the company - that is against the regulations and could bring heavy fines to the company for letting it happen.
- rkuchiki, on 10/12/2007, -1/+3: Now can someone explain why the Skype application runs a daemon on port 80?
- alen3K, on 10/12/2007, -3/+5: Read the comments on /. to see why they can't.
- Outdoor83, on 10/12/2007, -0/+2: Anyone looking for a really easy way to get NAT punching without any real work on your part? Windows SP1 w/Advanced Networking Pack, Windows SP2, Vista, and any Linux / BSD so configured can use Teredo (Miredo in *nix land), published in RFC4380 and this informative website:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx
- UltimaNut, on 10/12/2007, -0/+1: ...it didn't need the alarmist title though.
- h0dg3s, on 10/12/2007, -0/+1: Probably because port 80 is always open or else you wouldn't be on the internet? It has to listen somewhere.
- digid, on 10/12/2007, -1/+2: you can read about this technique more at:
http://en.wikipedia.org/wiki/UDP_hole_punching
http://en.wikipedia.org/wiki/STUN
http://www.newport-networks.com/whitepapers/nat-traversal3.html
- Xisting, on 10/12/2007, -5/+6: How dare you heathens bury such an awesomely obscure reference to Multiplicity!
- tempusrob, on 10/12/2007, -1/+2: "what do some admins care if someone is talking to a friend on the phone?"
Because if you want to talk to your friend on the phone, use your goddamn cell. That bandwidth is there for business.
/yes, I'm a sysadmin
//not a BOFH, but c'mon...
- inactive, on 10/12/2007, -0/+1: Hamachi uses the same technique to punch firewalls
- netferret, on 10/12/2007, -0/+1: if someone wanted to block it that much I'm sure you could get some DPI (Deep Packet Inspection) hardware.
- bugsy187, on 10/12/2007, -0/+1: I'm glad someone appreciated the comment, Xisting. ;)
- ArielMT, on 10/12/2007, -0/+1: Aye, that it would. Besides, the nearest Office Depot is more than 110 miles away.
- icheyne, on 10/12/2007, -0/+1: The Security Now podcast explained NAT Traversal better than this.
http://media.grc.com/sn/SN-042.mp3
http://www.grc.com/sn/SN-042.htm
- GoldYoshi, on 10/12/2007, -1/+2: I think they do this with all of those, Ramtech. It's always worked for me on all of those without forwarding anything...
- radu79, on 10/12/2007, -2/+2: Most do (but usually not for file transfer).
- smitting, on 10/12/2007, -2/+3: the headline made it sound like this was a big problem, but this seems perfectly reasonable to me. Two computers both requesting to talk to each other, and the firewall lets it through. Doesn't make intruders or worms able to do any extra damage, they'd have to already be inside the network to use the technique.
- chryse, on 10/12/2007, -0/+0: it is a very common protocol so they have high hopes it will be open on a firewall, you can disable this behavior in a setting in Skype, it is enabled by default of course and has bothered me once or twice when starting IIS or Apache, so disable it if it is bugging you.
- narzy, on 10/12/2007, -2/+1: I can configure a Cisco PIX firewall in 5 lines to make Skype history without affecting network performance and not touching other network services. It's all about the right hardware and education.
"Skype is what makes a BAD firewall admin's nightmare come true"
- botmfeedr, on 10/12/2007, -1/+1: Some admins appreciate this like Commvault.
- inactive, on 10/12/2007, -5/+4: a more important question is, what do some admins care if someone is talking to a friend on the phone? what's so fundamentally "unsecure" and bandwidth heavy in communicating over the internet. what's so amazingly "secure" and "normal" about 'web' to be allowed and not services like netphones.
- Tyseyh, on 10/12/2007, -3/+1: Oo interesting, wish I understood most of it :P
- dkoolaid, on 10/12/2007, -3/+1: now why can't some IM clients do this.
- jffotooz, on 10/12/2007, -3/+0: I'm sure this has been mentioned but is this really a story? And is that really a security company....anything can be blocked...if you allow a service out, you are also allowing that service back in.... By their theory - web browsing does the same thing - I make my allowed outbound connection and I get data back...WOW...
Any real firewall admin doesn't allow all outbound traffic...
- alen3K, on 10/12/2007, -7/+4: Since when is Defender also called a firewall?
- Urusai, on 10/12/2007, -8/+4: Yah, any real sysadmin blocks everything except port 80, and drops every other packet on that just to be sure.
- daldredge, on 10/12/2007, -7/+2: When you grow up you will understand.
- bugsy187, on 10/12/2007, -11/+5: I got a wallet, Steve.
- Settra, on 10/12/2007, -14/+7: NO WAI
- cosequin, on 10/12/2007, -12/+1: you can buy a cable modem at Office Depot etc..., just check with the cable company.
- livestradamus, on 10/12/2007, -12/+2: WORD
- Four20, on 10/12/2007, -25/+4: does anyone else see this turning into a new target for hackers, and then in a year or two script kiddies
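The port-translation problem Poco raises above (and the "idea with UDP" Johnyp mentions), as an added example that is not part of the thread and is not Skype's or anyone's real code: a Python model of two peers behind NATs punching a UDP hole through a rendezvous server, run once with ordinary port-restricted NATs and once where one side allocates a fresh external port for every destination. Server and peer addresses are constructed placeholders.

```python
# Added example, not from the Digg thread: a toy model of UDP hole punching.
# Both NATs only admit an inbound packet if the internal host has already sent
# to that exact remote IP:port (port-restricted filtering). A "symmetric" NAT
# additionally picks a fresh external port for every new destination, which is
# the case Poco describes. All IPs and ports are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)  # internal (or internal,dst) -> ext port
    allowed: set = field(default_factory=set)    # (ext_port, remote (ip, port)) pinholes

    def outbound(self, internal, dst):
        """Translate an outbound packet; returns the external (ip, port) it leaves from."""
        key = (internal, dst) if self.symmetric else internal
        if key not in self.mapping:            # first packet for this key: allocate a port
            self.mapping[key] = self.next_port
            self.next_port += 1
        ext_port = self.mapping[key]
        self.allowed.add((ext_port, dst))      # replies from dst to ext_port may come in
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """Would a packet from src aimed at ext_port be forwarded to the inside host?"""
        return (ext_port, src) in self.allowed


def hole_punch(nat_a, nat_b):
    """Rendezvous-assisted punching; returns (alice_reaches_bob, bob_reaches_alice)."""
    server = ("203.0.113.10", 3478)                        # constructed rendezvous server
    alice, bob = ("192.168.1.2", 5000), ("10.0.0.2", 5000)  # constructed internal peers
    # 1. Both peers send to the server, which learns their external addresses.
    a_ext = nat_a.outbound(alice, server)
    b_ext = nat_b.outbound(bob, server)
    # 2. The server relays those addresses; each peer sends a UDP packet to the other.
    #    That outbound packet is what opens the pinhole for the peer's reply.
    a_src = nat_a.outbound(alice, b_ext)
    b_src = nat_b.outbound(bob, a_ext)
    # 3. Check whether each packet is admitted by the far NAT. A symmetric NAT used a
    #    different port in step 2 than the one the server reported, so neither side's
    #    pinhole matches the packet that actually arrives and the punch fails.
    return nat_b.inbound(a_src, b_ext[1]), nat_a.inbound(b_src, a_ext[1])
```

Calling `hole_punch(Nat("198.51.100.1"), Nat("198.51.100.2"))` succeeds in both directions, while making either side `symmetric=True` fails both ways, which is why such setups fall back to a relay.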