
April 20th, 2006

Think Skype traffic is easily detectable? No it's not, expert tester says

Posted by Russell Shaw @ 12:49 am

Categories: General, Security, Skype


ExtremeVoIP gave Art Reisman this weighty Sherlock Holmesian assignment: try to get under the hood of Skype and see how easy it is to detect and block. Or not.

Chief Technical Officer of APConnections (known for their NetEqualizer packet-shaper products), Reisman came more than qualified for the assignment.

But guess what. He came away with the sense that Skype traffic is more difficult to block and detect than Skype’s many detractors think it is.

Let’s visit each of Art’s points. I will indent his findings, and outdent my comments.

Skype calls are not self-evident from the detected stream. 

    Skype calls appear to talk point-to-point when a call is finally set up and active. This activity I can see by setting up Skype calls in my laboratory. Of course I know beforehand what the two endpoints are, and therefore I can see the Skype traffic whizzing by on my sniffer. However, when examining the stream I failed to see any human discernible call set up, so without prior knowledge of a call being made I could never be certain if what I was seeing was a Skype call.

Next, Art says that Skype’s apparently distributed topology masks key factors such as who has set up the Skype call.

    Skype setup appears to take place with a common broker, however the set up appears to have no intelligible human readable pattern. The setup portion of a Skype appears as just garbled goop. It appears that Skype uses a distributed topology where calls are set up from a number of various ever-changing brokers. If Skype used a common broker I could learn the IP address of that broker and hence I would know anybody talking to it is setting up a Skype call. But without a well-known common broker, there is no generic way I can look for contact to a broker.

The mystery deepens. Art’s not sure if the provisions he’s described, as well as their effects, are deliberate or just a by-product of Skype’s topology and design.

    To date all my common tricks for determining VOIP traffic on the Internet have been thwarted by the Skype designers. I have no idea if this result was a deliberate attempt to thwart detection or just an unintended side effect of their design.

Art then signs off with what reads like a wish for someone at, or very close to, Skype to clue us in on what’s really going on here.

    Perhaps a reader with inside knowledge will step forward and answer this and other questions. For now I have plenty on my plate, so I’ll leave the mystery of Skype detection to my contemporaries.

Hey, let me broaden the circle here. Do you think Art’s on to something? 

 

Russell Shaw is an enterprise computing journalist, analyst and author based in Portland, Oregon. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 4 Talkback(s)
skype blocking software under opensource?
there is some opensource skype blocking solution which claims to be universal. It seems to imply that you can detect any kind of skype traffic, skypeout, skypein, etc. independently. It's pretty inter... (Read the rest)
Posted by: ergfopenbpoea Posted on: 12/28/06