Full Disclosure mailing list archives
Re: Blocking Skype on ISP level
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 04 Apr 2005 14:18:31 +0200
* Jochen Kaiser:
> This can be achieved by using an IDP system and blocking the appropriate p2p protocol (I forgot which one. Overnet?). An IDP is a device which works with signatures as known from IDS systems, and instead of reporting malicious activity it blocks packets or connections. Therefore it must be placed in your forwarding path.
The latter is not necessary if the targeted application uses TCP connections or similar things which do not cryptographically secure the connection against teardown by suitably spoofed packets. However, my experiments in this area indicate that a lot of clients try to immediately reestablish connections, and bandwidth utilization goes up significantly (although the application does not make forward progress). A compromise would be injection of IGP routes, to just route traffic to suspicious targets through the device. I'm not sure if such products already exist on the market because considerable diligence is required to avoid loops.
> At the moment, there are fast Linux-based appliances which are capable of forwarding a few hundred megabits depending on the ruleset. (It is worth mentioning that the bandwidth is not the problem here, but that you will get jitter and delays by using a forwarding device in software where ASICs/FPGAs should be used. So for an ISP who shall grant best quality for all customers, the usage of a software-based IDP may not be the appropriate way. For the end customer it may be the right choice.)
Are your lab results available to interested parties? A medium-sized research network is considering the installation of such devices for all of its sites, and it could well be possible to resolve the legal obstacles.
