I have not really been around much at home the last few weeks, but I have been on test equipment for my Internet at home with Andrews and Arnold. Today while running through some tests with them I noticed a lot of traffic on my Internet line. Instantly flipping into the mode of “I must sort this” I started searching for clues about what’s going on with the traffic.
I closed all the connections I had open between home and work, and opened a fresh connection and started scanning the traffic, this was around 100 different IP’s all trying to talk to a single IP on my network. However, this was around 10AM, and the system in question (a laptop) had not even been at the house since around 8AM. knowing this, I started to scan the office network, and had the same traffic going to the same machine. This told me I had a machine that was part of a bot-net, so started searching for clue’s on the system without it connected to the network.
3 different virus scanners and 4 malware scanners later I was still scratching my head, and these had taken around 5 hours to complete. so I enabled some more network monitoring, and started monitoring traffic on the laptop at the same time, plugged in the network cable. Instantly all the traffic started again, and this time I had flags to tell me what programs were using this traffic on the system, which told me it was Skype. Closing skype, the traffic all went away.
I hunted around the internet for a short while, and there were not many clues as to a rogue skype client and after to a couple of people I found out that this is by design. Skype talks to everyone it possibly can, and peers calls through other people too. Skype then, have created a very large P2P network, saving them money on servers and bandwidth. Good for them…. maybe….
If you try and block Skype from accessing the Internet, it will use port 80 (HTTP) and 443 (HTTPS) – you can’t block these, as then you can’t browse the Internet. so there’s no real way of blocking Skype, short of blocking everything, or removing it from the system. So here’s where I’m at; Skype will gain access to the Internet by whatever means necessary (RFC2549?) it communicates with every possible other Skype client it can find, and is controlled at a central location (server). for those that don’t know – This is exactly the behaviour of a Bot-net.
some security implications;- this is where it gets slightly fun. Lets say you have Skype, and you wish to call your mum for a chat. Because of the way the system is designed, if there is a blockage on a direct route, it will peer through someone else (each sending and out-going connection to the Peer) let’s say I’m this Peer (and no, I don’t keep disconnecting your session – that’s another peer). So now you’re talking to your mum, and everything seems fine. But with the right software on my system, I can capture the packets that Skype is sending (which I did earlier today) I can then inject those packets into another application, and make it give me the audio from those packets, so I can listen to your conversation. I also have the IP Address of your system, and I have the IP Address of your mums system. I can now start scanning your system(s) to gain access to them, maybe there is a way to make a Skype client that will give me forced entry into your system if you try and peer through me, injecting your system with more virus’s. (This would require deep packet injection, and Skype should be protected against this – but who knows.)
The other issue, at least for me, is I am on a bandwidth limited network, Mostly through choice, I’m not a heavy bandwidth user, but I want lots of specific features. so people making calls through my network uses my bandwidth, which I’m then charged for.
Skype however has no way of turning this option off, it has a (hidden) way of turning it off being a Super-node, this doesn’t eliminate all the traffic, only some of it. and don’t think you’ll be OK because you have NAT – you’re not, and it might be harder to monitor where it’s going from & to.
At 2PM The traffic was still on-going at home. That’s 6 hours after the machine was removed from the network. so my ISP has now blocked all traffic coming to me on that IP Address (I have 30 Routable IP Address’s, and no NAT) I have bodged my DHCP Server to not give that IP to any systems on my network. and I will release all this in 2 days. I’m not talking a trickle of traffic, there was around 20KB/s, which might not sound a lot, but it soon adds up.
The Conclusion here, is Skype has been written to act in the same way that a virus / bot-net works. Will I ever use it again? no. and I will block all traffic to anyone’s laptop if they try and use it on any of the networks I manage. So if you’re coming over anytime soon, and want to have Internet access for more than a few minutes, I suggest removing Skype before connecting to my network. :-)