Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

How To Block Skype

Fri Dec 10, 2004 2:13 pm

Skype will try to use random ports >1000 first, then port 80 (http), then port 443 (https).

I know of no firewall rule that will match Skype traffic, not even P2P-all works. So here is another way.

1. Use the firewall to close all unused outgoing ports.

2. Set up an http proxy to prevent port 80 from being abused.

3. You will still have port 443 open, if you need to access secure web pages (https).
So how do you block Skype from using port 443?

Skype needs 20kbps+ of continuous bandwidth to support a VoIP call.

Use a mangle rule to mark all port 443 traffic.
Example:
ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 dst-address=:443 protocol=tcp action=accept mark-flow=Port 443

Use a queue tree to allow traffic per user to burst for only 15 seconds on port 443. https web access on port 443 will still work OK, but Skype calls will cut out after the 15 seconds of burst time.

Example:
queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue1" parent=ether1 flow=Port 443 limit-at=0
queue=ethernet-default priority=8 max-limit=1000 burst-limit=100000
burst-threshold=6000 burst-time=15

If you do not want to proxy on port 80 you can also use the burst method; however, any http file transfer will also cut out at the burst timer limit.
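The burst mechanism behind the queue above, as an added simulation that is not from this post or from RouterOS itself: it models the documented RouterOS burst rule (the queue's average rate over the last burst-time seconds is compared with burst-threshold; below it the queue may send at burst-limit, above it max-limit applies) using one-second sampling, which is an assumption, and replays a short HTTPS page fetch and a constant 20 kbps call through the queue values quoted in the post.

```python
"""Model of a RouterOS-style burst queue (added example, not from the thread).

RouterOS burst averages a queue's actual rate over the last burst-time
seconds.  While that average stays below burst-threshold the queue may
send at burst-limit; once it rises above, max-limit applies.  One-second
sampling is a simplification of the real 1/16-of-burst-time sampling.
Rates are bits per second, as in the thread's queue output.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BurstQueue:
    max_limit: int        # bps allowed once the burst is exhausted
    burst_limit: int      # bps allowed while bursting
    burst_threshold: int  # average-rate ceiling that keeps the burst alive
    burst_time: int       # seconds over which the average rate is computed


def shape(queue: BurstQueue, offered: List[int]) -> List[int]:
    """Return the per-second rate actually sent for an offered-rate profile."""
    # Sliding window of what was really sent in the last burst_time seconds.
    window = deque([0] * queue.burst_time, maxlen=queue.burst_time)
    sent: List[int] = []
    for rate in offered:
        average = sum(window) / queue.burst_time
        allowed = queue.burst_limit if average < queue.burst_threshold else queue.max_limit
        actual = min(rate, allowed)
        sent.append(actual)
        window.append(actual)  # the average is over what was sent, not offered
    return sent


def seconds_until_throttled(queue: BurstQueue, offered: List[int]) -> Optional[int]:
    """Index of the first second in which the stream got less than it offered."""
    for i, (want, got) in enumerate(zip(offered, shape(queue, offered))):
        if got < want:
            return i
    return None


def usable_seconds(queue: BurstQueue, offered: List[int]) -> int:
    """Number of seconds in which the stream received everything it offered."""
    return sum(1 for want, got in zip(offered, shape(queue, offered)) if got >= want)


# Values quoted in the post's "queue tree> print" output.
THREAD_QUEUE = BurstQueue(max_limit=1000, burst_limit=100000,
                          burst_threshold=6000, burst_time=15)

# Constructed traffic profiles (bps offered in each second).
HTTPS_PAGE = [40000, 40000] + [0] * 13   # a 10 KB page fetched over 2 s, then idle
VOIP_CALL = [20000] * 60                  # 20 kbps+ sustained for a 60-second call


if __name__ == "__main__":
    print("https page:", shape(THREAD_QUEUE, HTTPS_PAGE)[:2])
    print("voip call :", shape(THREAD_QUEUE, VOIP_CALL)[:24])
    print("call throttled after", seconds_until_throttled(THREAD_QUEUE, VOIP_CALL), "s;",
          usable_seconds(THREAD_QUEUE, VOIP_CALL), "of 60 s at full rate")
```

The same model can be rerun with other limit-at/burst values to see how much of a call survives before settling on a policy.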
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Dec 10, 2004 2:22 pm

why on earth would anybody want to block skype? it's like trying to kill public television. skype is a good thing :)
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Fri Dec 10, 2004 2:53 pm

That's an easy one to answer.

Cost of providing an Internet connection via satellite is up to $10,000 per month for 1Mbps.
If everyone on that link uses skype then you will need 10 times this.

Now imagine you are in Africa and satellite is the only connection available, and you can only just find the monthly fee.

Just because you have access to a network, it doesn't follow that the bandwidth is all yours.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Dec 10, 2004 3:01 pm

ok, good enough.

p.s.: it's hard for me to imagine this situation when at my house this morning, i saw an advert offering 100Mbits for ~ 12$ a month with no limitations whatsoever :D
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Sat Dec 11, 2004 12:12 pm

I could block Skype on ports 80 and 443 if I could set firewall rules to only allow http or https on these ports. Anyone know how to match only these protocols on the firewall?

Another way to stop Skype would be on packet length (Skype packets are unusual lengths). I can do this with Cisco, but the function seems absent on RouterOS. Any ideas?
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Sun Dec 12, 2004 8:34 am

> I saw an advert offering 100Mbits for ~ 12$ a month with no limitations whatsoever

yeah, but this is for sure NOT GUARANTEED speed, not mentioning overseas connectivity - nobody's gonna sell you 100Mbit for $12. Local traffic? Yes, could be possible, shared bandwidth with 1000 of other users, because nobody will fully utilize 100Mbit. Also, how do you want to transfer that bandwidth? There has to be fiber to your house... and that's expensive. Etc, etc.

I just wanted to say that you are not going to transfer 100Mbit/sec / 8 = 12.5MB/sec * 3600 second * 24 hours * 31 days = 33480000 MB/month = 33480 GB / month = 33.5TB/month for $12.

Marketing, you know.

bye, mp3turbo.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 13, 2004 10:13 am

> yeah, but this is for sure NOT GUARANTEED speed, not mentioning overseas connectivity - nobody's gonna sell you 100Mbit for $12. Local traffic? Yes, could be possible, shared bandwidth with 1000 of other users, because nobody will fully utilize 100Mbit. Also, how do you want to transfer that bandwidth? There has to be fiber to your house... and that's expensive. Etc, etc.

yes, local latvian traffic. and it mostly is close to this speed (i know some people who have these kinds of links). yes optic fibre to a house, and a 100mbit hub there.
 
stephenpatrick
Forum Veteran
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Mon Dec 13, 2004 12:33 pm

Well that makes our "broadband" cable and DSL in the UK look rather slow!

Sounds like these 100Mbit connections need a test: Normis, how about some Mikrotik boxes with you and a neighbour, run "bandwidth test" between them?

Couldn't resist asking ...
and would love to know if people really have such fast services.

Regards
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 13, 2004 2:56 pm

this is going off topic :)

i can download 700Mb from an FTP server in about 3-5 minutes if I'm lucky. This also of course depends on what connection is on the other side etc. Well in latvia normal average download speed for anything, anywhere in latvia, is like 200-400KB/s (it's like that for anyone, nothing special). connection to outside of latvia is 512Kb/s for me (depends on ISP)
 
mp3turbo2
Member Candidate
Posts: 196
Joined: Wed Jun 02, 2004 9:15 am

Tue Dec 14, 2004 1:40 pm

> connection to outside of latvia is 512Kb/s for me (depends on ISP)

this is what you get for $12. Compare that to 1.5Mbit/s or slightly faster cable modems for $40/month - it is the same offer.

Once again : local, country, traffic is unlimited as there are local NIX/SIX/xIX internet exchange peering centers. That's it.

Don't expect miracle for $12. Just marketing.
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Dec 14, 2004 2:01 pm

I have 2Mb/s guaranteed global traffic for $15/month :)
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Tue Dec 14, 2004 2:40 pm

OK guys, we can do it the short way:
How much room have you left at home for server racks ;)
 
rpingar
Long time Member
Posts: 593
Joined: Fri May 28, 2004 2:46 pm
Location: Italy

Tue Dec 14, 2004 11:19 pm

In Italy you should pay 1200EUR/month for 2mbit/s guaranteed.
:cry: :cry: :cry:
 
stephenpatrick
Forum Veteran
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Wed Dec 15, 2004 12:29 am

Ouch!
that's a lot of money -
You should definitely use MT radios or FSO wherever you can.

Stephen
 
hci
Long time Member
Posts: 674
Joined: Fri May 28, 2004 5:10 pm

Wed Dec 15, 2004 2:12 am

> Cost of providing an Internet connection via satellite is up to $10,000 per month for 1Mbps.
> If everyone on that link uses skype then you will need 10 times this.

Can't you just bill by the Gigabyte? It's the fairest way to everyone, especially when the bandwidth is that expensive in that area.

Matt
 
ofasa
Member Candidate
Posts: 102
Joined: Tue Jul 20, 2004 11:42 pm

Wed Dec 15, 2004 5:48 pm

> > Cost of providing an Internet connection via satellite is up to $10,000 per month for 1Mbps.
> > If everyone on that link uses skype then you will need 10 times this.
>
> Can't you just bill by the Gigabyte? It's the fairest way to everyone, especially when the bandwidth is that expensive in that area.
>
> Matt

Or you could use a linux box with layer 7 filtering - http://l7-filter.sourceforge.net.

(Would be nice to see this in MT, be good for VOIP QOS!)
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Sat Dec 18, 2004 2:40 pm

Almost back on topic at last!

Yes, billing by the GB is also an option, but there is also a question of QoS.
Satellite bandwidth is typically very asymmetric. The in-routes (traffic coming back to the internet) are usually a small 20% of the out-route size (download). Sometimes this may be just 64 or 128kbps shared with several sites. This is sufficient for 100's of users who only want to browse and do a bit of e-mail (the Internet's main two applications). However, one Skype user can block an entire in-route for the duration of the call, plus Skype has all that chatty stuff going on even when a call is not in progress. The in-routes could be upgraded to say 512kbps per site CIR. But the cost of providing this satellite bandwidth 24/7: you can't buy satellite capacity by the GB (i.e. just pay for the bandwidth you use during the call), you have to buy transponder bandwidth month by month or year by year. This costs about $5000 per month per MHz and you need around 1.3 MHz per Mbps in each direction. Plus you would have to upgrade the satellite equipment; this also costs $1000's. Many remote communities in remote rural locations just could not afford the extra cost. So there is a choice. Nothing at all, or Internet and e-mail, but without unregulated VoIP. I think Skype are being very irresponsible in launching a free application with no simple way for network administrators to block it. Not all network operators are bad or greedy; they are simply trying to provide the best possible service to their customers at a reasonable cost, a cost that the customer can afford. Remember that Skype are in it for the money too, and by launching an application that is designed to evade control and regulation they will deprive many people in developing countries of low cost internet access. There are many places in the world where fiber and ADSL are yet to reach; in these locations the raw cost of internet access is 1000’s or 10,000’s of times more expensive. One hour of Skype = 35,000 text e-mails or 9 days surfing.

So if you know ways to BLOCK SKYPE, please share them with this forum; you will be helping people in parts of the world where bandwidth is still very expensive. People who will have their human rights and opportunities in life improved and enriched by simple low cost access to the Internet. Skype actually works against their interests.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sat Dec 18, 2004 6:20 pm

> I think Skype are being very irresponsible in launching a free application with no simple way for network administrators to block it. Not all network operators are bad or greedy; they are simply trying to provide the best possible service to their customers at a reasonable cost, a cost that the customer can afford. Remember that Skype are in it for the money too, and by launching an application that is designed to evade control and regulation they will deprive many people in developing countries of low cost internet access. There are many places in the world where fiber and ADSL are yet to reach, In these locations the raw cost of internet access is 1000’s or 10,000’s of times more expensive. One hour of Skype = 35,000 text e-mails or 9 days surfing.

Why not use wireless 900Mhz/2.4Ghz/5.8Ghz? It's easy to deploy, no infrastructure costs except at broadcast points and the CPE equipment is fairly cheap, and if you could get access to any kind of bandwidth it would be far superior to satellite, but if it's like you say and satellite's the only possible bandwidth, then you could use satellite as your backhaul and do traffic shaping before it hits your backhaul link.

In my experience Skype uses ~30kbps on average while in a call and very minimal 0.5kbps ~ 5kbps when just idle. It's not a bandwidth "hungry" application, and when they built Skype one of their goals, continuing goals I might add, is to evade firewalls so Skype can be set up with little to no configuration. Skype uses a dynamic port for incoming connections and if it cannot connect on that port it will default to port 80. So the only possible way to attempt to block this application is to rip apart the packets to look at the Application level headers to find out what application the packet originated from. Someone mentioned a Layer7 Filtering program that would probably be worth looking into.

Like you said satellite is asymmetrical, it wasn't meant to deliver highspeed broadband access and the latency is terrible. Maybe you should rethink your network infrastructure?
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Sat Dec 18, 2004 7:31 pm

What do you connect your wireless to if you are more than a few 10's of miles from the nearest internet POP?
In very rural areas, the only viable access is via satellite; many people are 100s if not 1000s of miles from fibre. And fibre is only cheap in well connected locations, i.e. more than one provider, such as capital cities in Europe, USA and Asia.

People using Skype or VoIP on a well provisioned wireless network, that's fine, no problem, and yes I can do packet shaping before the satellite, but still the same problem: lots of people wanting to use Skype... limited bandwidth. For example a 128kbps uplink will support 100+ WEB and e-mail users at a cost of a few $10s per month each. But if two of those users were to try and use Skype, then the network will become congested and unusable.

You must realise that many countries don't even have access to fibre for their capital cities! Let alone some remote village.

BTW,
Satellites are very effective for all communications (if expensive). IP (Internet) works very well if you have the right equipment, and know what you are doing.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sun Dec 19, 2004 9:48 am

I'd set up a VERY conservative shaping policy for outgoing bandwidth. For all applications, not just Skype. If you only have 128kbps available for uploads then I'd limit everyone to at the very most a 56kbps pipe, maybe 34kbps burstable to 56kbps? There are more applications that are a hell of a lot worse than Skype as far as bandwidth usage goes (P2P networks come to mind, such as gnutella, KaZaA, BitTorrent, eDonkey, etc...) So I wouldn't be hell bent on blocking Skype because tomorrow it will be some other application that's eating up your upload bandwidth.

I'd also set up some strict firewall rules for outgoing connections, for known worm ports, and any other applications that you don't want running on your network and can successfully block by closing ports.

It sounds like you have a failing business plan: you set out to provide cheap internet services to your users, but didn't plan for adequate bandwidth in your budget. If your users don't have a choice however, and you're the only provider, why are they complaining!?

FYI, there are users on this forum that have reported wireless links of ~50km using 5.8GHz equipment with throughput around 30mbps. If bandwidth is that far away you could set up a few relays and cover 100+ km easily (if the terrain is acceptable; it all depends on AP placement). I have no idea as to how large an area you are trying to cover so this point may be null. If you're servicing multiple countries with users scattered around the globe then I'm sure this isn't feasible.

Don't take this as derogatory, or insulting. I'm just pointing out the obvious and trying to give some alternative solutions and constructive criticism.
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Sun Dec 19, 2004 2:38 pm

Truth is the vast majority of the customers only want WEB and e-mail, and yes it isn't just Skype, it is all the others you mentioned and then some.

Satellite backhaul, and

We block all outgoing ports except SMTP, https, POP3 and ftp, and http is via proxy. Skype we limit by only allowing a 30 second burst on port 443, and we block the web site and authentication servers, so it is almost dead anyway.

The business plan isn't failing, and I prefer the word inexpensive to cheap :-)

We did provide adequate bandwidth in our budget for the intended applications; we make it quite clear that the service is only for web & e-mail and customers are happy with that. Problem is Skype (and all p2p) can cause havoc in such a network. It just takes one or two irresponsible users to spoil an otherwise valuable service for everyone. Just because we may be the only provider in town, we still want to provide a fast, stable service to our customers.

Wifi backhaul just isn't an option in many locations; even if you manage to span the 100's of km you will still have to pay for expensive bandwidth from the local telco.... try getting a connection in Niger or Mali for less than a few $1000 per Mbps per month, sometimes that still arrives via satellite anyway. Then there is interference, licensing issues (using wifi with 10's of dB gain just isn't permitted in many countries and the authorities will shut you down). Think about the installation work: you can't just get AC power up a mountain top in Agadez, solar power or generators required. And these people will steal your kit... well they have to eat don't they!

Facts are:
Wifi backhaul isn't an option in many locations.
Satellite is the only option.
Satellite capacity is too expensive for everything except WEB, e-mail, Messenger.

So to provide these services you need to block all other applications: P2P, VoIP etc.

So let's get back on topic, accept it has to be done and find some creative ways to do it.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Dec 20, 2004 12:31 pm

you could try Allot's bandwidth shaper, the "NetEnforcer".. we are currently using it and it can detect P2P applications as well as every other protocol on the network and you can set those to DENY.. I'm not sure if it detects Skype but they continually update the software for new protocols.

http://www.allot.com

Talk to one of their sales reps/engineers, I'm sure they'd be able to confirm what it can and can't do for sure. I know it can do all the major P2P networks and BitTorrent.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 20, 2004 12:43 pm

> we are currently using it and it can detect P2P applications as well as every other protocol on the network

what's your point? RouterOS can do the same
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Mon Dec 20, 2004 12:52 pm

> > we are currently using it and it can detect P2P applications as well as every other protocol on the network
>
> what's your point? RouterOS can do the same

That's true, RouterOS can do the same and is a hell of a lot cheaper.. I forgot about the bandwidth shaping side to RouterOS.... it's been a long day, just got off a 5hr plane ride :/
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Mon Dec 20, 2004 1:05 pm

> you could try Allot's bandwidth shaper, the "NetEnforcer".. we are currently using it and it can detect P2P applications as well as every other protocol on the network and you can set those to DENY.. I'm not sure if it detects Skype but they continually update the software for new protocols.
>
> http://www.allot.com
>
> Talk to one of their sales reps/engineers, I'm sure they'd be able to confirm what it can and can't do for sure. I know it can do all the major P2P networks and BitTorrent.

Hi,
Thanks, but I know that NetEnforcer can't yet detect Skype and they don't yet have a firm date as to when it will; they don't think that it will be in the Jan update. Much the same story with Cisco, Packeteer and Ellocoya.
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Mon Dec 20, 2004 1:08 pm

Is anyone blocking Skype on packet length?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 20, 2004 1:47 pm

as a personal note - i only hope that skype never gets blocked anywhere, this would only kill a nice service. to me it sounds as illogical as blocking email. bandwidth problems can be solved with other means. sounds almost like `violence is not the answer` :)
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Mon Dec 20, 2004 3:03 pm

But operators own the network... not the end user. QoS, capacity, billing, and technical standards are the operator's responsibility; control of the network stops at your modem!

As an operator it is my choice what traffic to allow. If you don't like what your operator is doing, fine... find yourself another operator.

I think air-con is a cool thing to have in a car (sic), but I don’t go around campaigning for all the manufacturers to install it as standard, it’s their choice. If they see a market that can’t afford air-con, they are free to build a car that meets the needs and affordability of that market segment. Are you going to stand up and say to anyone, if you can’t afford air-con then you shouldn’t own a car?

If an operator can provide a basic Internet service at a reasonable price, to deeply rural locations, on the conditions no VoIP, no Skype, no P2P, isn't that better than no service at all?

This isn't about personal preferences, but technical constraints and hard economics.

Now please can we get back to a technical discussion.
Thanks.
 
Nick Kett
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Jun 30, 2004 8:32 pm

Mon Dec 20, 2004 3:06 pm

> Skype will try to use random ports >1000 first, then port 80 (http), then port 443 (https).
>
> I know of no firewall rule that will match Skype traffic, not even P2P-all works. So here is another way.
>
> 1. Use the firewall to close all unused outgoing ports.
>
> 2. Set up an http proxy to prevent port 80 from being abused.
>
> 3. You will still have port 443 open, if you need to access secure web pages (https).
> So how do you block Skype from using port 443?
>
> Skype needs 20kbps+ of continuous bandwidth to support a VoIP call.
>
> Use a mangle rule to mark all port 443 traffic.
> Example:
> ip firewall mangle> print
> Flags: X - disabled, I - invalid, D - dynamic
> 0 dst-address=:443 protocol=tcp action=accept mark-flow=Port 443
>
> Use a queue tree to allow traffic per user to burst for only 15 seconds on port 443. https web access on port 443 will still work OK, but Skype calls will cut out after the 15 seconds of burst time.
>
> Example:
> queue tree> print
> Flags: X - disabled, I - invalid, D - dynamic
> 0 name="queue1" parent=ether1 flow=Port 443 limit-at=0
> queue=ethernet-default priority=8 max-limit=1000 burst-limit=100000
> burst-threshold=6000 burst-time=15
>
> If you do not want to proxy on port 80 you can also use the burst method; however, any http file transfer will also cut out at the burst timer limit.

Anyone know a better way to block Skype?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Dec 20, 2004 3:09 pm

not bad, i think this is a very interesting approach. not complicated either
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Dec 21, 2004 6:03 am

I still think if you set up your queues / bandwidth shaping strictly enough you could still use these applications without having to block them. If you're just guaranteeing basic web/pop/smtp services then these wouldn't be affected; email doesn't need a ton of bandwidth, nor web for outgoing (just to resolve DNS and open the connection), so you could only allow users to burst to say 56kbps for very short periods of time and give them a CIR of like 16kbps. That way Skype could still be used, however the voice would cut out much like you suggested with your solution. However, instead of just focusing on Skype this would help with any future applications that may abuse outgoing bandwidth.

That way Skype could still be used as an IM application, and a little less configuration of your Mikrotik.... It'd probably clean up that upload link as well, so that everyone's not fighting over that 128kbps.
 
hci
Long time Member
Posts: 674
Joined: Fri May 28, 2004 5:10 pm

Fri Dec 24, 2004 7:25 am

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

http://www1.cs.columbia.edu/~library/TR ... 039-04.pdf

It may help to understand better how it works. By analyzing the startup and logon protocol you could likely figure out how to control or block it with Mikrotik's content filtering.

Matt
