Everyone knows our PITA Skype protocol, and its peer to peer obfuscated connections.
To identify the traffic, usually I used the L7 patterns found on protocol.info.
While sometimes it worked pretty fine, I noticed a lot of overmatch (mostly P2P downloads)
After an hardware failure (damn CF cards) i had to reconfigure a QoS, i thought a better way to identify Skype traffic..
I searched some info about Skype protocol and found this interesting presentation on blackhat.com site where the author hijacked the Skype network. At page 75, I found a interesting pattern of Skype connections which can be used to identify Skype traffic.
The very first UDP packet received by a Skype client will be a NAck
This packet is not crypted
This packet is used to set up the obfuscation layer
Skype can’t communicate on UDP without receiving this one
We can use this NAck packet to identify the peers, and mark the connections to that peer (at max 50kbps)..NAck packet: how does Skype know the public IP
1 At the begining, it uses 0.0.0.0
2 Its peer won’t be able to decrypt the message (bad CRC)
3 =) The peer sends a NAck with the public IP
4 Skype updates what it knows about its public IP accordingly
Identify the NAck packet
We know that the NAck packet size is 39 bytes and there should be our public IP from the 4th byte of the payload.
We need a customized L7 filter to match the 4th byte.
IE: my public IPs are 92.x.x.x and 213.x.x.x so my matching regex will be:
[\\|\xd5] [\\ = 92 | = or \xd5] = 213
Here's the ROS Rules:
/ip firewall layer7-protocol add name=skypenack regexp="[\\\\|\\xd5]" /ip firewall mangle add action=add-src-to-address-list address-list=skype address-list-timeout=1h chain=forward disabled=no layer7-protocol=skypenack packet-size=39 protocol=udp
Marking the Traffic
Mark the traffic from/to the fresh address list that don't exceed the 50kbit bandwidth usage (to not include the skype file transfers)
/ip firewall mangle add action=mark-connection chain=forward connection-rate=0-50k disabled=no new-connection-mark=conn_skype passthrough=yes protocol=udp src-address-list=skype /ip firewall mangle add action=mark-connection chain=forward connection-rate=0-50k disabled=no dst-address-list=skype new-connection-mark=conn_skype passthrough=yes protocol=udp /ip firewall mangle add action=mark-packet chain=forward connection-mark=conn_skype disabled=no new-packet-mark=skype passthrough=no