
How Skype gets round firewalls - known
http://www.h-online.com/security/features/print/82481
======
mustpax
The term firewall has been completely diluted. If the same thing had happened
to anti-virus software we'd be calling file extension based blockers anti-
virus agents.

Now, Skype's technique is quite interesting and clearly well executed. But it
underlines a fundamental problem with trying to glean protocol information
from port numbers and SYN packets. Similarly, you can "reverse" SSH connections
to bypass incoming connection blockers on firewalls.

Besides, philosophically speaking, trying to allow one form of communication
but not another is a losing battle. Any communication channel can be used for
any purpose. People have been hiding small messages in bigger ones through
steganography for a long time. As long as I have a friendly server on the
outside to reroute my traffic, there's very little you can actually do (Tor
anyone?).

Don't even get me started on NATs. Those things make IPv6 look like god's gift
to network engineers.

------
mixmax
Friis and Zennström have been using this technology for longer than Skype has
existed; their previous venture, the filesharing application Kazaa, used this
approach as well and they built Skype on top of the network technology they
developed back in those days.

------
nikblack
The article is about how it negotiates NAT using forged UDP packets. What is
more interesting is how it actually gets past firewalls.

It exploits common default rules in firewalls. ie. to allow web surfing, a
firewall will allow port 80, but most of the time it will allow both outbound
and inbound 80, rather than just outbound. Skype will listen on a bunch of
common ports (80, 25, 110, 443, etc.) and blast out connection requests, and
then wait to see which port it actually receives a response on. It will also
fall back on using UPnP to find a way through - a protocol that is often
overlooked by network admins.

If you netstat while running Skype, you will see it listening on a bunch of
ports. It often prevents a local web server from starting up. The way it does
this is a lot more interesting than the actual NAT punching - Skype and Kazaa
will almost always find a way in and out of a network and they are a pain to
block. Joost is also using the same tech stack.

~~~
jdbeast00
"ie. to allow web surfing, a firewall will allow port 80, but most of the time
it will allow both outbound and inbound 80"? Outbound HTTP traffic uses
ephemeral ports, not 80.

~~~
evgen
Outbound firewall rules almost never limit the source port, 99.99% of them
only limit the destination port. If party A can accept packets on port 80 then
almost any client out there can connect to the service on that port. The point
being made is that a lot of default firewall rules allow traffic to any port
80 destination and accept traffic from any source to the local port 80.
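
Added example, not part of any comment in this thread: a small Python audit for the default-rule pattern described in the comments above, flagging inbound ACCEPT rules on commonly allowed ports that take new connections from any source. The rules are a constructed sample in iptables-save format; the port list and function names are assumptions for illustration.

```python
import shlex

COMMON_PORTS = {25, 80, 110, 443}  # ports the thread names as commonly open
# Constructed sample in iptables-save format; not taken from a real host.
SAMPLE_RULES = """\
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,110 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

def parse_ports(spec):
    """Expand '80', '25,110' or '8000:8010' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def option(tokens, *names):
    """Return the value following the first matching option, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def audit(rules_text):
    """Return (ports, rule) for INPUT ACCEPT rules open to any source."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if option(tok, "-A") != "INPUT" or option(tok, "-j") != "ACCEPT":
            continue
        dports = option(tok, "--dport", "--dports")
        if dports is None or option(tok, "-s", "--source"):
            continue  # no port match, or already limited to a source range
        states = (option(tok, "--ctstate", "--state") or "NEW").split(",")
        if "NEW" not in states:
            continue  # only return traffic for existing connections
        hit = parse_ports(dports) & COMMON_PORTS
        if hit:
            findings.append((sorted(hit), line))
    return findings

if __name__ == "__main__":
    for ports, rule in audit(SAMPLE_RULES):
        print(f"inbound {ports} open to any source: {rule}")
```

On a client network with no public services, every rule this reports is a candidate for removal or for restriction to a source range.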

------
slavox
Hole punching firewalls is almost as old as NAT itself, but it's still really
useful.

Got HTTP access? Tunnel a command to the server over HTTP and punch the ports.

Of course, if someone simply disallows access to the Skype servers it breaks
this approach, or having a special NAT setup.

All in all, hole punching is a cool subject.

------
snprbob86
Xbox LIVE uses a similar approach.

------
jemmons
By sanding down their corners until they're smooth?

~~~
coconutrandom
Hahah! Why so serious, people? Tough crowd, eh?

