The hole trick.... How Skype & Co. get round firewalls

The hole trick.... How Skype & Co. get round firewalls

Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world.

Increasingly, computers are positioned behind firewalls to protect systems from internet threats. Ideally, the firewall function will be performed by a router, which also translates the PC's local network address to the public IP address (Network Address Translation, or NAT). This means an attacker cannot directly adress the PC from the outside - connections have to be established from the inside.

This is of course a problem when two computers behind NAT firewalls require to talk directly to each other - if, for example, their users want to call each other using Voice over IP (VoIP). The dilemma is clear - whichever party calls the other, the recipient's firewall will decline the apparent attack and will simply discard the data packets. The telephone call doesn't happen. Or at least that's what a network administrator would expect.
Punched

But anyone who has used the popular internet telephony software Skype knows that it works as smoothly behind a NAT firewall as it does if the PC is connected directly to the internet. The reason for this is that the inventors of Skype and similar software have come up with a solution.

http://www.heise-security.co.uk/articles/82481

Thanks cy - interesting article.

Jan

Thanks, cy; I have wondered about that too. It seems like they're cheating. I mean, their solution is too obvious. I had been imagining a much trickier one.

There was also an idea called "UPnP," standing for "Universal Plug & Play." I think that was just a way for the client to request a forwarded port from a NAT router, directly. It seems... dangerous... and useless unless everything is compliant. Anybody know if that ever took off?

P.S. (((Is this the right sub-forum for this?)))

yes most routers have upnp

zone alarm can setup most router based nat and firewall
systems when uPnP is turned on in the router and in windows

:rock:

amazing how intelligent skype acts when an open port is not available. performing port scans to find an open port to punch through. then if skype is still not able to connect, it then performs UDP hole punching. this uses skype's servers as a relay for packets. which of course results in additional time delays and more overhead for skype's servers.

http://en.wikipedia.org/wiki/User_Datagram_Protocol

I don't think Skype invented most of these methods. They go back to the early days of NAT and implementers used to untranslated TCP trying to get around the hassles that NAT imposed. See the comments on NAT at these links:

http://www.fourmilab.ch/speakfree/
http://www.fourmilab.ch/documents/digital-imprimatur/

Also: http://en.wikipedia.org/wiki/STUN

I am not understanding all of the technical details of this thread however I take it that this Skype Company is hacking peoples computers or something else that is bad.

Can anyone tell me if this method that Skype is using could somehow allow them to gain access to my Credit Card number if I had recently made an online purchase? I was recently contacted by my CC Company who advised an unknown person had used my card for several online purchases at the Company called Skype. This thread caught my attention as the name is the same and I wonder if this may be related to my recent case of a stolen CC number.

Same thing happened to me, Robo.

I check my credit card activity on-line and noticed an unauthorized $20 charge from skype.com.

I contacted the cc company and they closed that account and issued me a new card.

Marc

robo, they are two entirely separate issues. someone has stolen your credit card number and used it to buy time on skype.

highly unlikely skype was source of leak for your credit card information. anytime you purchase anything online, there's a chance for personal information to be compromised.

there's been several instances of credit card processing centers losing thousands of customer's information. naturally these companies will not disclose damage unless required by law. currently those laws are somewhat lax.

so your information could have been lost by one of those companies through no action of yours.

.

That article is pretty much nonsense. A firewall implementation (and I am talking of a firewall and not some 'hey-look-I-bought-some-does-everything-w/o-configuration-dsl-or-cable-router' here) usually consists of lots of technical stuff and an implementation of a "DENY-ALL, ALLOW-SOME" strategy somewhere on the way.

That is exactly where where some bogus UDP packets from some bogus computers on the network (how comes there is some unauthorized software in use anyway?) will be stopped, logged and the respective users will subsequently be, ahem, 'hunted down':devil:

The article only applies to people in charge of network security whose line of thought goes like 'Hey, why don't we get a firewall? Let's pick this one, it says it's 100% secure on the package, is cheaper than all the other ones and has more nice flashing lights!'.

don't remember seeing anywhere in article that states, skype could punch through any and all firewalls.

skype has been adopted faster than any other VOIP software that I'm aware of. it's enough of a success for someone to stump up billions $$ to buy.

article plainly stated this was a simplified overview of how things work.

of course some firewalls are setup tighter than others. to call this article "pretty much nonsense" is stretching it...

chrwe said:

That article is pretty much nonsense. A firewall implementation (and I am talking of a firewall and not some 'hey-look-I-bought-some-does-everything-w/o-configuration-dsl-or-cable-router' here) usually consists of lots of technical stuff and an implementation of a "DENY-ALL, ALLOW-SOME" strategy somewhere on the way.

That is exactly where where some bogus UDP packets from some bogus computers on the network (how comes there is some unauthorized software in use anyway?) will be stopped, logged and the respective users will subsequently be, ahem, 'hunted down':devil:

The article only applies to people in charge of network security whose line of thought goes like 'Hey, why don't we get a firewall? Let's pick this one, it says it's 100% secure on the package, is cheaper than all the other ones and has more nice flashing lights!'.

Click to expand...

cy said:

to call this article "pretty much nonsense" is stretching it...

Click to expand...

You are right. I went over the top there.

Still the article is wrong in many places.

1. It describes the way Skype initiates connections as ``subtle tricks''. It is not a subtle trick. It is knowledge of how most nat implementations work.
2. ``Increasingly computers are placed behind firewalls.''
   
   The author either has not read an introductory textbook to network security, or he can't remember about it too well, as what he calls ``firewalls'' (nat-devices) will not pass as firewalls. Even a look at the very short chapter about firewalls oft Tanenbaum's ``Computer Networks'' will help.
3. ``Ideally, the firewall function will be performed by a router...''
   
   He should go back to some introductory textbook again, as this design sure as hellfire is not anywhere near ``ideal''.
4. ``Naturally every firewall must also let packets through into the local network - after all the user wants to view websites, read e-mails, etc.''
   
   The Author really should learn about application level gateways.
5. ``The firewall must therefore forward the relevant data packets from outside, to the workstation computer on the LAN.''
   
   This usually is not the main job of a firewall.
6. ``But even here Skype is able to outwit the firewall.''
   
   Nah, it is not. Doing a portscan is not exactly 'outwitting'.

Now after bashing the article for so long, I will come to an end. Basically I am trying to say that the author tries to make his article sound dramatic from a network security point of view, when it is not the least bit dramatic.

Here are my claims:

1. The article describes Skype's way of initiating connections between two computers who are both behind a nat device pretty good.
2. The author mostly equates nat devices to firewalls. That is very wrong.
3. The author tries to make Skype's way of initiating connections look like some nifty trick to circumvent security measures. But there are no security measures to circumvent in the first place, it is just the behaviour of certain nat implementations.
4. People who aren't aware of this behaviour of nat implementations will usually be happy Skype works out of the box with their ``firewall''. They do not think "wohoo, how comes Skype works behind our ``firewall''?"
5. It is not a network administrators nightmare, as I have shown in my first post.

chrwe, trouble with describing technical topics is deciding who your audience is.

either you bore one crowd or lose the other one.

not a network admin, but an Oracle Architect. So network issues is part of my responsibility getting everything working.

today's mission critical systems are getting so complicated. there's no way one person can know it all. then factor in new technologies... simply staying current can be a battle within itself.

since skype is used by non-technical folks in general. it's better to dumb article down to say CIO level of presentation.

presenting technical details on an admin level would lose most of the audience

Yes, the article has some flaws, but it is still a good read.

In the company I work for, our firewalls must be working much better, since they block all Skype and VoIP (over the Internet) calls

Will