How Skype Punches Holes in Firewalls

An anonymous reader writes "Ever wondered, how P2P software like Skype directly exchanges data — despite the fact, that both machines are sitting behind a firewall that only permits outgoing traffic? Read about the hole punching techniques, that make a firewall admin's nightmares come true."

Great article

[Nasarius (593729)]

I'm impressed, this is really good stuff. The article describes a general technique that can be used to trick most firewalls into believing that a UDP connection has already been established. Is this technique being used or considered by any P2P apps? I've run into the situation several times where I'm firewalled, and the only seeder of a torrent is too.

Re:

[BarkLouder (916884)]

The article describes a general technique that can be used to trick most firewalls into believing that a UDP connection has already been established.

There is no such thing as a "UDP connection". UDP is connection-less. TCP uses connections.

Re:Great article

[autocracy (192714)]

It is true that UDP is connectionless, but stateful firewalls do track UDP conversations as "connections." This is why, for example, DNS requests going out can be answered without unrequested inbound UDP traffic sent anywhere.

TCP over UDP

[John Sokol (109591)]

Once you have a bi-directional UDP packet exchange going, (it's not a connection like TCP) but it is in some sense an unreliable connection.

You can then route TCP over it (grab packets from /dev/tap or /dev/tun) , or use a user space TCP stack connection or use something like my ECIP (http://www.ecip.com/ [ecip.com]) over it.

Re:

[Opie812 (582663)]

+4 Insightful? How about "-1 RTFA, assface".

Re:Great article

[pilot1 (610480)]

Back when eDonkey was still fairly popular, I remember the lMule devs (GNU/Linux port of eMule) were aware of this technique and planned on incorporating it in lMule. BitTorrent became popular, lMule forked many times, and we never got around to it. I'm not aware of any current P2P apps that do it. The problem is that the technique, as they describe it, requires a central trusted server that both sides can connect to. With Skype that's fine, but it's a problem when you're dealing with something that's supposed to be entirely P2P. I don't remember this limitation, so either I have a bad memory or there's some way around it.

Re:Great article

[d3ac0n (715594)]

I would imagine that using the tracker server for this purpose would work. Obviously for "trackerless" torrents it would break again, but for standard tracker torrents it would probably work quite well. Couple it with torrent encryption and you have a very nice way to get around your college/work firewall.

Re:

[w128jad (643759)]

I'm impressed, this is really good stuff. The article describes a general technique that can be used to trick most firewalls into believing that a UDP connection has already been established. Is this technique being used or considered by any P2P apps? I've run into the situation several times where I'm firewalled, and the only seeder of a torrent is too.

I was impressed with this technique too. Perhaps the third party for a protocol such at bittorrent could use the seeders as UDP port mediators. It would b

Re:Great article

[_xeno_ (155264)]

The core BitTorrent protocol uses TCP, so the UDP technique the article describes won't work. (As far as I know, there's no corresponding technique for doing something similar with TCP.)

There's been a bit of work on various UDP protocol replacements for BitTorrent, but nothing that's really gained any cohesion that I'm aware of. So, when it comes to BitTorrent, no, there really isn't much work on making such a technique work.

There might be other P2P platforms that do attempt to do something like the technique described in the article, but the official BitTorrent protocol uses TCP and therefore can't use the technique.

Re:

[Score Whore (32328)]

TCP headers and UDP headers are quite different and a valid TCP header is not a valid UDP header. Bytes 5-8 of a TCP header are the sequence number. Bytes 5-6 of the UDP header are length, and 7-8 are the checksum. It seems unlikely that a UDP stack would be able to handle parsing part of a TCP sequence number as a length value.

Could you encapsulate a stream that acts like TCP inside of a stream of UDP packets? Sure. But it's not you can switch to a TCP stream as the predecessor post claimed.

Old news and incomplete as well

[Xenna (37238)]

I was impressed too when I read about it several years ago. Really, this is very old news. The P2P VPN tool Hamachi uses the same system.

AFAIK Skype uses a fallback system when the technique described doesn't work (where UDP traffic is blocked). In those cases it uses a well connected peer (yes, that could be your Skype client) to relay the voice data to the other party. Your PC becomes a Supernode without your knowledge and consent. Well, not really, coz this is in the Skype EULA:

4.1 Permission to utilise your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilise the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype Software users.

http://computerworld.co.nz/news.nsf/news/7AB67323D 6305E49CC2570A1001698C0 [computerworld.co.nz]

What was it again? All your base belong to us?

X.

Re: Punching Holes in BT

[Crazy Man on Fire (153457)]

I know you can punch holes for bit torrent, at least if you are using Azureus, as long as you setup your router to port forward/trigger to a particular UDP/TCP port.

If you're setting up port forwarding in your router, the application isn't "punching holes" you're just opening up your firewall at the router...

Nothing new here

[Fenis-Wolf (239374)]

There's really nothing new, or special about this technique. Definately nothing to 'keep firewall admins up at night'. Its the same thing that Kazaa did, and Napster as well. Establish connection to a central server, central server informs each client of the others client ip address, each client connects out, NAT router sees outgoing connections to that host, and allows data in. Nothing new, or exciting.

Re:Nothing new here

[Rycross (836649)]

The OpenTNL library (a game networking library pulled from the Torque engine) does this too. I remember thinking it was pretty clever at the time.

Re:

[Tenareth (17013)]

You know it doesn't have to be new to be a security issue, right? There are mitigating controls, but at least 73% of companies don't actively control these protocols. (Granted, when you talk "companies" that includes small businesses, so the % may seem high to you)

But, as scary as it sounds... there are Fortune 1000 companies that don't actively control this attack vector.

Re:

[Chris Pimlott (16212)]

This is similar to the way FXP worked to let you transfer files directly between two FTP servers. You set passive mode and tell A to expect a file, and it says "okay, send it to a.a.a.a:aaa", then you turn around to server B and say "send me a file, I'm waiting at a.a.a.a:aaa".

Re:Nothing new here

[jfengel (409917)]

You're right that it's not new, but you're missing a crucial step. They need to exchange port numbers, not just IP addresses, via the central server (or at least one port number). Then they need to prime the firewall to pass connections through to that port by sending out a packet to the peer from that port, even though the final destination of that packet will be filtered out.

So it's not new, but it's still pretty clever.

DS

[an7ron (846004)]

I wish my nintendo DS did this, so I could play metroid at work.

Re:DS

[MyLongNickName (822545)]

I wish my nintendo DS did this, so I could play metroid at work.

And if you could disguise it to look like a cash register, your customers would have no idea you weren't ringing up their Happy Meal.

Re:DS

[GweeDo (127172)]

Um, if they worked at McDonalds they would already have free WiFi for DS gameplay.
See here [kotaku.com]

Oh come on.

[SatanicPuppy (611928)]

This isn't an exploit. If the admin's didn't want the firewall to forward ESTABLISHED/RESPONSE packets, they can take that capability out...One of the things I've always had issues with, with regards to commercial firewall software (e.g Zone Alarm/Windows Firewall) is that that capability usually ISN'T enabled, so I'm forever getting "APPLICATION IS TRYING TO CONNECT TO THE INTERNET" pop-ups.

If you're using a NAT with IPTables, it's trivial to tell it to drop packets on any port regardless of whether they'r

you have no clue

[RelliK (4466)]

If you're using a NAT with IPTables, it's trivial to tell it to drop packets on any port regardless of whether they're established or UDP.

And how are you going to receive replies if you tell it to drop the response packets?

The trick that this article points out is that UDP is connectionless, so even a stateful firewall will not know whether a packet is a valid reply or not. The only way to prevent this is to block UDP entirely.

Re:

[grasshoppa (657393)]

Generally, it's wise not to open your mouth unless you know what you are talking about;

The kernel firewall knows how to MASQ udp packets; There's a timeout associated with them. So if you get a random UDP packet that it doesn't have a matching connection for, it'll drop it.

The real problem is being an administrator for a network which doesn't block outgoing traffic.

Re:you have no clue

[SatanicPuppy (611928)]

Well, no, I suppose if you sent every packet from a UDP session to a different port, there would be no way of telling that they're all part of the same session, because you're right, UDP doesn't contain any tracking info.

The state table entry for a UDP packet, however, contains the source IP:port and the destination IP:port, and uses that information to "track" the exchange. So unless you just allow all UDP through the firewall, the state table keeps track of how often the destination ip responds, and if it doesn't respond within the timeout set in ip_conntrack_proto_udp.c at compile time, the system will terminate that connection, and require a "new" connection to be set up between those addresses. It also won't allow the destination port to be changed without a second "NEW" packet originating from the new destination port.

I agree it's not an "attack" as such. My original point was that it wasn't an exploit at all, in the sense that you are not able to break any existing rule using this method. If you allow UDP out, and UDP:Established in, then how can you complain that you end up accepting a bunch of UDP packets?

UDP *is* Connectionless; Apps might not be

[billstewart (78916)]

UDP is a Layer 4 protocol for transmitting packets between (Layer 5,6,or 7) applications - it doesn't have any concept of connection, state, or acknowledgements, either in the packet headers or in the protocol for what to do with those packets. By contrast, TCP creates a connection between the two endpoints, using the 3-way-handshake mechanism, window size management, acknowledgements, retransmit mechanisms, etc., and the connection has state (SYN sent, SYN-ACK received, N bytes still waiting to go into a window, FIN received, etc.)

The Applications may or may not create Layer 7 connections or maintain state. Most UDP applications do one of three things

• Do a simple one-packet response to a one-packet query - DNS usually works this way, and all the protocols like Echo and Daytime that got turned off due to packet-amplification attacks like smurfing work that way. The application doesn't maintain any state - it just answers your question and waits for the next one.
• Send a stream of packets, unacknowledged, which you hope will mostly be delivered. Voice and videoconferencing applications work that way - it's better to have an occasional static or screen glitch than to slow the whole thing down waiting a few hundred milliseconds for lost packets to retransmit, watching everybody's mouth move out of sync like a bad Godzilla movie.
• Provide a full-scale connection, emulating TCP badly at Layer 7. Applications that do this are usually designed for LANs, where they usually work, and they can get higher throughput with less CPU demand on the computer because the connections usually work and are have much lower latency and loss and higher bandwidth than the environments TCP was designed for.

  Some applications that look like this are really hybrids - they've gone to a lot of work to make sure they work fine in a stateless UDP environment, where packets might get lost or duplicated, and remote partners might go on and off line, such as remote file-system apps where the Layer 7 acknowledgement that Block 12345 has been written to disk is what the application needed to know anyway. Being stateless lets the app not have to keep track of which remote sites are currently reachable, and lets a server scale to handle lots of sporadic accesses. And sometimes the client app maintains state even if the server doesn't - the client knows it has 242344 more bytes to send to the server, but the server responds to each packet idempotently when it comes in and doesn't worry about the past or future.

• Genuine one-shot unacked messages - telemetry apps are often like this, and sometimes logging apps are as well. If you lose the message "It's 43.123 degrees at 12:24:14", there'll be another one soon saying "It's 43.122 degrees at 12:24:15" that's probably just as useful as doing an ack and retransmit.

Firewalls used to be manually configured for some protocols - you'd allow a UDP connection from 1.1.1.1:1414 to 2.2.2.2:2828 - and also support protocols statelessly - you'd allow ping responses, or TCP SYN/ACKs, but didn't explicitly track which responses were really from which connections. This was usually good enough for TCP, but fairly crude for UDP, since the Layer 4 protocol doesn't tell you state. Stateful inspection techniques let the firewall keep track of each exchange between two sites - you'll accept ping responses from 2.2.2.2 to 1.1.1.1 because you know 1.1.1.1 just sent a ping to 2.2.2.2, and you'll accept TCP packets from 2.2.2.2:443 to 1.1.1.1:12345 because you know 1.1.1.1:12345 did a TCP SYN to that 2.2.2.2:443 and haven't seen a TCP FIN or timed out the connection. They're simulating state, even for protocols that don't have connections or state at Layer 4, because applications usually have one or a series of packet exchanges even if they don't have state at Layer 7 (or only have state at one end.)

Re:you have no clue

[E++99 (880734)]

All these people maintaining that UDP is a "connectionless" protocol are baffling to me...How do you think NAT works? Do you think that it just forwards UDP packets everywhere, hoping that someone wants them? All connection information has to be maintained with NAT, or there is no point.

UDP is connectionless. NAT routers invent imaginary connections based upon the outgoing packets they see, and then close the imaginary connections after inactivity. It's not part of the protocol. It's a model that the router uses to block all packets except the ones that were presumably requested.

Re:

[jimicus (737525)]

Of course it's not. But a lot of it depends on how you run your firewall.

If it's "every packet trying to cross the firewall in either direction is blocked unless it comes from the web proxy or the mail server" then Skype will also be blocked anyhow.

If it's "any packet trying to come in is blocked, but if the connection was originally set up from inside the network, anything goes" (which seems to be the most common configuration), then Skype will work quite happily.

Confusing title

[neonux (1000992)]

From my understanding they're not talking about "hole-punching" firewalls but only about plain boring NAT traversal, which is anything but a new topic...

Re:

[Aadain2001 (684036)]

No, it is "punching" a hole in the firewall. While NAT transversal is similar to this technique, is works even if you are not using NAT (say, at an office). While it's nothing "ground braking" or really that new, it is (at least to me) interesting and probably is to anyone who isn't a network guru.

Re:

[SatanicPuppy (611928)]

It's not even "punching a hole", so don't think about it that way.

Many firewalls are set up to trust the computers on the inside, so if they make a connection out, the firewall allows that connection to persist by allowing packets that are a part of the internally originating conversation to come back through.

So basically, far from having "a hole punched through your firewall", you've basically invited an untrustworthy element through your security, and it's opening a window so it can pass information back

Why is this so bad?

[Salvance (1014001)]

I don't exactly think this is Skype being tricky, it's just having users establish connections and keeping them open for incoming calls. This is the same way that Instant Messaging services such as AIM work too. If the admins don't want those services enabled, they should inform their users and then block Skype IP ranges.

Slashdot, always bringing you the hottest news

[rbarreira (836272)]

While this is a cool technique, I had heard about NAT2NAT years ago... This is not a new technique, by any means.

Ever wondered

[spun (1352)]

Ever wondered, how to use, commas properly?

Re:Ever wondered

[CODiNE (27417)]

Don't tease, those, who have graduated, from the Shatner, School of Grammar.

Re:

[Peyna (14792)]

Not to mention how to properly use an em dash.

udp huh?

[minus_273 (174041)]

didnt know skype was UDP based. Most do wonders to the quality of the network. Esp if there are bugs in the protocol being used. I remember the standard project where you need to implement sliding window and AIMD on UDP to mimic behavior of the dominant TCP variety. I also remember what happened when some kids messed up and started flooding the network with packets.

Re:

[minus_273 (174041)]

I know why you wouldnt really need reliable transport on voice data due to the hard real time constraints. Im more concerned with the flow control. UDP has nothing it is just data blasted on the network. a buggy protocol on top of UDP and enough people using it will bring us back to the internet crash of the late 80s. Seems like not every one remember the internet becoming unusable. There is a reason why TCP was revised to behave the way it does today. The older TCP didnt really scale up well.

punching holes...

[joeldg (518249)]

Skype is starting to charge now, so that means everyone will be migrating to the next thing that is free.
I sort of miss the dialpad.com days.

Re:

[AndrewNeo (979708)]

They're not 'starting to charge', their free period is ending at the end of the year just like they said when they started it.

A Good Paper

[Al Mutasim (831844)]

Here is another good discussion (PDF): http://www.rootsecure.net/content/downloads/pdf/sk ype_protocol.pdf [rootsecure.net].

The answer...

[chill (34294)]

...is deep packet inspection. Instead of just letting packets thru based on "I'm just returning so-and-so's request", look to see what their payload contains and what type of stream it is. Yes, encryption can hide the payload. But, you can still prohibit non-SSH/HTTPS/SFTP streams from originating. If it isn't an approved protocol, make it go away.

Want to REALLY torque off the Skype guys? Let it thru, just add random packet delays to each UDP packet that goes out and comes in. A few ms each should do it. Their call quality will go to hell. Things like mail, web surfing, and other non-realtime protocols won't even notice the difference.

  Charles

Re:The answer...

[Zone-MR (631588)]

A few ms each should do it.

I'm pretty sure a few ms would be absorbed by the jitter buffer. Heck, 20ms jitter is often a normal occurance on long-distance WAN links.

Doh - STUN

[Tetard (202140)]

"Nightmare come true". What sensationalism. This is just STUN, which SIP communication devices can also use:

http://en.wikipedia.org/wiki/STUN [wikipedia.org]

Not exactly new

[Wannabe Code Monkey (638617)]

Oh man, this shit is a pain in the ass. I had to look into the over the summer. This is the same technique that Apple's iChat uses for audio and video calls. Many many p2p applications use this technique to get through firewalls and NAT routers. The problem is that it doesn't always work when both computers are behind their own NAT router.

Let's say Bob (as in the example in the article) is behind a NAT, his local ip he got from his router via DHCP is 192.168.1.2, and the public IP of his router is 2.2.2.2. He wants to use UDP port 2828 on his computer to transmit his voice data to Alice. So he sends out the first packed to 1.1.1.1:1414, as in the example. Now because of his NAT it looks like the data is coming from 2.2.2.2 and some arbitrary port (the router can't always use the same source port as the NATed computer because some other computer on the local network might already be using that port to connect to the outside world) lets say his router uses 3939.

Now Bobs router says, "Okay, I'll let through any UDP packets sent from 1.1.1.1:1414 to 2.2.2.2:3939 and I'll pass them on to 192.168.1.2:2828". As in the example, Alice's router will just drop this packet because there is no pre-existing connection from Alice's computer using this info. Then when Alice tries to send a packet to 2.2.2.2:2828 Bob's router drops it because his router isn't expecting traffic to this port. His router is expecting packets to go to port 3939. And Bob has no way of telling Alice which port she should actually be sending packets to since he doesn't even know which port his router decided to use on the public side to send out his packets.

You can get around this if only one computer is behind a NAT, or if you open up a persistent connection through your router to your computer. Anyway, I believe UPnP is supposed to help with this somehow, but I got so sick of it that I switched jobs.

Re:Not exactly new

[dgatwood (11270)]

Let's say Bob (as in the example in the article) is behind a NAT, his local ip he got from his router via DHCP is 192.168.1.2, and the public IP of his router is 2.2.2.2. He wants to use UDP port 2828 on his computer to transmit his voice data to Alice. So he sends out the first packed to 1.1.1.1:1414, as in the example. Now because of his NAT it looks like the data is coming from 2.2.2.2 and some arbitrary port (the router can't always use the same source port as the NATed computer because some other computer on the local network might already be using that port to connect to the outside world) lets say his router uses 3939.

Now Bobs router says, "Okay, I'll let through any UDP packets sent from 1.1.1.1:1414 to 2.2.2.2:3939 and I'll pass them on to 192.168.1.2:2828". As in the example, Alice's router will just drop this packet because there is no pre-existing connection from Alice's computer using this info. Then when Alice tries to send a packet to 2.2.2.2:2828 Bob's router drops it because his router isn't expecting traffic to this port. His router is expecting packets to go to port 3939. And Bob has no way of telling Alice which port she should actually be sending packets to since he doesn't even know which port his router decided to use on the public side to send out his packets.

Alice's computer should not be sending to 2828. It should be sending to the source port seen in the packets sent to the centralized server used for the rendezvous operation. Bob doesn't tell Alice anything. Bob sends a message to the central computer, which in turn, tells Alice something. The central computer DOES know what port Bob's router used because it can look at the source port on the UDP packet.

When a breakdown occurs (rare, but possible), it is not because of the difference between 2828 and 3939. It occurs because the router picked a -different- source port to use when sending packets to Alice than it did when sending packets to the central server. If the router does not consistently map port 2828 to 3939, but instead adds a secondary mapping from 2828 to 5050 when communicating with Alice's machine, the connection may fail. However, in order for a complete failure to occur (as opposed to simply requiring two or more packets to be sent and a little extra negotiation), one of the following must be true:

A. Both routers must be broken in this way. If this is the case, neither side can get a packet through to the other side.
B. One router must be broken in this way and the other router must alter the source port (reverse port masquerading) of inbound traffic.

If neither of these is true and Alice's machine is the one with the broken router, her router will use a different source port when communicating with Bob's machine that corresponds with the different destination port to which Bob's response must be sent. As long as Bob's router does not munge this, Bob's computer now knows how to send a message back to Alice, and a bidirectional communications channel should exist at that point.

I'm not saying that any of these services/protocols handle that extra bit of negotiation, of course, just that the problem isn't unsolvable unless both routers have a critical defect in their behavior.

You can do this with TCP too...

[sparr0w (902739)]

... but its a little more tricky. We figured this out during our senior design project (a video communications system) - all we had to do was have the server start a TCP connection to the client over static source and destination ports, trash the connection before reset/fin packets could be sent and then turn a server on the source port. The NAT we were using would then let an incoming connection come on through to the server. With UDP its a whole lot easier, but it still can be done with TCP as well.

Perl code

[sheriff_p (138609)]

Samy, the guy involved with the MySpace worm, wrote some Perl to do this a while ago:

http://samy.pl/chownat/ [samy.pl]

NAT behavior is not consistent

[lazzaro (29860)]

See: http://www.ietf.org/internet-drafts/draft-ietf-beh ave-nat-udp-08.txt [ietf.org] for a taxonomy of the ways NATs behave. The method described in the article won't work for all kinds of NATs.

News?

[Jahz (831343)]

Use of the procedure described above is not limited to Skype and is known as "UDP hole punching".

This sentence, which occurs in the last paragraph of TFA, should be further noted. The technique described here has been around for as long as NAT routers have been around (a very long time). Its fairly common knowledge/practice in network security circles. In fact, this was taught in my network security course last year. I think it was on the final as well... except we had to defeat a NAT router using TCP packets which is a slightly more tricky task.

On a tangent:
NAT routers are not really proper firewalls, though they have the side effect of keeping most attackers out. This is beacuse NAT was designed and implemented primarily for allowing multiple computers to utilize a single global address. They technically break the OSI stack by reaching past the link layer... and provide a bit less security than using vanilla iptables without modules. A more interesting exercise would be to describe the steps to defeat a firewall with stateful packet inspection.

Re:STUN?

[tjansen (2845)]

* It's the same as STUN, the article even mentions STUN at the end.
* STUN also supports "symetric" firewalls/NATs, I think that's not mentioned in the article. But no one uses them at home anyway, and I doubt that they are widespread elsewhere.
* SIP can use STUN (it's not required, but pretty common now).
* What the article does not mention: Skype can also mis-use HTTP proxys with HTTPS support to get through the firewall. That's the configuration that most companies have, and I hoped to get a bit more information about that in the article. But basically it will work similar to the common HTTPS tunnels (google for them if you don't know them), just Skype-specific instead of allowing arbitrary TCP connections.