How Skype Punches Holes in Firewalls
An anonymous reader writes "Ever wondered how P2P software like Skype directly exchanges data, despite the fact that both machines are sitting behind a firewall that only permits outgoing traffic? Read about the hole punching techniques that make a firewall admin's nightmares come true."
Nothing new here (Score:5, Insightful)
Confusing title (Score:5, Insightful)
you have no clue (Score:4, Insightful)
And how are you going to receive replies if you tell it to drop the response packets?
The trick that this article points out is that UDP is connectionless, so even a stateful firewall will not know whether a packet is a valid reply or not. The only way to prevent this is to block UDP entirely.
Doh - STUN (Score:2, Insightful)
http://en.wikipedia.org/wiki/STUN
Re:Great article (Score:2, Insightful)
There is no such thing as a "UDP connection". UDP is connection-less. TCP uses connections.
Re:you have no clue (Score:2, Insightful)
The IPTables code would be:
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
This still wouldn't protect you from the "attack" described in the article, so to be truly secure, you should only allow outbound UDP on ports of your choosing.
Or you could just remove NAT for UDP:
iptables -A FORWARD -p udp --sport 1:10000 -j DROP
It's annoying, but it's hardly a "nightmare", and there are a number of ways to keep your system secure, and to prohibit users from abusing your bandwidth with streaming applications.
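A small simulation of the stateful UDP policy in the iptables rules above, and of the hole-punching sequence the earlier "you have no clue" reply describes, added here as an example; it is not code from the article or from any poster. The firewall is modelled as a filter only (no address translation), the hosts, ports and 30-second idle timeout are constructed values, and the rendezvous server that tells each peer the other's address is assumed rather than modelled.

```python
"""Stateful UDP filter model: why a "reply" packet can be a punched hole."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, udp port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    payload: str


class StatefulUdpFirewall:
    """Models the policy of the iptables rules above: any outbound UDP
    creates a flow entry (NEW); inbound UDP is accepted only if it is the
    mirror image of a live entry (ESTABLISHED).  Entries expire after
    `timeout` seconds of silence, in the spirit of conntrack's UDP timeout.
    No NAT is modelled; this is a filter, not a translator."""

    def __init__(self, inside_hosts: Set[str],
                 allowed_dst_ports: Optional[Set[int]] = None,
                 timeout: float = 30.0):
        self.inside = set(inside_hosts)
        self.allowed_dst_ports = allowed_dst_ports   # None means any port
        self.timeout = timeout
        self.flows: Dict[Tuple[Addr, Addr], float] = {}  # (inside, outside) -> expiry

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Inside -> outside.  True if the packet is forwarded."""
        if pkt.src[0] not in self.inside:
            raise ValueError("outbound packet must originate inside")
        if self.allowed_dst_ports is not None and pkt.dst[1] not in self.allowed_dst_ports:
            return False                              # "only ports of your choosing"
        self.flows[(pkt.src, pkt.dst)] = now + self.timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Outside -> inside.  Accepted only if it matches a live flow."""
        key = (pkt.dst, pkt.src)
        expiry = self.flows.get(key)
        if expiry is None or expiry <= now:
            self.flows.pop(key, None)                 # idle entry is gone
            return False
        self.flows[key] = now + self.timeout          # traffic refreshes the entry
        return True


def send(fw_src, fw_dst, pkt: Packet, now: float) -> bool:
    """Carry pkt across both firewalls; True only if both let it through."""
    return fw_src.outbound(pkt, now) and fw_dst.inbound(pkt, now)


def hole_punch(fw_a, a: Addr, fw_b, b: Addr, now: float = 0.0):
    """UDP hole punching between A (behind fw_a) and B (behind fw_b).
    Assumes a rendezvous server already told each side the other's address.
    Returns whether each of the three packets arrived."""
    # 1. A probes B: opens (a,b) in fw_a, but fw_b has no entry yet, so the
    #    probe is dropped at B's side.
    first_at_b = send(fw_a, fw_b, Packet(a, b, "probe"), now)
    # 2. B probes A: opens (b,a) in fw_b; at fw_a it is the mirror image of the
    #    entry A just created, so a stateful filter cannot tell it from a reply.
    first_at_a = send(fw_b, fw_a, Packet(b, a, "probe"), now + 0.1)
    # 3. A's retransmit now also matches B's fresh entry: the hole is open.
    retry_at_b = send(fw_a, fw_b, Packet(a, b, "probe"), now + 0.2)
    return first_at_b, first_at_a, retry_at_b


# Constructed addresses for the two peers (not real hosts).
A: Addr = ("10.0.0.5", 40000)
B: Addr = ("192.168.1.9", 40001)


def scenario_default():
    """Outbound UDP allowed to any port: the punch succeeds."""
    return hole_punch(StatefulUdpFirewall({A[0]}), A, StatefulUdpFirewall({B[0]}), B)


def scenario_port_policy():
    """Outbound UDP only to port 53, as the post suggests: no entry is ever
    created for the peer's port, so nothing inbound can match."""
    fw_a = StatefulUdpFirewall({A[0]}, allowed_dst_ports={53})
    fw_b = StatefulUdpFirewall({B[0]}, allowed_dst_ports={53})
    return hole_punch(fw_a, A, fw_b, B)


def scenario_timeout():
    """A punched hole closes once the entry idles past the timeout, which is
    why real clients send keep-alives.  Returns (keepalive_ok, late_ok)."""
    fw_a = StatefulUdpFirewall({A[0]}, timeout=30.0)
    fw_b = StatefulUdpFirewall({B[0]}, timeout=30.0)
    hole_punch(fw_a, A, fw_b, B, now=0.0)
    keepalive_ok = send(fw_b, fw_a, Packet(B, A, "keepalive"), 20.0)   # within 30 s
    late_ok = fw_a.inbound(Packet(B, A, "late"), 90.0)                  # 70 s idle
    return keepalive_ok, late_ok


if __name__ == "__main__":
    print("default policy:", scenario_default())
    print("port-restricted:", scenario_port_policy())
    print("timeout:", scenario_timeout())
```

The first scenario is the point of the thread: the filter does exactly what the ESTABLISHED rule promises, and the "reply" it accepts is the peer's probe. The second shows that restricting outbound UDP to known destination ports defeats the technique, because the flow entry the punch relies on is never created. The third is the caveat a practitioner hits in production: the hole is only as durable as the idle timeout, so anything built on it has to keep the entry warm.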
Re:Nothing new here (Score:2, Insightful)
This is no more of an attack vector than any other program you allow to run on your internal network that you allow to connect to external sources.
Re:Great article (Score:5, Insightful)
The core BitTorrent protocol uses TCP, so the UDP technique the article describes won't work. (As far as I know, there's no corresponding technique for doing something similar with TCP.)
There's been a bit of work on various UDP protocol replacements for BitTorrent, but nothing that's really gained any cohesion that I'm aware of. So, when it comes to BitTorrent, no, there really isn't much work on making such a technique work.
There might be other P2P platforms that do attempt to do something like the technique described in the article, but the official BitTorrent protocol uses TCP and therefore can't use the technique.
Old news and incomplete as well (Score:5, Insightful)
AFAIK Skype uses a fallback system when the technique described doesn't work (where UDP traffic is blocked). In those cases it uses a well-connected peer (yes, that could be your Skype client) to relay the voice data to the other party. Your PC becomes a Supernode without your knowledge and consent. Well, not really, because this is in the Skype EULA:
4.1 Permission to utilise your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilise the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype Software users.
http://computerworld.co.nz/news.nsf/news/7AB67323
What was it again? All your base belong to us?
X.
Re:you have no clue (Score:1, Insightful)
I'm sorry, but I'm just not comfortable with this statement.
When I send a UDP broadcast, do I then have a "connection" with each and every one of the machines that hears my datagram? If so, please tell me how I can enumerate each of these machines that I supposedly have a "connection" with.