Detecting and Redirecting Relayed Skype Traffic

Overview

Skype is a peer-to-peer Internet voice application that has gained popularity through its low cost, high-quality audio, and ease of use. Skype's design, intended for home users who are largely autonomous when it comes to the use of their machines and their Internet connection, is, however, largely inappropriate for its increasing use in the enterprise, where network resource allocation, information security, and other management tasks are the responsibilities of technical staff. Although most Internet applications and services are appropriate for home and business users alike (applications can be blocked, audited, or limited in resource consumption by devices), Skype subverts these techniques in an effort to ensure that it can be deployed ubiquitously. Innovation around Skype is difficult because the operation of the Skype client is obfuscated by encryption, both in the messages that transit the network and in the implementation of the software.

One of the more attractive aspects of Skype is its ability to work seamlessly behind NATs. Two users behind a NAT can use a third Skype node with a public IP address as a relay for their connection. Relays are selected automatically from computers with good bandwidth and performance measures, and users cannot deterministically choose them. When Skype is used as a means of communication among the members of an enterprise, this may result in serious security concerns and resource allocation issues. Sensitive traffic between members of the same enterprise may take unsafe paths through the unsecured Internet, while traffic between two Internet users may be inefficiently relayed by a computer within the enterprise.

We propose DRS (Detect and Redirect Skype), a simple and efficient tool to detect and redirect the relayed Skype connections that originate and end on the same side of the boundary of an enterprise. DRS uses packet matching and needs to see only one relayed voice packet before short-circuiting the relay; voice packets addressed to the relay will be forwarded directly to the other user.
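
As an added illustration (not the DRS implementation or code from the authors), the following Python shows one way packet matching at the enterprise border could reveal an external relay joining two internal hosts after a single voice packet. It assumes the relay forwards payload bytes unchanged and that hosts are identified by IP address only; the names `RelayDetector`, `observe` and `next_hop` are hypothetical, and the addresses in the trace are constructed.

```python
import hashlib
import ipaddress
from collections import namedtuple

# One UDP datagram as seen at the enterprise border (hosts keyed by IP only).
Packet = namedtuple("Packet", "ts src dst payload")

class RelayDetector:
    """Spot an external relay joining two internal hosts by payload matching.
    Assumption: the relay forwards the payload bytes unchanged."""

    def __init__(self, internal_net, window=0.5, min_len=16):
        self.net = ipaddress.ip_network(internal_net)
        self.window = window    # seconds an outbound payload stays matchable
        self.min_len = min_len  # skip tiny payloads that could collide by chance
        self.pending = {}       # (relay, digest) -> (ts, internal sender)
        self.redirects = {}     # (internal host, relay) -> internal peer

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def observe(self, pkt):
        """Return (sender, relay, receiver) when pkt reveals a relayed internal pair."""
        if len(pkt.payload) < self.min_len:
            return None
        # Drop outbound records older than the matching window.
        self.pending = {k: v for k, v in self.pending.items()
                        if pkt.ts - v[0] <= self.window}
        digest = hashlib.sha256(pkt.payload).digest()
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and not dst_in:      # leaving: remember what went to which host
            self.pending[(pkt.dst, digest)] = (pkt.ts, pkt.src)
        elif dst_in and not src_in:    # entering: did an internal host just send this?
            hit = self.pending.pop((pkt.src, digest), None)
            if hit and hit[1] != pkt.dst:
                sender = hit[1]
                self.redirects[(sender, pkt.src)] = pkt.dst   # sender -> relay now goes to peer
                self.redirects[(pkt.dst, pkt.src)] = sender   # and the reverse direction
                return (sender, pkt.src, pkt.dst)
        return None

    def next_hop(self, pkt):
        """Where the border should deliver pkt once a relay is short-circuited."""
        return self.redirects.get((pkt.src, pkt.dst), pkt.dst)

# Constructed trace: 10.0.1.5 and 10.0.2.9 are internal, 203.0.113.7 is the relay.
VOICE = bytes(range(40))
TRACE = [
    Packet(0.00, "10.0.1.5", "198.51.100.20", b"x" * 32),   # unrelated outbound traffic
    Packet(0.01, "10.0.1.5", "203.0.113.7", VOICE),         # voice packet to the relay
    Packet(0.05, "203.0.113.7", "10.0.2.9", VOICE),         # same bytes come back in
]
```

Feeding `TRACE` to `observe` flags the relay on the third packet, after which `next_hop` delivers packets addressed to the relay straight to the other internal host.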

People

Cristian Lumezanu
Neil Spring