Pipeline Publishing, Volume 3, Issue 4
This Month's Issue: 
New Frontiers 
Skype: The Future of Traffic Detection and Classification

By Antonio Nucci


With the increased deployment of high-speed (“broadband”) Internet connectivity, a growing number of businesses and individuals are using the Internet for voice telephony. The proprietary VoIP system that is having the most dramatic impact on carriers’ revenue streams and network security is Skype. It uses a unique peer-to-peer technology, making it especially challenging for carriers to identify, classify and manage associated traffic.

Skype: New Communication, New Concerns
Many enterprise IT managers fear the introduction of Skype onto their networks. Both Skype’s vulnerability to hackers, whether for eavesdropping or for launching viruses, and the amount of bandwidth it could potentially consume are issues that could have a far-reaching impact not just on the enterprise network, but on the telecom carrier as well.

Security
In line with the claims of its creators, Skype appears to encrypt or otherwise scramble information that is transmitted over the Internet. Although it is generally accepted that Skype is secure against casual snooping, it is not clear how it would fare against sophisticated attackers.
The security of any data sent over an encrypted connection depends upon many factors, including the specific encryption algorithms used and how encryption keys are chosen or exchanged (known as key management). Also of critical importance is the protocol that employs the algorithms, and how well both the algorithms and protocols are implemented. An analysis of the packets sent between Skype clients indicates that a combination of protocols appears to be used for actions such as registering oneself on the network, searching for other participants, or making a voice telephone call.

Skype claims that its system employs RSA’s encryption for key exchange and 256-bit AES as its bulk encryption algorithm. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol. Despite repeated requests, Skype refuses to explain the underlying design of its certificates, authentication system, or encryption implementation. It is therefore impossible to validate the company's claims regarding encryption. A poor implementation of the RSA algorithm could provide encryption, but no actual security.

In order to avoid detection, many peer-to-peer applications, including Skype, change the port that they use each time they start. Consequently, there is no standard “Skype port” like there is a “SIP port” or “SMTP port.” In addition, Skype is particularly adept at port-hopping with the aim of traversing enterprise firewalls. Entering via UDP, TCP, or even TCP on port 80, Skype is usually very successful at passing typical firewalls. Once inside, it then intentionally connects to other Skype clients and remains connected, maintaining a “virtual circuit.” If one of those clients happens to be infected, then the machines that connect to it can be infected with no protection from the firewall. Moreover, because Skype has the ability to port-hop, it is much harder to detect anomalous behavior or configure network security devices to block the spread of the infection.
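To show what a network operator can still do when there is no fixed port to filter on, the following added example (not code from the article or from Skype) scores NetFlow-style records per internal host on the behavioural signals the paragraph describes: many distinct peers, non-standard and varying destination ports, mixed UDP and TCP, and long-lived connections. The flow records, thresholds and the `Flow` type are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # internal host
    dst: str          # remote peer
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    duration_s: int   # how long the flow stayed up


# Constructed sample flows: 10.0.0.5 behaves like a port-hopping P2P client,
# 10.0.0.9 like an ordinary web client.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", "udp", 41872, 900),
    Flow("10.0.0.5", "198.51.100.23", "udp", 52210, 1200),
    Flow("10.0.0.5", "192.0.2.44", "tcp", 31337, 3600),
    Flow("10.0.0.5", "198.51.100.23", "tcp", 80, 1800),   # TCP/80 to a non-web peer
    Flow("10.0.0.5", "203.0.113.99", "udp", 60001, 60),
    Flow("10.0.0.9", "192.0.2.10", "tcp", 443, 15),
    Flow("10.0.0.9", "192.0.2.11", "tcp", 80, 5),
    Flow("10.0.0.9", "192.0.2.12", "tcp", 443, 30),
]

# Ports a typical client is expected to use; everything else counts as "ephemeral".
WELL_KNOWN = {25, 53, 80, 110, 143, 443, 993, 995}


def score_hosts(flows, min_peers=3, min_ephemeral_ratio=0.5, long_flow_s=600):
    """Return {host: (score, reasons)}; each matching signal adds one point."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)
    result = {}
    for host, fl in by_host.items():
        reasons = []
        if len({f.dst for f in fl}) >= min_peers:
            reasons.append("many peers")
        if sum(f.dport not in WELL_KNOWN for f in fl) / len(fl) >= min_ephemeral_ratio:
            reasons.append("ephemeral ports")
        if {f.proto for f in fl} == {"tcp", "udp"}:
            reasons.append("mixed udp/tcp")
        if any(f.duration_s >= long_flow_s for f in fl):   # persistent "virtual circuit"
            reasons.append("long-lived flow")
        result[host] = (len(reasons), reasons)
    return result


def suspected_p2p_hosts(flows, threshold=3):
    """Hosts whose score reaches the threshold, sorted for stable reporting."""
    return sorted(h for h, (score, _) in score_hosts(flows).items() if score >= threshold)
```

Heuristics like these produce candidates for closer inspection, not proof of a specific application; the thresholds need tuning against a site's own baseline traffic.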

Supernodes
Like its file sharing predecessor Kazaa, Skype employs an overlay peer-to-peer network. There are two types of nodes in this overlay network, ordinary hosts and super nodes. An ordinary host is a Skype application that can be used to place voice calls, send text messages, etc. A super node is an ordinary host’s endpoint on the Skype network, meaning that any ordinary host must first connect to a super node and authenticate itself with the Skype login server. Any node with a public IP address having sufficient CPU, memory, and network bandwidth is a candidate to become a super node - including machines that reside on enterprise networks. Because Skype super nodes are created dynamically, and could conceivably consume as much bandwidth as is available to them, enterprise IT managers consider these super nodes a significant risk to the health of their network.

Privacy and Authenticity
When you initiate a Skype conversation, how sure are you that you are actually reaching the user that you specified? Every Skype user has a username and a password. It appears that the network is used by Skype to perform username/password verification, but it isn’t clear how this is done. For example, hosts on the Skype network could relay the encrypted username/password combination back to Skype’s servers for approval. Alternatively, they could relay an unencrypted username/password combination. If the Skype network is indeed involved in the communications, several types of attacks may be possible:

• A malicious Skype client may learn the username/password combination of registered Skype users;
• If a Skype user accesses the Skype network through a malicious Internet Service Provider, the ISP may direct that user’s Skype communications to a malicious Skype node. Thus, it may be possible for a malicious ISP to learn any of its users’ Skype passwords;
• A malicious node may fake a valid authentication, allowing a client to log in with a particular Skype username even though the password for that username is not known.

When using Skype as a voice communications system, its users can often rely on identifying a person by the sound of their voice. This layer is absent, however, if Skype is used only for text messaging and exchanging files. These challenges are forcing carriers to look for accurate ways to detect Skype (and

© 2006, All information contained herein is the sole property of Pipeline Publishing, LLC. Pipeline Publishing LLC reserves all rights and privileges regarding
the use of this information. Any unauthorized use, such as copying, modifying, or reprinting, will be prosecuted under the fullest extent under the governing law.