DocumentCode :
2441371
Title :
Network Forensic on Encrypted Peer-to-Peer VoIP Traffics and the Detection, Blocking, and Prioritization of Skype Traffics
Author :
Leung, Chun-Ming ; Chan, Yuen-Yan
Author_Institution :
Chinese Univ. of Hong Kong, Shatin
fYear :
2007
fDate :
18-20 June 2007
Firstpage :
401
Lastpage :
408
Abstract :
Skype is a popular peer-to-peer (P2P) voice over IP (VoIP) application evolving quickly since its launch in 2003. However, the ability to traverse network address translation (NAT) and bypass firewalls, as well as the induced bandwidth burden due to the super node (SN) mechanism, make Skype considerably a threat to enterprise networks security and availability. Because Skype uses both encryption and overlays, detection and blocking of Skype is non-trivial. Motivated by the work of Biondi and Desclaux [3], we adopt the view of Skype as a backdoor and we take a forensic approach to analyze it. We share our experience in this paper. With the forensic evidence, we identify a transport layer communication framework for Skype. We further formulate a set of socket-based detection and control policies for Skype traffics. Our detection method is a hybrid between payload and non-payload inspections, with improved accuracy and version sustainability over the traditional payload-only approaches. Our solution is practicable both inside and outside the NAT firewalls. This breakthrough makes the detection, blocking, and prioritization of Skype traffics possible in both the enterprise internal networks and the Internet Services Providers carrier networks.
Keywords :
Internet telephony; authorisation; peer-to-peer computing; telecommunication security; telecommunication traffic; Internet Services Providers; Skype traffics blocking; Skype traffics detection; encrypted peer-to-peer VoIP traffics; enterprise networks security; firewalls; network address translation; network forensic; nonpayload inspections; payload inspections; socket-based detection; super node mechanism; transport layer communication framework; Bandwidth; Communication system traffic control; Cryptography; Forensics; Internet telephony; Network address translation; Payloads; Peer to peer computing; Telecommunication traffic; Tin;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Enabling Technologies: Infrastructure for Collaborative Enterprises, 2007. WETICE 2007. 16th IEEE International Workshops on
Conference_Location :
Evry
ISSN :
1524-4547
Print_ISBN :
978-0-7695-2879-3
Type :
conf
DOI :
10.1109/WETICE.2007.4407198
Filename :
4407198