[unisog] large netflow values and skype?

Michael Holstein michael.holstein at csuohio.edu
Thu Jun 22 15:34:19 GMT 2006

Yes .. Skype can have thousands of connections if the host becomes a 
supernode. University networks (with open firewall policies and 
high-bandwidth connections) are prime for clients doing this.

AFAIK, there is no "network approach" to preventing it, other than 
blocking Skype altogether.


David Herd wrote:
> Hi,
> I'm receiving reports of large netflows over various ports on some of
> our machines.
> I've looked at the machines and they don't seem to have anything major
> wrong.
> I've made sure that they have the latest OS patches, virus programs and
> anti-spyware tools.  I've also checked for rootkits.  What I have found
> is that most of the machines have Skype on them.
> I know that under certain conditions Skype will promote a machine to a
> supernode.
> Is this what I'm seeing?
>  Flows     Source IP  Dest Port  Protocol     Router    Packets  Bytes
>    130     X.X.X.X        dns       udp       pabxbcr1   130    9.1 KB
>    142     X.X.X.X        dns       udp       libdr1     142    9.9 KB
>    206     X.X.X.X        dns       udp       libbs1     206   14.4 KB
> Each computer seems to use the same port consistently, e.g. udp/53,
> tcp/80, and it has disappeared both times I've closed the Skype client.
> Has anybody else noticed Skype will suddenly produce large netflows?
> Thanks
> David
> David Herd
> Computer Systems Officer
> School of Mechanical & Manufacturing Engineering
> University of New South Wales SYDNEY NSW 2052 AUSTRALIA
> Ph:   + 61-2-9385 4115
> Fax: + 61-2-9663 1222
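An added example, not part of the original thread: a Python sketch of how the pattern discussed above (one host, many peers, one consistent port such as udp/53) could be picked out of flow records. The record layout, addresses, resolver allow-list and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed allow-list: the only peers a client should talk to on udp/53.
RESOLVERS = {"192.0.2.53"}
EXPECTED_PEERS = {("udp", 53): RESOLVERS}


def sample_flows():
    """Constructed flow records: (src_ip, dst_ip, proto, dst_port)."""
    flows = []
    # Host A: 150 flows to 150 different peers, all on udp/53, none a resolver.
    for i in range(150):
        flows.append(("10.0.0.5", f"198.51.100.{i + 1}", "udp", 53))
    # Host B: ordinary client, DNS to the resolver plus a little web traffic.
    flows += [("10.0.0.9", "192.0.2.53", "udp", 53)] * 40
    flows += [("10.0.0.9", "203.0.113.10", "tcp", 80)] * 10
    return flows


def triage(flows, min_peers=100, min_share=0.8):
    """Flag hosts whose traffic concentrates on one (proto, port) while
    fanning out to many distinct peers that are not expected on that port."""
    peers = defaultdict(lambda: defaultdict(set))
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port in flows:
        peers[src][(proto, port)].add(dst)
        counts[src][(proto, port)] += 1

    findings = {}
    for src, by_port in counts.items():
        total = sum(by_port.values())
        # Dominant service for this host: the port carrying the most flows.
        key, n = max(by_port.items(), key=lambda kv: kv[1])
        unexpected = peers[src][key] - EXPECTED_PEERS.get(key, set())
        if len(unexpected) >= min_peers and n / total >= min_share:
            findings[src] = {"port": key, "peers": len(unexpected),
                             "share": n / total}
    return findings


if __name__ == "__main__":
    for host, info in triage(sample_flows()).items():
        print(host, info)
```

The thresholds need tuning per site: a busy web proxy would also fan out to many peers on tcp/80, so a hit is a prompt to look at the host, not a verdict.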