Wednesday, July 25, 2007

skype supernode, Skype and Firewalls, updated information

I got this information as a comment left on "How to be or not to be a skype supernode?" and following up gave me some good information. I think I should share it.
The comment can be found at the above link.
First of all how not to be a skype supernode and do it properly and without drawbacks:
How not to be a skype supernode!
Windows Registry Editor Version 5.00

using your favorite registry editor. Be carefull with that registry and always make a backup.

Also keep this in mind;
Best Advise is NOT to run as Administrator or Skype can, and does, make changes to your firewall. If you do run and a non Administrator you will have to remove any Skype exceptions you don't want while running as Administrator and then switch back.

There is an article about this called "Enterprises Need to Deal with Skype Boom" published on Eweek :,1895,2043368,00.asp

Windows XP Firewall and Skype

"Skype also attempts to modify desktop firewall settings to
allow itself to run optimally. If the firewall rule gets
disabled, the next time Skype starts it will re-enable its
firewall exception (if the user has permission to modify
firewall settings)."

Using Skype behind a NAT - note for home users of Skype behind a router

"A firewall that blocks inbound traffic or uses NAT
(Network Address Translation) also won't stop Skype.
When a Skype client starts, it opens a session with
a supernode in the Skype network.

If the client cannot be contacted from the Internet,
the supernode will notify the client when a call comes
in?via the open connection. If the recipient cannot
directly contact the sender, the supernode or a relay
agent can then act as a proxy between the two callers. "

This information came directly from Skype.
Skype uses peer-to-peer communications in order to allow users to find one another. Consequently, a small percentage of our users will hold a record reflecting the online presence of other users. When one user holds a record concerning the presence of other users, the former is called a "supernode", or directory node.

Even though the traffic sent to supernodes is negligible, some institutions are interested in preventing users on their network from becoming supernodes and, thereby, answering directory enquiries for other users.

There are several ways to prevent Skype from becoming a supernode:

  • Beginning with Skype 3.0, an explicit switch is provided in the registry settings to allow the disabling of supernode functionality.
  • Any computer hosted on a network that is behind a network address translation (NAT) device or restrictive firewall will disable supernode functionality.
  • Skype clients behind an HTTP or SOCKS5 proxy will not serve as supernodes.

Enterprises typically opt for using the registry setting technique for turning off supernode functionality, simply because it is very straightforward to deploy a Windows GPO that contains the appropriate registry key setting. However, universities often find this more problematic because the computers may not be owned or operated by the host institution, making it difficult or impossible to ensure that registry keys are set properly.

In these cases, it may be more useful to set up a SOCKS5 proxy. Skype can be configured to use a SOCKS5 proxy, regardless of whether the client finds itself on a network with a public IP address or on one with a private IP address.

While the use of a SOCKS5 proxy still requires manual intervention by the user, the use of a proxy allows the economical "shaping" of Skype traffic. It has the additional positive side-effect of reducing supernodes on the network, reducing false-positive intrusion prevention system alarms and allowing for accurate measurement of Skype usage on the proxied network.


Blog Widget by LinkWithin