2

Is there a way to monitor number of attempted Skype connections on a specified port and dynamically firewall off the offending IPs if they break a certain threshhold within a specific time limit - in Windows 7?

On a Linux box, though it's a bit crude, I know I could use wireshark or nstat and output to a file, then cron a job to grep through and then parse the data for number of attempted connections to a specified port, add a firewall rule to iptables, then truncate the log file for the next iteration, and I'm all set. I'm a bit lost on how to go about this or something similar on a Windows 7 box.

The situation I'm trying to solve is that I have several users that need Skype access. Resolving a skype username to IP is fairly simple and this has resulted in their machines being DDOS'd on occasion. While I know I could do this upstream on a full-fledged ASA or similar device, for various networking reasons I'm trying to find a solution that can be implemented on the users computer. White-listing and blocking everybody else is not an option.

Thanks for any input or ideas on this.

Peter
  • 252
  • 2
  • 14
  • Why are people randomly DDOSing your Skype users? That seems odd. – ceejayoz Jul 26 '13 at 21:36
  • @ceejayoz Apparently we have not yet achieved world peace. I'm having the activity logs looked into, but meanwhile I need to solve the issue. – Peter Jul 27 '13 at 01:57
  • I'm unclear about how you are expecting limiting the number of logins to prevent DDoS attacks. It only takes one connection for someone to get your IP address, and the DDoS will probably not be valid Skype connectiions. – devicenull Jul 28 '13 at 01:23

1 Answers1

2

Implement rate limiting on connections being sent out FROM your router TO your internal addresses on port 2398 (Skype).

In Linux, it's not crude at all. You'd use a rate limiter on your FORWARD chain like so:

iptables -A OUTPUT -p tcp --dport 2398 -o eth1 -m state --state NEW \
    -m recent --set
iptables -A OUTPUT -p tcp --dport 2398 -o eth1 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 4 -j DROP

Windows? Sorry. Left as an exercise for the reader, but the pieces are there ^

MikeyB
  • 38,725
  • 10
  • 102
  • 186
  • Great idea and that may be how I handle it in the end, just keeping question open a little longer in case anybody has a solution that I can implement on the user's Win7 station as that would be ideal for current circumstances. – Peter Jul 27 '13 at 01:59