The Skype Community

Novel Adventurer
akg1330
Posts: 4
Registered: ‎21-07-2011
Accepted Solution

Spoofed invite protection?

Greetings:

 

I'm setting up Skype Connect for inbound calls to an Avaya environment, terminating on an Acme Packets SBC.

 

Because the transport is UDP, there doesn't seem to be any way to prevent someone from spoofing an INVITE and causing our phones to ring.  I've tried this successfully.

 

I've tried both IP authentication and registration.  Again, because both use UDP, I must implicitly trust any UDP packet sourced from 2.sip.skype.com or 1.sip.skype.com.

 

Anyone have any ideas on how to mitigate this risk?  Will we ever see either TCP or TLS as a transport for this service?  What about authenticated INVITEs?

 

Thanks.

 

Reliable Adventurer
VictorS
Posts: 116
Registered: ‎28-06-2011

Re: Spoofed invite protection?

Hello akg1330,

 

I've only heard this question once.  That user found that Skype's Fraud Department and the Skype Enterprise Support teams have the tools to TRACE EVERY call coming in and going out of our SBCs. We can trace BACK to any user that tries to place malicious or fraudulent calls into Skype.  We value the security of our users and protect you around every corner.  If you have issues with this, please come into our Live Chat immediately and we will start tracing for you and escalate this to Skype's Security and Fraud departments.

 

You can Chat with us 24/7 by logging into your Skype Manager and clicking on the Chat button in the top right of that screen.

 

I hope this answers your question.

 

Regards,

 

Victor S.

 

Skype Enterprise Support

 

Novel Adventurer
akg1330
Posts: 4
Registered: ‎21-07-2011

Re: Spoofed invite protection?

Thanks for the quick reply. 

 

My concern isn't someone placing fraudulent calls through the Skype network (though it's good to know we've got help if that happens), but rather someone not associated with Skype can send a SIP INVITE with a source address of the Skype SBCs (which are well known).  Because UDP (which is, currently, the only supported transport protocol) is trivial to spoof, and because many ISPs don't implement anti-spoofing measures, we have no way of knowing if the packet really did come from Skype or from someone else.

 

The only way to prevent this would be to implement TCP, or better yet, TLS.  Some vendors are supporting something called Authenticated Invites, though I don't believe this is standard.

 

Thanks.

Reliable Adventurer
VictorS
Posts: 116
Registered: ‎28-06-2011

Re: Spoofed invite protection?

Hello akg1330,

 

In response to your response, your question would have to be answered by our Program Engineers.  In order to do that, a "Trouble Ticket" would have to be created and sent up the line to get to the GearHeads that create all of this stuff.  They might have to contact you directly though.

 

If you would, log into your Skype Manager and click on the Chat button on the top right hand of the screen and start a Chat session with us here, and ask the agent to have a JIRA ticket created "to answer a technical question about security and your system". Tell the agent that you just need a couple of questions answered by the "Big Boys" in Programming.

 

I hope that helps you.   Thanks for using the Skype Connect Forum.

 

Regards,

 

Victor S.

 

Skype Enterprise Support

 

Novel Adventurer
akg1330
Posts: 4
Registered: ‎21-07-2011

Re: Spoofed invite protection?

Great.  Thanks for the advice.

Reliable Adventurer
ChrisK
Posts: 36
Registered: ‎28-06-2011

Re: Spoofed invite protection?

Hello akg1330,

 

We have now introduced TLS capability to our system.  You would need to enable it on your PBX and use port 5061.

 

Hope this gives you new comfort for the security of our system.

 

Regards,

 

Chris K.

Skype Enterprise Support

If you found a post useful then please give Kudos. If it helped to fix your issue then mark it as a solution to help others, Thanks......
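
Added example, not part of the thread and not Skype's or any vendor's code: an ingress policy for the trunk that ties the concern raised earlier (a UDP source address proves nothing) to the TLS option announced above. The decision keys on how the request arrived and on the certificate-verified peer name, never on the source IP or on headers the sender controls. The function names, the `example.com` sample message and the assumption that the peer certificate is validated against the two hostnames quoted in the thread are all illustrative.

```python
import re

# Hostnames named in the thread. Assumption (not stated on the page): the
# trunk's TLS certificate is validated against these names by the TLS layer.
TRUSTED_PEERS = {"1.sip.skype.com", "2.sip.skype.com"}
VIA_RE = re.compile(r"SIP\s*/\s*2\.0\s*/\s*(\w+)\s+([^;,\s]+)", re.I)

def top_via(raw: bytes):
    """Return (transport, sent_by) from the topmost Via header, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    head = re.sub(r"\r\n[ \t]+", " ", head)        # unfold continuation lines
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):    # "v" is the compact form
            m = VIA_RE.match(value.strip())
            return (m.group(1).upper(), m.group(2)) if m else None
    return None

def admit(raw: bytes, arrived_over: str, verified_peer):
    """Decide whether to process a SIP request.

    arrived_over  -- transport of the listener that received it (UDP/TCP/TLS)
    verified_peer -- hostname validated from the peer certificate, or None
    """
    method = raw.split(b" ", 1)[0].decode("ascii", "replace")
    if arrived_over != "TLS":
        return False, f"{method} over {arrived_over}: source address is unauthenticated"
    if verified_peer not in TRUSTED_PEERS:
        return False, f"{method}: peer certificate name {verified_peer!r} not trusted"
    via = top_via(raw)
    if via is None or via[0] != "TLS":
        return False, f"{method}: top Via does not declare TLS"
    return True, f"{method} accepted from {verified_peer}"

def make_invite(via_transport: str) -> bytes:
    """Constructed sample INVITE (example.com names are placeholders)."""
    return (f"INVITE sip:reception@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{via_transport} 1.sip.skype.com:5061;branch=z9hG4bKconstructed\r\n"
            "From: <sip:caller@example.com>;tag=1\r\nTo: <sip:reception@pbx.example.com>\r\n"
            "Call-ID: constructed-1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n").encode()

if __name__ == "__main__":
    print(admit(make_invite("UDP"), "UDP", None))               # rejected
    print(admit(make_invite("TLS"), "TLS", "1.sip.skype.com"))  # accepted
```

For the policy to hold, the plain UDP listener on the trunk interface has to be closed or left unrouted to the PBX; a request that claims `1.sip.skype.com` in its Via but arrives over UDP is rejected on transport alone.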
Novel Adventurer
akg1330
Posts: 4
Registered: ‎21-07-2011

Re: Spoofed invite protection?

Glad to hear this.  This makes it much more likely we will more widely use Skype Connect.

 

I'm working with our vendor for the procedure to implement TLS on our side.

 

Thanks for the follow up.

Reliable Adventurer
ChrisK
Posts: 36
Registered: ‎28-06-2011

Re: Spoofed invite protection?

[ Edited ]

Hello akg1330,

Thanks for your feedback and for being a frequent visitor of our forums. We appreciate your questions.

Regards,

Chris Knott
Skype Enterprise Support
© 2013 Skype and/or Microsoft. The Skype name, associated trade marks and logos and the "S" logo are trade marks of Skype or related entities. Use of this website constitutes acceptance of the Terms of Use and Privacy and Cookie policy.
