September 30, 2007

Additional thoughts on Skype and hotel networks - there's issues on both sides...

To my immense surprise, my article yesterday about my challenges with Skype and my hotel Internet connection just hit TechMeme today, so welcome, anyone who is coming my way from there. But that also prompted me to want to offer up some additional thoughts on the subject.

First, I'm actually quite annoyed at the Best Western here in Ontario, CA, for essentially blocking Skype by virtue of their network security traffic policies. If travel shall bring me to Ontario, CA, again, you can be pretty sure that I will not be staying here. Skype has become an important communication tool for me and <cue violins>was the way I was intending to call home and stay in touch with my family</violins>. Skype has worked great at the hotel I was at earlier in the week in Phoenix and in fact at every other hotel I've been at lately. I do intend to contact Best Western to express my dissatisfaction at being unable to use the program.

Having said that, as a security professional I do understand WHY the security team at the Internet provider to this Best Western hotel has the policies in place that they do. As Phil Wolff commented, Skype's launch "can look like the beginning of port scanning or a bot-gone-wild". Given that this provider is dealing with hotel rooms where random strangers are connecting who-knows-what onto the network, they have to be extremely vigilant (especially because customers like me will complain quickly if Internet access is slow/unavailable). The more I think about it, hotel networks are really an absolute nightmare from a security point-of-view. You have no way to enforce virus protection, people can put all sorts of machines in all sorts of states onto the network, systems with spyware can easily be scanning/attacking your network - it's really pretty crazy and I'm glad that I'm not involved with running such a network! (Although the security geek in me would admit that the aggregate data they must get from network traffic would probably be fascinating.) However, there is probably a compromise out there where the ISP can tune its filtering rules so that if it sees such traffic and can identify it as Skype traffic, it does not trigger the MAC lock-out.

Which brings me to the final point that there's a lesson here for anyone developing P2P apps, or I suppose any other apps that have a similar traffic profile. If the app generates traffic that looks like a bot or port scan, odds are that it will be blocked in some places like this one (and the hotel Phil was at). It would be great if developers could take that into account and either: a) naturally put in some kind of rate throttling; or b) perhaps provide a "hotel mode" where it throttles back the number of sessions to some (perhaps user-settable but with a default) value. This of course would make it take longer for things like presence information to appear, but would at least let you continue to operate the program without triggering the network security alarms. Of course, you'd have to change to that mode, which many people would forget to do and wind up being locked out, but it might be an interesting "advanced" option for those who know what to do with it.
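To make the "hotel mode" idea concrete, here is an added sketch (not Skype's code and not the hotel provider's filter) that models a gateway locking out a MAC once its concurrent sessions pass a limit, and a P2P client connecting with and without a session cap. The 200-session limit, the cap of 50, the MAC address and the peer list are constructed assumptions; 396 is the session count the tech reported in the earlier post.

```python
from collections import deque

class GatewayFilter:
    """Assumed model of the hotel filter: per-MAC concurrent session limit."""
    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.active = {}      # mac -> set of (ip, port) destinations
        self.locked = set()   # MACs that have tripped the filter

    def open(self, mac, dst):
        if mac in self.locked:
            return False
        sessions = self.active.setdefault(mac, set())
        sessions.add(dst)
        if len(sessions) > self.max_sessions:
            self.locked.add(mac)   # too many sessions: lock the MAC out
            sessions.clear()
            return False
        return True

    def close(self, mac, dst):
        self.active.get(mac, set()).discard(dst)

def connect_peers(gw, mac, peers, session_cap=None):
    """Open a session to each peer. With session_cap set ("hotel mode"),
    the oldest session is closed before the cap would be exceeded, so
    peers are reached a batch at a time instead of all at once."""
    open_sessions, reached, peak = deque(), 0, 0
    for dst in peers:
        if session_cap is not None and len(open_sessions) >= session_cap:
            gw.close(mac, open_sessions.popleft())
        if not gw.open(mac, dst):
            break                  # locked out: nothing else gets through
        open_sessions.append(dst)
        reached += 1
        peak = max(peak, len(open_sessions))
    return {"reached": reached, "peak": peak, "locked_out": mac in gw.locked}

def demo():
    # Constructed peers in a documentation address range, one per session.
    peers = [(f"198.51.100.{i % 250 + 1}", 30000 + i) for i in range(396)]
    mac = "02:00:00:00:00:01"      # constructed, locally administered MAC
    normal = connect_peers(GatewayFilter(200), mac, peers)
    hotel = connect_peers(GatewayFilter(200), mac, peers, session_cap=50)
    return normal, hotel

if __name__ == "__main__":
    print(demo())
```

The capped run reaches every peer without the lock-out, at the cost of holding only 50 sessions at a time, which is the slower-presence trade-off described above.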

Any other "lessons learned" you see here?


September 29, 2007

How using Skype disrupted my hotel Internet connection and locked me out

UPDATE: I have now posted some additional thoughts about this issue.


It's been a frustrating time here at the hotel in Ontario, CA, where all I've been trying to do is use the Internet connection. I'm staying at the Best Western and did so largely because they advertised free high-speed Internet (they were also cheaper than others). First annoyance was discovering that I was too far away from their APs to use wireless, but since I had an ethernet cable I just plugged into the wall jack and expected to get access. The very first time I connected, I did get an IP address and could see an entry in my routing table for the default gateway. However, I couldn't ping it.

Being rather used to network troubleshooting, I did the usual things... bringing the interface up and down, disconnecting and re-connecting the cable. I even went to the hotel lobby and got a new cable in case the issue was with my portable/retractable cable.

Nothing. No net.

In desperation I did the thing that tech support always tells you to do but I avoid... reboot. Nothing.

So finally this morning I got on the phone to the Best Western tech support and after waiting, oh, 20 minutes or so I got through to a tech and ultimately we figured out the problem:

Skype!

More specifically, all the bizillion connections that Skype was making out into the P2P cloud. The tech reset the switch and asked me to connect again and his immediate response was "Whoa! Something on your computer is generating an incredible number of sessions out to the Internet! You are tripping our filters and it is blocking out your MAC address." With him on the phone, we tried some experimentation. I shut down Skype, at which point he said I was generating much more normal traffic. As soon as I launched it again, he noticed a very large jump in the number of session connections I was establishing. He said it was something like 396 sessions he was seeing coming from my computer. He also said that I'll keep being locked out of their system if I keep Skype running.

So I shut down Skype. Which, of course, is annoying. Part of why I wanted to use the high-speed Internet is to use Skype for IM and for voice/video calls.

I find it a bit odd that Skype was generating so much extra traffic, but then again I am pretty much always connected into several persistent group chats and had maybe 8 or 10 individual chat windows still open that I'd left open from when I'd last been chatting with the person. (The Mac Skype client makes this easy to do, but I'll write about that sometime.) The persistent group chats, especially, do generate a good number of connections as they link out into the P2P cloud. Perhaps if I closed all of those windows and killed off all my individual chat windows Skype might have behaved better. (Or perhaps not, I might have had to leave the persistent chats in order for Skype to stop making those connections.) I don't want to try it out, because I do want to keep my Internet connection up right now.

In any event, should you be at a hotel and find yourself unable to connect... it might be a P2P app like Skype tripping off the hotel's filters and blocking your access. Fun, fun, fun....


Full Disclosure

  • Dan York, CISSP, is Director of Emerging Communication Technology at Voxeo Corporation. He is also the Best Practices Chair of the VOIP Security Alliance (VOIPSA).

    Note that neither Voxeo nor VOIPSA have any connection to this weblog and any opinions stated here are entirely Dan's.
