UDP Hole Punching: how Skype gets through firewalls

When two machines running Skype need to communicate directly, but are both behind a NAT firewall, there’s a clever trick that’s employed to start a communication channel. It works like this:

First, both machines open a connection to a non-firewalled server. The server takes note of the source port (which may have been altered by the firewall) and sends this information to the other party to give it an idea of what port future connections might be coming from.

Client A then attempts to connect to a range of ports on client B’s machine. All of these requests fail at client B’s firewall, of course. However, the probes have a useful side effect: client A has told its own firewall to allow traffic from every one of client B’s scanned ports. Now, when client B attempts to connect to client A, assuming its outgoing port was among those previously scanned (which it likely will be), the request gets through to client A’s machine.

If all else fails, both machines can use a central server to proxy their connection, but the UDP hole punching trick will typically allow two NAT firewalled machines to communicate directly, which means less latency and a significantly lighter load on the server.
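As an added illustration (not code from the post or from Skype), the toy simulation below walks through the three steps above against a NAT that accepts inbound UDP only from a remote (ip, port) the client has already sent to. The server address is constructed, and the `drift` parameter is an assumption of this model: `drift=0` gives a NAT that reuses one external port for every peer, while `drift>0` hands out a fresh port per destination, which is why the port-range scan matters and why it can still miss.

```python
from dataclasses import dataclass, field

SERVER = ("203.0.113.10", 3478)   # constructed address for the rendezvous server

@dataclass
class Nat:
    """Toy NAT in front of one client. Inbound UDP is accepted only if the client
    already sent a datagram to that exact remote (ip, port): that is the "hole".
    drift=0 reuses one external port for every peer; drift>0 hands out a fresh
    port per destination IP, the behaviour that makes punching unreliable."""
    public_ip: str
    base_port: int
    drift: int = 0
    allowed: set = field(default_factory=set)    # remote (ip, port) pairs sent to
    ports: dict = field(default_factory=dict)    # destination ip -> external port

    def send(self, dst_ip, dst_port):
        """Translate an outbound datagram; returns the public endpoint peers see."""
        port = self.ports.setdefault(dst_ip, self.base_port + self.drift * len(self.ports))
        self.allowed.add((dst_ip, dst_port))
        return self.public_ip, port

    def accept(self, src_ip, src_port):
        """Would an inbound datagram from (src_ip, src_port) reach the client?"""
        return (src_ip, src_port) in self.allowed

def rendezvous(nat_a, nat_b):
    """Step 1: both clients contact the public server, which records the source
    address and port it sees for each and forwards them to the other client."""
    return nat_a.send(*SERVER), nat_b.send(*SERVER)

def punch(nat_a, nat_b, spread):
    """Steps 2-3: A probes ports around B's reported port, then B calls A.
    Returns True when datagrams now flow in both directions."""
    (a_ip, a_port), (b_ip, b_port) = rendezvous(nat_a, nat_b)
    a_ep = None
    # Every probe is dropped by B's NAT, but each one opens A's NAT to that port.
    for p in range(b_port - spread, b_port + spread + 1):
        a_ep = nat_a.send(b_ip, p)
    # B replies to the endpoint the server reported; this opens B's NAT for A.
    b_ep = nat_b.send(a_ip, a_port)
    return nat_a.accept(*b_ep) and nat_b.accept(*a_ep)
```

With both NATs at `drift=0` a single probe would do; with a drifting NAT on B's side the scan only succeeds if `spread` is wide enough to cover the port B actually uses toward A.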

Resources:
How Skype & Co. get round firewalls
RFC3489 STUN – Simple Traversal of UDP through NAT

11 thoughts on “UDP Hole Punching: how Skype gets through firewalls”

  1. This is my guide to using JanusVM in qemu
    First download and extract QEMU for Windows (Google it, first result)
    Then copy JanusVM.vmdk to this directory.
    Then open Command Prompt, cd to where QEMU is installed, and type:

    qemu-img convert JanusVM.vmdk -O qcow2 JanusVM.img

    When it is done, then type:

    qemu -L . -m 80 -net nic -redir tcp:8118::8118 -boot c -hda JanusVM.img

    It should now work. Set your browser’s proxy settings to 127.0.0.1 and port 8118.

    The second script (launcher script) has not been tested; if it doesn’t work, play around with the -net settings.

  2. I am using this for my final presentation in my college in 2 weeks. It’s about using a proxy to bypass the SonicWall content filtering system. This will be one of the three ways I will demonstrate in the presentation. At the end of the presentation I will show how this can also stop LAN users from sniffing packets.

    I read about it here first, so thanks. I will post a paper on the presentation after it’s over on my site http://www.linuxhaxor.net/blog

    pavs
