Today we discovered from a gloating student that Skype was still managing to work in our network. To combat this, with the help of Google I delved into the net to find out the various methods that Skype uses to connect to the internet, while my colleague tailed the student's internet traffic. We both discovered that when Skype cannot connect traditionally using TCP ports (and the GET command), it creates an SSL tunnel (using the CONNECT command) to bypass any proxy authentication methods.
To block this pest (a clever one at that) we created an Access Control List which blocks any CONNECT method that connects to an IP address, as Skype does not use DNS names to connect the Skype clients to one another (outright blocking CONNECT would make all SSL-based websites, like secure banking or external webmail, cease to work). A detailed write-up can be found at http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html and all credit goes to the creator of that document for discovering how to block Skype without blocking legitimate traffic.
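The rule described above, written out as an added Python example (not code from this post or from the linked write-up): it denies CONNECT requests whose target is an IP literal and lets hostname CONNECTs and other methods through. The function names, the sample request lines and the choice to deny malformed lines are assumptions made for illustration.

```python
import ipaddress

def connect_target_is_ip(authority: str) -> bool:
    """True when the host part of a CONNECT authority (host:port) is an IP literal."""
    host = authority.strip()
    if host.startswith("["):
        # Bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        # Plain host:port, drop the port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False  # a DNS name, which the ACL leaves alone

def decide(request_line: str) -> str:
    """Return 'deny' or 'allow' for one proxy request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return "deny"  # assumption: malformed request lines are refused
    method, target, _version = parts
    if method.upper() == "CONNECT" and connect_target_is_ip(target):
        return "deny"  # tunnel straight to an IP address
    return "allow"     # hostname CONNECT (banking, webmail) and other methods

def review(lines):
    """Pair each request line with the decision the ACL would make."""
    return [(decide(line), line) for line in lines]

# Constructed sample request lines (documentation addresses and names).
SAMPLE = [
    "CONNECT 192.0.2.10:443 HTTP/1.1",
    "CONNECT webmail.example.org:443 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "GET http://192.0.2.10/ HTTP/1.1",
]

if __name__ == "__main__":
    for decision, line in review(SAMPLE):
        print(f"{decision:5}  {line}")
```
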