
Blocking Skype


Hello All,

This is my first post in the IPS section, so I am an IPS newbie...

Can anyone tell me how I can block any Skype traffic and Facebook traffic using my IPS SSM-10?






You can use signature 11251 to block Skype. This signature fires when a Windows Skype client connects to the Skype server to synchronize its version. So you can configure 'drop packet inline' along with 'produce alert' as an action. Therefore you can identify the host trying to use the 'skype' client and proceed accordingly.

To block Facebook, you can create a custom signature which matches /facebook\.com/ in the HTTP header and configure actions like 'reset', 'deny connection', etc.
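The header match suggested in the reply above, as an added example that is not part of the original post and is not Cisco IPS configuration: it compares the unanchored pattern with a Host-header-only check over constructed requests. The function names, the stricter pattern and the sample hosts are assumptions, and Python's `re` stands in for the sensor's regex engine.

```python
import re

# Unanchored pattern as described in the reply: matches anywhere in the headers.
LOOSE = re.compile(rb"facebook\.com", re.IGNORECASE)
# Hypothetical stricter pattern: facebook.com or a subdomain, optional port.
STRICT_HOST = re.compile(rb"(?:[a-z0-9-]+\.)*facebook\.com\.?(?::\d+)?",
                         re.IGNORECASE)


def header_block(request: bytes) -> bytes:
    """Return everything before the blank line that ends the headers."""
    return request.split(b"\r\n\r\n", 1)[0]


def host_header(request: bytes):
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    for line in header_block(request).split(b"\r\n")[1:]:  # skip request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return None


def loose_match(request: bytes) -> bool:
    return LOOSE.search(header_block(request)) is not None


def strict_match(request: bytes) -> bool:
    host = host_header(request)
    return host is not None and STRICT_HOST.fullmatch(host) is not None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "direct": b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n",
    "referer_only": b"GET /news HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"Referer: http://www.facebook.com/l.php\r\n\r\n",
    "other_domain": b"GET / HTTP/1.1\r\nHost: facebook.com.example.net\r\n\r\n",
    "mixed_case_port": b"GET / HTTP/1.1\r\nHost: M.FaceBook.COM:80\r\n\r\n",
}


def classify():
    """Map each sample name to (loose_match, strict_match)."""
    return {n: (loose_match(r), strict_match(r)) for n, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in classify().items():
        print(f"{name:16} loose={loose} strict={strict}")
```

With a 'reset' or 'deny connection' action, the unanchored pattern would also act on the `referer_only` and `other_domain` requests, which are not requests to Facebook.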


Hello Padatta,

Where can I create and apply that custom signature? I am using ASDM 6.2.


There are three GUI-based options to connect to IPS.

1. Using ASDM.

     Try to connect to the 'Intrusion Prevention System' device from within ASDM.

2. Using IDM.

    Try https:// in a browser and you'll get an option to install/run IDM.

3. Using IME.

   Check this link:

   Once installed, try to add your sensor to IME. You can manage up to 5 sensors using IME.

Once you're connected to your sensor via one of the above methods, the following link should carry you through the steps of creating a custom signature.

You'll need a 'service http' type custom signature.



Signature will not be completely effective in blocking Skype traffic.

Signature 11251-0 only blocks exchanges with the host in the
packets. The only time this occurs is when the version is checked and not
during the actual phone calls. This is usually done when the client is started.
Again, this means that Skype traffic is not what fires this signature.
It is the client connecting to Skype to sync its version.

Skype uses an aggressive adaptive networking application that is designed to
reach the Internet. Skype sessions use an asymmetric key
exchange to distribute the 256 bit symmetric key employed by the AES cipher
for session encryption. Skype's initial outbound connection can use any
dynamic combination of TCP and UDP ports, including outbound ports 80 and
443, which are generally open for HTTP and HTTPS access. This renders
traditional port blocking filters completely ineffective. In addition, Skype
uses proprietary methods of NAT traversal similar to STUN (Simple Traversal
of UDP through NAT), ICE (Interactive Connectivity Establishment) and TURN
(Traversal Using Relay NAT) to ensure that you can reach the Internet and to
determine the client's eligibility to be a super node.

Because Skype uses a proprietary, encrypted protocol, specifically designed
to avoid detection and penetrate NAT, Firewalls and other network
instrumentations there is no formal method for any DPI technology to perform
compliant inspection of Skype traffic flows.

However there has been a bug filed on this and the development team is
working on it.


Sid Chandrachud
TAC security solutions

Wow ... that has to be one of the most informative posts I've read in a while.  Great info, Sid!

Thanks Sid, excellent write up. It's no wonder I am killing myself trying to block this thing. Still no luck.

Thanks again for the info.


Hi Siddharth,

Is there any progress on this issue of blocking Skype through IPS?


