UDP Hole Punching

Just read this great article on how Skype and other peer-to-peer applications are using UDP hole punching to get around firewalls, which allows them to establish direct connections between clients and speeds up their applications, as nothing really has to go through the main servers. Traffic can still go through the servers if this type of connection does not work, such as on busy networks, but it really slows things down on the client and on Skype’s servers.

But anyone who has used the popular internet telephony software Skype knows that it works as smoothly behind a NAT firewall as it does if the PC is connected directly to the internet. The reason for this is that the inventors of Skype and similar software have come up with a solution.

The trick used by VoIP software consists of persuading the firewall that a connection has been established, to which it should allocate subsequent incoming data packets. The fact that audio data for VoIP is sent using the connectionless UDP protocol acts to Skype’s advantage. In contrast to TCP, which includes additional connection information in each packet, with UDP a firewall sees only the addresses and ports of the source and destination systems. If, for an incoming UDP packet, these match a NAT table entry, it will pass the packet on to an internal computer with a clear conscience.

Network administrators who do not appreciate this sort of hole in their firewall and are worried about abuse, are left with only one option – they have to block outgoing UDP traffic, or limit it to essential individual cases. UDP is not required for normal internet communication anyway – the web, e-mail and suchlike all use TCP. Streaming protocols may, however, encounter problems, as they often use UDP because of the reduced overhead. Source: heise Security

The easiest way to stop this is to block, or at least limit, all outgoing UDP traffic. Read the article; it has some good information and examples on how you can do this yourself.
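As an added example (not code from this post or from the heise article), the following Python model of a NAT firewall table shows both points above: why one outgoing UDP packet creates a table entry that a later incoming packet from the same remote endpoint can match, and why an egress policy that only permits outgoing UDP to an allowlisted destination (here, a DNS resolver) prevents the entry, and therefore the hole, from ever being created. All addresses, ports, and the rendezvous server endpoint are constructed for the example; the model is a simplified address-and-port-restricted NAT, not any particular vendor's implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed rendezvous server endpoint that both peers contact first.
RENDEZVOUS = ("203.0.113.10", 3478)


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatFirewall:
    """Toy NAT + stateful filter. Tracks, per public port, which remote
    endpoints the internal host has already sent to; only those may reply."""
    public_ip: str
    # Egress allowlist of (ip, port) for outbound UDP. None = allow all,
    # which is the default that makes hole punching work.
    udp_egress_allow: Optional[frozenset] = None
    mappings: dict = field(default_factory=dict)   # public_port -> (internal_ip, internal_port)
    peers: dict = field(default_factory=dict)      # public_port -> {(remote_ip, remote_port)}
    next_port: int = 40000

    def _public_port_for(self, internal):
        for pport, mapped in self.mappings.items():
            if mapped == internal:
                return pport
        pport = self.next_port
        self.next_port += 1
        self.mappings[pport] = internal
        self.peers[pport] = set()
        return pport

    def outbound(self, pkt: UdpPacket) -> Optional[UdpPacket]:
        """Translate a packet leaving the LAN. Returns None if egress policy drops it;
        a dropped packet creates no table entry, so nothing can later match it."""
        if self.udp_egress_allow is not None and (pkt.dst_ip, pkt.dst_port) not in self.udp_egress_allow:
            return None
        pport = self._public_port_for((pkt.src_ip, pkt.src_port))
        self.peers[pport].add((pkt.dst_ip, pkt.dst_port))
        return UdpPacket(self.public_ip, pport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: UdpPacket) -> Optional[UdpPacket]:
        """Deliver a packet arriving from the internet. The firewall only compares
        addresses and ports against its table: a match is forwarded, anything else dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.mappings:
            return None
        if (pkt.src_ip, pkt.src_port) not in self.peers[pkt.dst_port]:
            return None  # unsolicited: no entry for this remote endpoint
        in_ip, in_port = self.mappings[pkt.dst_port]
        return UdpPacket(pkt.src_ip, pkt.src_port, in_ip, in_port)


def hole_punch(nat_a: NatFirewall, nat_b: NatFirewall, a_internal, b_internal) -> bool:
    """Run the exchange the article describes and report whether B's packet reaches A.
    The rendezvous server is not modelled beyond learning each side's public endpoint."""
    # 1. Both peers send to the rendezvous server; the replies' source fields are their public endpoints.
    reg_a = nat_a.outbound(UdpPacket(*a_internal, *RENDEZVOUS))
    reg_b = nat_b.outbound(UdpPacket(*b_internal, *RENDEZVOUS))
    if reg_a is None or reg_b is None:
        return False  # egress policy already stopped the registration step
    a_public = (reg_a.src_ip, reg_a.src_port)
    b_public = (reg_b.src_ip, reg_b.src_port)
    # 2. Each side sends one packet to the other's public endpoint. That outgoing packet
    #    is what "persuades" its own NAT that a connection exists.
    punch_a = nat_a.outbound(UdpPacket(*a_internal, *b_public))
    punch_b = nat_b.outbound(UdpPacket(*b_internal, *a_public))
    if punch_a is None or punch_b is None:
        return False
    # 3. B's packet arrives at A's NAT and matches the entry created in step 2.
    return nat_a.inbound(punch_b) is not None


if __name__ == "__main__":
    a, b = ("10.0.0.2", 5000), ("192.168.1.9", 5000)
    print("default NAT, hole punched:", hole_punch(NatFirewall("198.51.100.1"), NatFirewall("198.51.100.2"), a, b))
    strict = NatFirewall("198.51.100.1", udp_egress_allow=frozenset({("203.0.113.53", 53)}))
    print("UDP egress limited to resolver, hole punched:", hole_punch(strict, NatFirewall("198.51.100.2"), a, b))
```

The mitigation variant mirrors the article's advice: with `udp_egress_allow` set, ordinary DNS to the allowlisted resolver still works, but the packet to the rendezvous server is dropped before it can create a table entry, so no later inbound packet has anything to match.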