2013-geddes-cover
findings extracted from this paper
-
Injecting a single replayed ACK packet every 100 ms into a SkypeMorph session is sufficient to permanently stall data transfer: the server continuously resets its sequence counter back to the replayed position and never advances, while legitimate VoIP call traffic is completely unaffected. The attack requires the censor to induce only a small amount of server-to-client packet loss to prevent the legitimate ACK counter from overtaking the injected value, as shown in Figure 5b.
-
FreeWave's modem synchronization depends on a preamble transmitted only at connection start (approximately 0.25 seconds for a 2048-symbol preamble); a censor applying 95% packet loss for under one second at the beginning of the session reliably prevents synchronization and breaks the connection, while reducing VoIP MOS only briefly and leaving the remainder of the session intact (Figure 2). With fixed data-frame designs, the censor can repeat preamble-targeted drops on every frame, achieving complete desynchronization at low average packet loss rates tolerable to legitimate VoIP.
-
SkypeMorph and FreeWave both overlay a client-proxy communication model onto a peer-to-peer VoIP network; because Skype clients attempt direct peer contact before falling back to supernodes, initiating a call to a FreeWave proxy reveals its IP address directly to the caller, and proxy nodes accumulate user-to-bridge ratios that reached 8–12× in Syria/Iran and up to 120:1 in China (Figure 8), producing concentration signatures uncharacteristic of normal P2P call distributions. These architectural mismatches allow enumeration and fingerprinting attacks independent of traffic-content analysis.
-
By targeting SkypeMorph's deterministic ACK-flagging schedule (one ACK every ~100 ms) and capping overall packet loss at 5–20%, a censor can drop up to 47% of ACK packets, reducing SkypeMorph throughput from its normal ~200 KB/s to 5–10 KB/s (a 90–95% reduction) while VoIP call quality remains within acceptable MOS thresholds. The attack exploits the reliability mismatch between the loss-tolerant UDP cover channel and the TCP-like retransmission layer SkypeMorph builds over it.
-
FreeWave's modem generates audio whose packet-length distribution has dramatically lower variance than human speech, even when transmitted through Skype's variable-bit-rate encoder; Figure 9 shows that English and Portuguese speech samples produce high-variance packet-length sequences while modem audio produces a narrow, nearly constant distribution, providing a reliable passive classifier for modem-over-VoIP traffic. This content mismatch persists even with perfect emulation of the VoIP protocol framing.