Re: [SLUG] MS IM stuff

• Next message: Eric A. Hicks: "Re: [SLUG] Leeching a website"
• Previous message: D. Sandmann: "Re: [SLUG] Samba help"
• In reply to: Chuck Hast: "[SLUG] MS IM stuff"
• Next in thread: Chuck Hast: "Re: [SLUG] MS IM stuff"
• Reply: Chuck Hast: "Re: [SLUG] MS IM stuff"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Fri, 2005-06-10 at 20:03 -0600, Chuck Hast wrote:
> Folks,
> I think this stuff is coming through the router/firewall, but not sure.
>
> I have tried to block it but it is still appearing on my local network
> I would like to get rid of it.
>
> UDP (310 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (366 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (294 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (286 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (330 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (306 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (360 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (358 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (362 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0 │
> │ UDP (354 bytes) from 192.168.1.1:1900 to 239.255.255.250:1900 on eth0
>
> This is SSDP, from what I can see it should be coming from a windows
> machine, but the 192.168.1.1 address is the lan port on my router, so either
> it is coming from the cable network side or the router it's self.
>
> I tried to filter it out and it was still there so I am now wondering
> if the silly
> router is generating it.

As much as we all love Gibson Research.... Here's a link to their site
that talks about UPnP and the details of port 1900. 239.255.255.250 is
part of a reserved range for multicast messages and other. Gibson
offers a free applet that disables UPnP on windows boxes (enabled by
default). Follow the link on the bottom of the page. We've used it
here a few times as our IDS (Snort based) had thousands of entries from
a UPnP rule.

If it's a hardware router it may be possible to turn off UPnP. I've
read a couple of articles about it. Google it's model number or post it
here to see if we can find a way to disable it.

HTH!

Mike Branda Jr.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.

• Next message: Eric A. Hicks: "Re: [SLUG] Leeching a website"
• Previous message: D. Sandmann: "Re: [SLUG] Samba help"
• In reply to: Chuck Hast: "[SLUG] MS IM stuff"
• Next in thread: Chuck Hast: "Re: [SLUG] MS IM stuff"
• Reply: Chuck Hast: "Re: [SLUG] MS IM stuff"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:57 EDT