Date:      Wed, 24 Jul 2002 00:20:09 -0500
From:      Greg Panula <greg.panula@dolaninformation.com>
To:        Michael Sharp <freebsd@ec.rr.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: SSDP?
Message-ID:  <3D3E3909.3C1A0C6B@dolaninformation.com>
References:  <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws> <20020724041312.GA17809@rfc822.net> <1066.192.168.1.1.1027484969.squirrel@webmail.probsd.ws>

Michael Sharp wrote:
> 
> No, only boxes I have behind the router is 2 fbsd boxes. I sent an email
> to the ep.net admin earlier, as this is continuing, and this was his
> reply:
> 
> You've got a multicast application using an unregistered
> multicast address <239.255.255.250> talking to a private
> network address <192.168.1.x> You are asking me this question because
> we run the DNS servers for the multicast address space.
> 
> Check with your software vendors and ask them to register
> the application that uses a unique multicast address with
> the IANA and we'll note it in the zone files so others can
> track this information.
> 
> The only services I have running are SMTP, BIND, and httpd, and the
> only application I had running was ethereal.  So, I'm at a loss.
> 
> michael
> 
> Pete Ehlke said:
> > On Tue, Jul 23, 2002 at 11:50:03PM -0400, Michael Sharp wrote:
> >> I was doing a security audit last night and running ethereal.
> >> Immediately after starting it, I was seeing SSDP from MY router (
> >> 192.168.1.1 )  to the IP address 239.255.255.250 ( ep.net ). Since
> >> I'm not sure what SSDP is besides that it is Simple Services
> >> Discovery Protocol, I did:
> >>
> >> /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
> >> ipfw add 98 deny all from 239.255.255.250 to me in via xl0
> >> ipfw add 99 deny all from me to 239.255.255.250 out via xl0
> >>
> >> In hopes that it would stop the packets, but it didnt and the
> >> activity continued on ethereal. Could someone please shed some
> >> light on why I might be sending SSDP to this particular IP address
> >> every 10 seconds?
> >>
> > You probably have windows machines behind your router trying to do
> > UPlug-N-Pray operations or printer discovery. The address you are
> > seeing is supposed to be a multicast address for this purpose, but
> > windows sends it out the default route. Your next hop router should
> > drop it.
> >
> > -pete
> >

Information about SSDP can be found at:
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q323713

From the link above it looks like you should be able to determine if the
SSDP broadcast is discovery messages and/or service advertisements (URL
contained in the payload, I'm guessing).  This will help determine the
reason for the traffic... maybe you have a UPNP device on
your network? (I'll guess a printer)

Instead of just trying to firewall the packets, you should try to
determine the source of the packets.  You could start by turning off
devices one by one until the SSDP traffic stops and then determine why
that device is generating SSDP traffic.

If it is indeed your freebsd router, check to make sure it isn't
relaying the traffic from the outside world and then audit and/or
reconfigure the router.  See
http://www.google.com/search?q=auditing+unix+box for some reference
material on auditing unix boxes.

But since you said there aren't any windows boxes on the network, I'll
guess it is probably a network appliance that is generating the
traffic.

Good Luck,
  Greg
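The distinction Greg points at (discovery messages versus service advertisements, with the device URL in the payload) can be read straight off the UDP payload, because SSDP is HTTP-style text sent to 239.255.255.250 on UDP port 1900: an M-SEARCH start line is a discovery request, a NOTIFY start line is an advertisement whose NT and NTS headers say what is being announced and whether it is alive or going away, and LOCATION names the device description URL. The following Python parser is an added example written for this page, not code from the thread or from any of the tools mentioned in it; the two sample datagrams it decodes are constructed for the example (a router announcing a hypothetical IGD root device at a made-up LOCATION, and a client searching for ssdp:all), and the header handling is the common SSDP shape rather than a full UPnP implementation.

```python
"""Classify SSDP (Simple Service Discovery Protocol) datagrams seen on a LAN.

SSDP is HTTP-like text carried over UDP to 239.255.255.250:1900. Two
message kinds matter when tracking down who generates the traffic:
  - M-SEARCH : a discovery request (a client looking for devices)
  - NOTIFY   : a service advertisement (a device announcing itself);
               its NTS header is ssdp:alive or ssdp:byebye and LOCATION
               points at the device description URL.
The sample datagrams at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


@dataclass
class SSDPMessage:
    kind: str                      # "discovery", "advertisement", "response" or "unknown"
    src: str                       # source IP of the datagram
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def location(self) -> Optional[str]:
        return self.headers.get("LOCATION")

    @property
    def target(self) -> Optional[str]:
        # M-SEARCH carries ST (search target); NOTIFY carries NT (notification type)
        return self.headers.get("ST") or self.headers.get("NT")


def parse_ssdp(src: str, payload: bytes) -> SSDPMessage:
    """Parse one UDP payload. Tolerates CRLF or LF line endings and skips
    malformed header lines instead of raising, since hostile or buggy
    devices send odd datagrams and the parser must not fall over on them."""
    text = payload.decode("latin-1", errors="replace")
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    start = lines[0].strip().upper() if lines else ""
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if not ln.strip():
            break                  # blank line terminates the header block
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    if start.startswith("M-SEARCH"):
        kind = "discovery"
    elif start.startswith("NOTIFY"):
        kind = "advertisement"
    elif start.startswith("HTTP/1.1 200"):
        kind = "response"          # unicast answer to an M-SEARCH
    else:
        kind = "unknown"
    return SSDPMessage(kind, src, headers)


def summarize(msg: SSDPMessage) -> str:
    """One line per datagram: who is talking and what they offer or seek."""
    if msg.kind == "advertisement":
        state = msg.headers.get("NTS", "?")
        return f"{msg.src} advertises {msg.target} ({state}) at {msg.location}"
    if msg.kind == "discovery":
        return f"{msg.src} searches for {msg.target} (MX={msg.headers.get('MX', '?')})"
    if msg.kind == "response":
        return f"{msg.src} answers a search with {msg.location}"
    return f"{msg.src} sent an unrecognised SSDP datagram"


# Constructed sample datagrams (not real captures): a router advertising a
# hypothetical IGD root device, and a client searching for everything.
SAMPLES: List[Tuple[str, bytes]] = [
    ("192.168.1.1",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"CACHE-CONTROL: max-age=1800\r\n"
     b"LOCATION: http://192.168.1.1:5431/igd.xml\r\n"
     b"NT: upnp:rootdevice\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
     b"\r\n"),
    ("192.168.1.23",
     b"M-SEARCH * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"MAN: \"ssdp:discover\"\r\n"
     b"MX: 3\r\n"
     b"ST: ssdp:all\r\n"
     b"\r\n"),
]


def classify_samples(samples=SAMPLES) -> List[SSDPMessage]:
    return [parse_ssdp(src, data) for src, data in samples]


if __name__ == "__main__":
    for m in classify_samples():
        print(summarize(m))
```

To use it on the traffic from the thread, feed parse_ssdp the source address and the UDP payload of each datagram to 239.255.255.250:1900 (for instance copied out of Ethereal's packet bytes pane); a steady stream of NOTIFY ssdp:alive messages from 192.168.1.1 with a LOCATION on that same host means the router itself is the UPnP device, while M-SEARCH messages mean something on the LAN is looking for one.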
