From owner-freebsd-security Tue Jul 23 22:29:12 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <1095.192.168.1.1.1027488700.squirrel@webmail.probsd.ws>
Date: Wed, 24 Jul 2002 01:31:40 -0400 (EDT)
Subject: Re: SSDP? this thread is done
From: "Michael Sharp"
In-Reply-To: <3D3E3909.3C1A0C6B@dolaninformation.com>
References: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws> <20020724041312.GA17809@rfc822.net> <1066.192.168.1.1.1027484969.squirrel@webmail.probsd.ws> <3D3E3909.3C1A0C6B@dolaninformation.com>
X-Mailer: SquirrelMail (version 1.2.7)
Sender: owner-freebsd-security@FreeBSD.ORG

I found the culprit. In the logs, I saw a reference to:

http://192.168.1.1/rootDesc.xml

and I loaded it in a web browser, and the router is doing UPnP:

BEFSR41/BEFSR11/BEFSRU31
uuid:upnp-InternetGatewayDevice-1_0-0090a2777777

I disabled multicast pass-through on the router, but that didn't work. I'll play with it some more later.

Thanks to all who responded.

michael

Greg Panula said:
> Michael Sharp wrote:
>>
>> No, the only boxes I have behind the router are 2 fbsd boxes. I sent an
>> email to the ep.net admin earlier, as this is continuing, and this
>> was his reply:
>>
>>   You've got a multicast application using an unregistered
>>   multicast address <239.255.255.250> talking to a private
>>   network address <192.168.1.x>. You are asking me this question
>>   because we run the DNS servers for the multicast address space.
>>
>>   Check with your software vendors and ask them to register
>>   the application that uses a unique multicast address with
>>   the IANA and we'll note it in the zone files so others can
>>   track this information.
>>
>> The only services I have running are SMTP, BIND, and httpd, and the
>> only application I had running was ethereal. So, I'm at a loss.
>>
>> michael
>>
>> Pete Ehlke said:
>> > On Tue, Jul 23, 2002 at 11:50:03PM -0400, Michael Sharp wrote:
>> >> I was doing a security audit last night and running ethereal.
>> >> Immediately after starting it, I was seeing SSDP from MY router
>> >> ( 192.168.1.1 ) to the IP address 239.255.255.250 ( ep.net ).
>> >> Since I'm not sure what SSDP is besides that it is Simple Services
>> >> Discovery Protocol, I did:
>> >>
>> >> /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
>> >> ipfw add 98 deny all from 239.255.255.250 to me in via xl0
>> >> ipfw add 99 deny all from me to 239.255.255.250 out via xl0
>> >>
>> >> In hopes that it would stop the packets, but it didn't and the
>> >> activity continued on ethereal. Could someone please shed some
>> >> light on why I might be sending SSDP to this particular IP
>> >> address every 10 seconds?
>> >
>> > You probably have windows machines behind your router trying to
>> > do UPlug-N-Pray operations or printer discovery. The address you
>> > are seeing is supposed to be a multicast address for this
>> > purpose, but windows sends it out the default route. Your next
>> > hop router should drop it.
>> >
>> > -pete
>
> Information about SSDP can be found at:
> http://support.microsoft.com/default.aspx?scid=kb;[LN];Q323713
>
> From the link above it looks like you should be able to determine if the
> SSDP broadcast is discovery messages and/or service advertisements (URL
> contained in the payload, I'm guessing). This will help determine
> the reason of what the traffic is doing... maybe you have a UPnP
> device on your network? (I'll guess a printer)
>
> Instead of just trying to firewall the packets, you should try to
> determine the source of the packets. You could start by turning off
> devices one by one until the SSDP traffic stops and then determine
> why that device is generating SSDP traffic.
>
> If it is indeed your freebsd router, check to make sure it isn't
> relaying the traffic from the outside world and then audit and/or
> reconfigure the router. See
> http://www.google.com/search?q=auditing+unix+box for some reference
> material on auditing unix boxes.
>
> But since you said there aren't any windows boxes on the network,
> I'll guess it is probably a network appliance that is generating the
> traffic.
>
> Good Luck,
> Greg
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
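Greg suggested telling SSDP discovery messages from service advertisements by looking at the payload, and Michael's find was a LOCATION pointing at the router's rootDesc.xml. As an added example (not part of the thread or any poster's code), this Python classifier does that over constructed SSDP datagrams; the sample payloads, the 192.168.1.50 host and every header value other than the rootDesc.xml URL and the uuid quoted above are assumptions.

```python
"""Classify SSDP datagrams to find which host generates UPnP traffic.
SSDP is HTTP-style text over UDP (HTTPU) multicast to 239.255.255.250:1900.
NOTIFY with "NTS: ssdp:alive" advertises a device; its LOCATION header names
the description document (rootDesc.xml in the thread).  M-SEARCH is a
discovery request.  CAPTURE is constructed for this example, not real data."""

# (source IP, UDP payload) pairs as a sniffer would hand them over.
CAPTURE = [
    ("192.168.1.1",
     b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"CACHE-CONTROL: max-age=1800\r\nLOCATION: http://192.168.1.1/rootDesc.xml\r\n"
     b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
     b"USN: uuid:upnp-InternetGatewayDevice-1_0-0090a2777777::"
     b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
    ("192.168.1.50",  # hypothetical LAN host issuing a discovery request
     b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'),
]

def parse_ssdp(payload: bytes):
    """Return (start line, headers); header names are case-insensitive."""
    lines = payload.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers

def classify(payload: bytes) -> str:
    """Label a datagram: advertisement, withdrawal, discovery, response, unknown."""
    start, hdr = parse_ssdp(payload)
    if start.startswith("NOTIFY"):
        return {"ssdp:alive": "advertisement",
                "ssdp:byebye": "withdrawal"}.get(hdr.get("NTS"), "unknown")
    if start.startswith("M-SEARCH") and hdr.get("MAN") == '"ssdp:discover"':
        return "discovery"
    if start.startswith("HTTP/1.1 200"):
        return "response"
    return "unknown"

def advertised_devices(capture):
    """(sender, LOCATION, USN) per advertisement: the hosts that really emit UPnP."""
    out = []
    for src, payload in capture:
        if classify(payload) == "advertisement":
            hdr = parse_ssdp(payload)[1]
            out.append((src, hdr.get("LOCATION", ""), hdr.get("USN", "")))
    return out
```

Because advertisements carry the sender address and LOCATION, a pass over a capture names the UPnP device directly, which firewall rules on the FreeBSD box cannot do for traffic the router itself originates.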