From owner-freebsd-security Tue Jul 23 20:47:41 2002
Subject: SSDP?
From: "Michael Sharp"
To: freebsd-security@freebsd.org
Date: Tue, 23 Jul 2002 23:50:03 -0400 (EDT)
Message-ID: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws>

I was doing a security audit last night and running ethereal. Immediately after starting it, I was seeing SSDP from MY router ( 192.168.1.1 ) to the IP address 239.255.255.250 ( ep.net ). Since I'm not sure what SSDP is besides that it is Simple Services Discovery Protocol, I did:

  /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
  ipfw add 98 deny all from 239.255.255.250 to me in via xl0
  ipfw add 99 deny all from me to 239.255.255.250 out via xl0

in hopes that it would stop the packets, but it didn't and the activity continued on ethereal. Could someone please shed some light on why I might be sending SSDP to this particular IP address every 10 seconds? I can supply ethereal logs if needed.

michael

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
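An added example, not part of the post or of any FreeBSD tool: a small Python parser for the SSDP datagrams seen on the wire, useful for turning a capture like the one described above into an inventory of which hosts announce which services on the LAN. The NOTIFY sample inside it is constructed, and its device name, UUID and LOCATION URL are assumptions.

```python
# Added example, not from the original post: parse SSDP datagrams (HTTP-style
# text over UDP to 239.255.255.250:1900) so a LAN audit can list who announces what.
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")

# Constructed sample NOTIFY, the periodic advertisement a UPnP router sends to
# the multicast group; the device name, UUID and LOCATION are made up.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:80/rootDesc.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: UPnP/1.0 example-router/1.0\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

def parse_ssdp(payload):
    """Split an SSDP datagram into its method and a lowercase header map."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method = lines[0].split(" ", 1)[0]  # NOTIFY, M-SEARCH, or HTTP/1.1 for a reply
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def is_ssdp_multicast(dst_ip, dst_port):
    """True when a packet is addressed to the SSDP group and port, as in the post."""
    return ipaddress.ip_address(dst_ip) == SSDP_GROUP and dst_port == 1900

def summarize(src_ip, dst_ip, dst_port, payload):
    """Reduce one datagram to what an audit wants: who announces what, and where."""
    if not is_ssdp_multicast(dst_ip, dst_port):
        return None
    method, h = parse_ssdp(payload)
    return {
        "source": src_ip,
        "method": method,
        "service": h.get("nt") or h.get("st", ""),  # NT for NOTIFY, ST for M-SEARCH
        "state": h.get("nts", ""),  # ssdp:alive or ssdp:byebye
        "location": h.get("location", ""),
        "server": h.get("server", ""),
    }
```

Feeding each captured UDP payload and its addresses to summarize() and collecting the non-None results gives a per-host list of advertised device types and description URLs, which is what an audit of unexpected multicast chatter needs.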