Date: Tue, 23 Jul 2002 23:13:12 -0500
From: Pete Ehlke <pde@rfc822.net>
To: freebsd-security@FreeBSD.org
Subject: Re: SSDP?
Message-ID: <20020724041312.GA17809@rfc822.net>
In-Reply-To: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws>
References: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws>

On Tue, Jul 23, 2002 at 11:50:03PM -0400, Michael Sharp wrote:
> I was doing a security audit last night and running ethereal.
> Immediately after starting it, I was seeing SSDP from MY router (
> 192.168.1.1 ) to the IP address 239.255.255.250 ( ep.net ). Since I'm
> not sure what SSDP is besides that it is Simple Services Discovery
> Protocol, I did:
>
> /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
> ipfw add 98 deny all from 239.255.255.250 to me in via xl0
> ipfw add 99 deny all from me to 239.255.255.250 out via xl0
>
> In hopes that it would stop the packets, but it didn't and the activity
> continued on ethereal. Could someone please shed some light on why I
> might be sending SSDP to this particular IP address every 10 seconds?
>

You probably have Windows machines behind your router trying to do
UPlug-N-Pray operations or printer discovery. The address you are seeing
is supposed to be a multicast address for this purpose, but Windows sends
it out the default route. Your next hop router should drop it.

-pete

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
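
An added example, not part of the original message: a small Python triage function that reads the payload of a UDP datagram addressed to 239.255.255.250 and reports whether it is a device announcement (NOTIFY) or a client search (M-SEARCH), which shows whether a sender such as 192.168.1.1 is advertising itself or looking for devices. UDP port 1900, the header names, the client address 192.168.1.20 and both sample payloads are assumptions or constructed data, not taken from the thread.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # multicast group named in the thread
SSDP_PORT = 1900  # assumption: standard SSDP UDP port, not stated in the thread

# Constructed sample payloads (not captured from the poster's network).
ROUTER_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"LOCATION: http://192.168.1.1:5678/rootDesc.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n\r\n")
CLIENT_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: upnp:rootdevice\r\n\r\n')

def parse_ssdp(payload):
    """Split an SSDP (HTTP-over-UDP) payload into start line and header dict."""
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers

def classify(src, dst, dport, payload):
    """Triage one UDP datagram; returns None when it is not addressed to SSDP."""
    if ipaddress.ip_address(dst) != SSDP_GROUP or dport != SSDP_PORT:
        return None
    start, h = parse_ssdp(payload)
    method = start.split(" ", 1)[0].upper()
    if method == "NOTIFY":      # a device advertising itself
        kind, target = "announcement", h.get("NT", "")
    elif method == "M-SEARCH":  # a client looking for devices
        kind, target = "search", h.get("ST", "")
    else:
        kind, target = "unknown", ""
    return {"src": src, "kind": kind, "target": target,
            "nts": h.get("NTS", ""), "location": h.get("LOCATION", "")}

if __name__ == "__main__":
    # 192.168.1.20 is a constructed client address for illustration.
    print(classify("192.168.1.1", "239.255.255.250", 1900, ROUTER_NOTIFY))
    print(classify("192.168.1.20", "239.255.255.250", 1900, CLIENT_SEARCH))
```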