From owner-freebsd-security Tue Jul 23 21:12:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 989C837B400 for ; Tue, 23 Jul 2002 21:12:45 -0700 (PDT)
Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3830243E4A for ; Tue, 23 Jul 2002 21:12:45 -0700 (PDT) (envelope-from pde@bastet.rfc822.net)
Received: by bastet.rfc822.net (Postfix, from userid 1001) id 9978F9FD3B; Tue, 23 Jul 2002 23:13:12 -0500 (CDT)
Date: Tue, 23 Jul 2002 23:13:12 -0500
From: Pete Ehlke
To: freebsd-security@FreeBSD.org
Subject: Re: SSDP?
Message-ID: <20020724041312.GA17809@rfc822.net>
References: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Jul 23, 2002 at 11:50:03PM -0400, Michael Sharp wrote:
> I was doing a security audit last night and running ethereal.
> Immediately after starting it, I was seeing SSDP from MY router
> ( 192.168.1.1 ) to the IP address 239.255.255.250 ( ep.net ). Since I'm
> not sure what SSDP is besides that it is Simple Services Discovery
> Protocol, I did:
>
> /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
> ipfw add 98 deny all from 239.255.255.250 to me in via xl0
> ipfw add 99 deny all from me to 239.255.255.250 out via xl0
>
> In hopes that it would stop the packets, but it didn't and the activity
> continued on ethereal. Could someone please shed some light on why I
> might be sending SSDP to this particular IP address every 10 seconds?
>
You probably have Windows machines behind your router trying to do UPlug-N-Pray operations or printer discovery. The address you are seeing is supposed to be a multicast address for this purpose, but Windows sends it out the default route. Your next hop router should drop it.

-pete
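The exchange above leaves the mechanics implicit: what the datagrams to 239.255.255.250 actually carry, and why the two ipfw rules in the question could never match them. The script below is an added example written for this page, not code from either poster. It decodes an SSDP (UPnP discovery) message, which is HTTP-shaped text carried over UDP to the group 239.255.255.250 on port 1900, and then evaluates rules 98 and 99 as written, using ipfw's meaning of `me` (any address configured on the host). The NOTIFY datagram, the LOCATION/USN values, and the host address 192.168.1.10 are constructed; 192.168.1.1 and xl0 are taken from the question.

```python
"""Decode an SSDP (UPnP discovery) datagram and check it against the two
ipfw rules from the thread.  Added example; not code from the list post.
The datagram, the local host address and header values are constructed."""

from ipaddress import ip_address, ip_network

SSDP_GROUP = ip_address("239.255.255.250")   # the group seen in the trace
SSDP_PORT = 1900                             # SSDP's well-known UDP port
MULTICAST = ip_network("224.0.0.0/4")        # all IPv4 multicast

# Constructed SSDP NOTIFY (HTTP over UDP) of the kind a UPnP device sends
# to the group periodically. LOCATION and USN values are placeholders.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Example/1.0 UPnP/1.0\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def parse_ssdp(payload: bytes) -> dict:
    """Parse an SSDP message (NOTIFY, M-SEARCH, or an M-SEARCH response).

    Returns {'method': ..., 'target': ...} plus one lower-cased key per
    header. Raises ValueError on anything that is not HTTPU-shaped.
    """
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start = lines[0].split()
    if len(start) >= 3 and start[0].startswith("HTTP/"):
        msg = {"method": "RESPONSE", "target": start[1]}  # status code
    elif len(start) == 3 and start[2].startswith("HTTP/"):
        msg = {"method": start[0], "target": start[1]}    # NOTIFY / M-SEARCH
    else:
        raise ValueError("not an HTTPU start line: %r" % lines[0])
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line: %r" % line)
        msg[name.strip().lower()] = value.strip()
    return msg


def is_ssdp_discovery(msg: dict, dst_ip: str, dst_port: int) -> bool:
    """True for NOTIFY/M-SEARCH traffic addressed to the SSDP group and port."""
    return (msg["method"] in ("NOTIFY", "M-SEARCH")
            and ip_address(dst_ip) == SSDP_GROUP
            and dst_port == SSDP_PORT
            and msg.get("host", "").split(":")[0] == str(SSDP_GROUP))


def ipfw_rules_match(src_ip: str, dst_ip: str, local_addrs) -> tuple:
    """Evaluate the thread's two rules against a datagram src_ip -> dst_ip.

    Rule 98: deny all from 239.255.255.250 to me in via xl0
    Rule 99: deny all from me to 239.255.255.250 out via xl0
    'me' in ipfw(8) means any address configured on this host. The
    'via xl0' clauses are taken as satisfied: the datagram is assumed to
    cross the sniffed interface.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    local = {ip_address(a) for a in local_addrs}
    rule98 = src == SSDP_GROUP and dst in local
    rule99 = src in local and dst == SSDP_GROUP
    return rule98, rule99


def explain_miss(src_ip: str, dst_ip: str, local_addrs) -> list:
    """Reasons neither rule matches; empty if one of them does."""
    rule98, rule99 = ipfw_rules_match(src_ip, dst_ip, local_addrs)
    if rule98 or rule99:
        return []
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    local = {ip_address(a) for a in local_addrs}
    reasons = []
    if src != SSDP_GROUP:
        reasons.append("rule 98 needs source %s; a multicast group is a "
                       "destination, never a source, so it cannot fire" % SSDP_GROUP)
    if src not in local:
        reasons.append("rule 99 needs source 'me'; src %s is another host, "
                       "and ipfw only filters packets this host sends or "
                       "receives" % src)
    if dst in MULTICAST and dst not in local:
        reasons.append("dst %s is multicast, not 'me'; the sniffer shows the "
                       "frame because the NIC sees the whole segment" % dst)
    return reasons


if __name__ == "__main__":
    msg = parse_ssdp(SAMPLE_NOTIFY)
    print(msg["method"], msg["nts"], msg["nt"], msg["usn"])
    print("ssdp discovery:", is_ssdp_discovery(msg, "239.255.255.250", 1900))
    for r in explain_miss("192.168.1.1", "239.255.255.250", ["192.168.1.10"]):
        print("-", r)
```

Two practical consequences follow. The blackhole route and rule 99 only affect datagrams this host originates; rule 98 can never fire because a multicast group never appears as a source address. If the goal is to drop SSDP that the host itself receives, the group belongs in the destination, for example `ipfw add deny udp from any to 239.255.255.250 1900 in via xl0`; no host-local rule can keep another device's multicast off the wire, which is why the sniffer kept showing it.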