From owner-freebsd-security Tue Jul 23 21:27: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 817EB37B400 for ; Tue, 23 Jul 2002 21:26:57 -0700 (PDT)
Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2224C43E5E for ; Tue, 23 Jul 2002 21:26:57 -0700 (PDT) (envelope-from freebsd@ec.rr.com)
Received: by probsd.ws (Postfix, from userid 80) id B7ABA10754; Wed, 24 Jul 2002 00:29:29 -0400 (EDT)
Message-ID: <1066.192.168.1.1.1027484969.squirrel@webmail.probsd.ws>
Date: Wed, 24 Jul 2002 00:29:29 -0400 (EDT)
Subject: Re: SSDP?
From: "Michael Sharp"
To:
In-Reply-To: <20020724041312.GA17809@rfc822.net>
References: <1067.192.168.1.1.1027482603.squirrel@webmail.probsd.ws> <20020724041312.GA17809@rfc822.net>
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
Cc:
X-Mailer: SquirrelMail (version 1.2.7)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

No, the only boxes I have behind the router are 2 fbsd boxes. I sent an email to the ep.net admin earlier, as this is continuing, and this was his reply:

You've got a multicast application using an unregistered multicast address <239.255.255.250> talking to a private network address <192.168.1.x>. You are asking me this question because we run the DNS servers for the multicast address space. Check with your software vendors and ask them to register the application that uses a unique multicast address with the IANA and we'll note it in the zone files so others can track this information.

The only services I have running are SMTP, BIND, and httpd, and the only application I had running was ethereal. So, I'm at a loss.
michael

Pete Ehlke said:
> On Tue, Jul 23, 2002 at 11:50:03PM -0400, Michael Sharp wrote:
>> I was doing a security audit last night and running ethereal.
>> Immediately after starting it, I was seeing SSDP from MY router (
>> 192.168.1.1 ) to the IP address 239.255.255.250 ( ep.net ). Since
>> I'm not sure what SSDP is besides that it is Simple Services
>> Discovery Protocol, I did:
>>
>> /sbin/route -nq add -host 239.255.255.250 127.0.0.1 -blackhole
>> ipfw add 98 deny all from 239.255.255.250 to me in via xl0
>> ipfw add 99 deny all from me to 239.255.255.250 out via xl0
>>
>> In hopes that it would stop the packets, but it didn't and the
>> activity continued on ethereal. Could someone please shed some
>> light on why I might be sending SSDP to this particular IP address
>> every 10 seconds?
>>
> You probably have windows machines behind your router trying to do
> UPlug-N-Pray operations or printer discovery. The address you are
> seeing is supposed to be a multicast address for this purpose, but
> windows sends it out the default route. Your next hop router should
> drop it.
>
> -pete
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
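Added example, not part of the list thread: a small model of the two ipfw rules quoted above, evaluated against the packet ethereal was showing (router 192.168.1.1 sending to the multicast group 239.255.255.250). Neither rule can match that packet: rule 98 denies packets *sourced from* 239.255.255.250, but a multicast group address only ever appears as a destination, and rule 99 only covers packets the FreeBSD host itself sends. The example also shows a rule shape that does match. Assumptions not stated in the thread: SSDP travels over UDP to port 1900, the FreeBSD host's own address is 192.168.1.2, and the rule matcher is a deliberately reduced model of ipfw's syntax (only the keywords the two posted rules use), not a reimplementation of ipfw.

```python
"""Model of the posted ipfw rules versus an observed SSDP datagram.

Added example for the freebsd-security thread; not FreeBSD or ipfw code.
"""
from dataclasses import dataclass
from typing import Optional

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900          # assumption: standard SSDP port, not mentioned in the thread
ME = "192.168.1.2"        # assumption: address of the FreeBSD host running ethereal


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", ...
    dport: int
    direction: str        # "in" or "out", relative to the host
    iface: str
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str           # "deny" or "allow"
    proto: str            # "all", "udp", "tcp", ...
    src: str              # address literal, "any", or "me"
    dst: str
    direction: str        # "in", "out", or "any"
    iface: str            # interface name or "any"


def addr_matches(spec: str, addr: str) -> bool:
    """Reduced ipfw address matching: literal, 'any', or 'me' (this host)."""
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("all", pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.direction in ("any", pkt.direction)
            and rule.iface in ("any", pkt.iface))


def first_match(rules: list, pkt: Packet) -> Optional[int]:
    """ipfw evaluates rules in ascending number order; first match wins.
    None means no listed rule matched (the default rule would decide)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number
    return None


def is_ssdp(pkt: Packet) -> bool:
    """SSDP is HTTP-style text over UDP: NOTIFY or M-SEARCH to the group address."""
    first_line = pkt.payload.split(b"\r\n", 1)[0]
    return (pkt.proto == "udp"
            and pkt.dst == SSDP_GROUP
            and pkt.dport == SSDP_PORT
            and (first_line.startswith(b"NOTIFY * HTTP/1.1")
                 or first_line.startswith(b"M-SEARCH * HTTP/1.1")))


# The two rules from the thread, expressed in this model.
RULE_98 = Rule(98, "deny", "all", SSDP_GROUP, "me", "in", "xl0")
RULE_99 = Rule(99, "deny", "all", "me", SSDP_GROUP, "out", "xl0")
# A rule that does match router-originated SSDP arriving on xl0
# (equivalent to: ipfw add 97 deny udp from any to 239.255.255.250 in via xl0).
RULE_97 = Rule(97, "deny", "udp", "any", SSDP_GROUP, "in", "xl0")

# Constructed sample: one SSDP NOTIFY from the router as seen on the LAN.
OBSERVED = Packet(
    src="192.168.1.1", dst=SSDP_GROUP, proto="udp", dport=SSDP_PORT,
    direction="in", iface="xl0",
    payload=(b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n"),
)


def explain(pkt: Packet) -> dict:
    return {
        "is_ssdp": is_ssdp(pkt),
        "posted_rules_match": first_match([RULE_98, RULE_99], pkt),
        "corrected_rule_match": first_match([RULE_97, RULE_98, RULE_99], pkt),
    }


if __name__ == "__main__":
    print(explain(OBSERVED))
```

Even a rule that does match would not change what ethereal shows: the sniffer reads frames off the interface before the host firewall evaluates them, so a host-side deny only stops the local IP stack from accepting the datagram. Whether the traffic is on the wire at all is decided by the router and the hosts behind it, which is the point of Pete's reply.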