[Dshield] Any ideas?

van Niekerk Niel nielvanniekerk at oldmutual.com
Fri May 24 15:25:10 GMT 2002


Here's the rub: I am seeing a fair amount of UDP broadcast traffic directed
to port 1900 (SSDP). These originate from many different hosts on our LAN
(see the packet capture below). All the references I can obtain for SSDP or
port 1900 point to either WinXP or MSN Messenger.

The problem is this: 
All the machines that originate these broadcasts are WIN2K and I have
verified that four of the originating hosts definitely don't have MSN
Messenger installed (none of the machines should have anyway). In fact the
one machine is a bog standard WIN2K installation with SP2 and sec patches,
but no other software.
None of the machines I have tested (20+) are listening on 1900 UDP or TCP.

The captured packets certainly look like SSDP packets inasmuch as they use
HTTP over UDP, but nowhere could I obtain any reference to the "Info" option
in SSDP... (however it is quite possible that I missed/misunderstood
something somewhere)

The rate of these broadcasts isn't anything to worry about: I counted about
200 from about 190 different hosts in the space of 4 hours, thus < 1 per
minute, with no more than 2 from any one host in the 4 hours and they are
only 60 bytes each. All the packets are identical apart from the source port
and addresses. I also sincerely doubt that the packets are malicious in any
way (I know about the SSDP/UPnP exploit for XP, but this ain't it). What
concerns me is the fact that I cannot explain them, so...

The question is this:
Has any of the clever ppl on this list any ideas as to what this is/seen
this before? I have a feeling this must be common on WIN2K LANs and not
just something peculiar to our setup, but I cannot seem to find any
reference to it...


P.S. It's 17:20 on a stormy wintry Friday here, and I won't be monitoring the
list on the weekend, but I promise to respond to any suggestions / questions
first thing on Monday...

---------PACKET CAPTURE--------------- (ww.xx.yy.zz = Local LAN ip of WIN2K
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 00:50:8b:6a:0a:1b (00:50:8b:6a:0a:1b)
    Type: IP (0x0800)
    Trailer: 0000000000000000000000000000
Internet Protocol, Src Addr: ww.xx.yy.zz (ww.xx.yy.zz), Dst Addr: (
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 32
    Identification: 0xaaa2
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x8027 (correct)
    Source: ww.xx.yy.zz (ww.xx.yy.zz)
    Destination: (
User Datagram Protocol, Src Port: 1030 (1030), Dst Port: 1900 (1900)
    Source port: 1030 (1030)
    Destination port: 1900 (1900)
    Length: 12
    Checksum: 0x3483 (correct)
Hypertext Transfer Protocol
    Data (4 bytes)

0000  ff ff ff ff ff ff 00 50 8b 6a 0a 1b 08 00 45 00   .......P.j....E.
0010  00 20 aa a2 00 00 80 11 80 27 ww xx yy zz ff ff   . .......'......
0020  ff ff 04 06 07 6c 00 0c 34 83 49 6e 66 6f 00 00   .....l..4.Info..
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............    
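
The frame in the capture above, decoded by an added example that is not part of the original post: it uses the IP and UDP length fields to separate the 4-byte payload from the Ethernet padding, then checks the payload against the start lines a well-formed SSDP message begins with. The names `triage_udp_frame` and `SSDP_START_LINES` are hypothetical, and the masked source address is replaced by the constructed placeholder 192.0.2.10.

```python
import struct

# Frame from the capture above. The source IP was masked in the post, so the
# constructed placeholder 192.0.2.10 (c0 00 02 0a) stands in for ww.xx.yy.zz;
# the header checksums are therefore not verified here.
FRAME = bytes.fromhex(
    "ffffffffffff00508b6a0a1b08004500"
    "0020aaa2000080118027c000020affff"
    "ffff0406076c000c3483496e666f0000"
    "000000000000000000000000"
)

# Start lines a well-formed SSDP message begins with (HTTP over UDP).
SSDP_START_LINES = (b"M-SEARCH * HTTP/1.1", b"NOTIFY * HTTP/1.1", b"HTTP/1.1 200 OK")

def triage_udp_frame(frame):
    """Split an Ethernet II/IPv4/UDP frame into payload and link-layer padding."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl + 8 or frame[23] != 17:
        raise ValueError("not a complete IPv4/UDP packet")
    total_len = struct.unpack("!H", frame[16:18])[0]
    udp = 14 + ihl
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[udp:udp + 8])
    ip_end = 14 + total_len
    if udp_len < 8 or udp + udp_len > ip_end or ip_end > len(frame):
        raise ValueError("inconsistent length fields")
    payload = frame[udp + 8:udp + udp_len]
    return {
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "sport": sport,
        "dport": dport,
        "payload": payload,
        # Bytes past the IP total length are Ethernet padding, not data.
        "padding": frame[ip_end:],
        "looks_like_ssdp": payload.startswith(SSDP_START_LINES),
    }

if __name__ == "__main__":
    for key, value in triage_udp_frame(FRAME).items():
        print(f"{key}: {value!r}")
```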


