[Dshield] Multicast traffic on my Linksys router

Laurent Saplairoles lsaplai at telus.net
Mon Jun 16 08:17:56 GMT 2003


Hello all
I am turning to the Dshield common knowledge to try to shed some light on a 
problem I am meeting:

I have noticed some traffic going on on my local network (192.168.1.x) that simply 
shouldn't be there.
My network is behind a Linksys BEFSR41 that have recently upgreaded to the latest 
firmware (Dec 2002).

Basically, what I am seeing is TCP packets (HTTP1.1) going from the Linksys 
internal adapter (192.168.1.1) to the multicast address: 239.255.255.250:1900. The 
type of packet is SSDP
(I can post packets to the list if you want)

This traffic only appears with a packet sniffer (ethereal). It does not appear in the 
Linksys' logs.
It goes by bunch of 10 packets or so, then stops for a short while (30s?) and does it 
again.
There is noone participating in a multicast on my network.

Upon reading a bit around, it seems it could be related to the UPnP fantaisy from 
Microsoft, but I am not using that facility.

My systems are a mix of Win 98SE, ME and 2000 worstations with (almost) up-to-
date patches + the occasional Linux (Mandrake 9.1). No WinXP.
The only thing on my network that mentions UPnP is the Linksys itself.

More strangely, I have just seen exactly the same traffic on a friend's network who 
only runs Win2K.

Do you guys have any explanation? Do you know how to stop this useless traffic?

By the way, is SQL Slammer using a multicast address to propagate? I got real 
strange traffic the other day (I blocked it at my firewall but it brought down my ISP!) 
and Snort claimed it was SQLSlammer. I will try to get the logs and post more details 
though.

Thanks in advance for your input.

-- 
Laurent
Sacha Guitry (1895 - 1957)
Le cTlibat, on s'ennuie. Le mariage, on a des ennuis.






More information about the list mailing list