[Dshield] Multicast traffic on my Linksys router

John Sage jsage at finchhaven.com
Mon Jun 16 12:23:44 GMT 2003


Laurent:

Seeing anything like this:

15:29:31.304433 < 192.168.1.80 > 239.255.255.250: igmp nreport 239.255.255.250 [ttl 1]
 (id 73, optlen=4 RA)
15:29:31.322385 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 344 (ttl 4, id 74)
15:29:31.390737 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 346 (ttl 4, id 75)
15:29:31.548079 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 309 (ttl 4, id 76)
15:29:31.707252 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 300 (ttl 4, id 77)
15:29:32.704013 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 344 (ttl 4, id 78)
15:29:32.705619 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 346 (ttl 4, id 79)
15:29:32.707077 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 309 (ttl 4, id 80)
15:29:32.708523 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 300 (ttl 4, id 81)
15:29:33.705471 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 344 (ttl 4, id 82)
15:29:33.707106 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 346 (ttl 4, id 83)
15:29:33.708572 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 309 (ttl 4, id 84)
15:29:33.710031 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 300 (ttl 4, id 85)
15:29:33.967233 < arp who-has 192.168.1.80 tell 192.168.1.90
15:29:33.967358 < arp reply 192.168.1.80 is-at 0:a0:c0:2a:ea:f4
15:29:33.968290 < 192.168.1.90.1027 > 192.168.1.80.www: S 40679160:40679160(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 5)
15:29:33.968560 < 192.168.1.80.www > 192.168.1.90.1027: S 1744758366:1744758366(0) ack 40679161 win 65535 <mss 1460> (ttl 48, id 86)
15:29:33.969170 < 192.168.1.90.1027 > 192.168.1.80.www: . 1:1(0) ack 1 win 17520 (DF) (ttl 128, id 6)
15:29:34.027872 < 192.168.1.90.1027 > 192.168.1.80.www: P 1:246(245) ack 1 win 17520 (DF) (ttl 128, id 8)
15:29:34.030652 < 192.168.1.80.www > 192.168.1.90.1027: . 1:1461(1460) ack 246 win 65290 (ttl 48, id 87)
15:29:34.030782 < 192.168.1.80.www > 192.168.1.90.1027: P 1461:1493(32) ack 246 win 65290 (ttl 48, id 88)
15:29:34.034682 < 192.168.1.90.1027 > 192.168.1.80.www: . 246:246(0) ack 1493 win 17520 (DF) (ttl 128, id 10)
15:30:34.562971 < 192.168.1.90.1027 > 192.168.1.80.www: R 40679406:40679406(0) win 0 (DF) (ttl 128, id 11)
15:30:55.724817 < 192.168.1.90.1028 > 239.255.255.250.1900: udp 116 [ttl 1] (id 12)


After quickly looking back at my notes about the Simple Service
Discovery Protocol, I'm willing to bet that what you're seeing is
nothing more than what it seems: a busy little device (the Linksys
BEFSR41) that is shouting "here I am.. here I am.." just in case a new
device should appear on your network.

> Upon reading a bit around, it seems it could be related to the UPnP
> fantasy from Microsoft, but I am not using that facility.

You may not know you are, but that doesn't mean that Linksys isn't...

Realize that there's a *lot* of traffic on networks these days that,
while you might not immediately recognize, nevertheless serves some
real purpose.

Post some packet captures (with payloads..) if you think there's
something really suspicious going on.


On Mon, Jun 16, 2003 at 01:17:56AM -0700, Laurent Saplairoles wrote:
> Hello all
> I am turning to the Dshield common knowledge to try to shed some light
> on a problem I am meeting:
> 
> I have noticed some traffic going on on my local network (192.168.1.x)
> that simply shouldn't be there.
> 
> My network is behind a Linksys BEFSR41 that I have recently upgraded to
> the latest firmware (Dec 2002).
> 
> Basically, what I am seeing is TCP packets (HTTP1.1) going from the
> Linksys internal adapter (192.168.1.1) to the multicast address:
> 239.255.255.250:1900. The type of packet is SSDP (I can post packets
> to the list if you want)
> 
> This traffic only appears with a packet sniffer (ethereal). It does
> not appear in the Linksys' logs. 
> 
> It goes in bunches of 10 packets or so, then stops for a short while
> (30s?) and does it again. 
> 
> There is no one participating in a multicast on my network.
> 
> Upon reading a bit around, it seems it could be related to the UPnP
> fantasy from Microsoft, but I am not using that facility.
> 
> My systems are a mix of Win 98SE, ME and 2000 workstations with
> (almost) up-to-date patches + the occasional Linux (Mandrake 9.1). No
> WinXP. The only thing on my network that mentions UPnP is the Linksys
> itself.
> 
> More strangely, I have just seen exactly the same traffic on a
> friend's network who only runs Win2K.
> 
> Do you guys have any explanation? Do you know how to stop this useless
> traffic?
> 
> By the way, is SQL Slammer using a multicast address to propagate? I
> got real strange traffic the other day (I blocked it at my firewall
> but it brought down my ISP!) and Snort claimed it was SQLSlammer. I
> will try to get the logs and post more details though.
> 
> Thanks in advance for your input.
> 
> -- 
> Laurent
> Sacha Guitry (1895 - 1957)
> In celibacy, one is bored. In marriage, one has troubles.


- John
-- 
"Obviously, we do not want to leave zombies around."

See our exciting, all-new look! http://www.finchhaven.com/
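The reading John gives of the capture above (a UPnP device announcing itself to the SSDP group 239.255.255.250 on port 1900, plus a host's own discovery query at the end) can be checked mechanically rather than by eye. The script below is an added example, not part of either message: it parses tcpdump summary lines in the format shown in the thread, groups everything sent to the SSDP group by source host, and applies a simple triage rule. The rule (gateway sending 1900-to-1900 is a routine announcement; a host sending from an ephemeral port to 1900 is a discovery query; anything else gets flagged for a look at the payload) is an assumption of this example, as is the choice of 192.168.1.80 as the gateway address, taken from John's capture rather than the 192.168.1.1 Laurent mentions. The sample lines are constructed from the capture in the message, not the original file.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump summary lines modelled on the capture quoted
# above (same hosts, ports, sizes and TTLs), not the original capture file.
SAMPLE = """\
15:29:31.304433 < 192.168.1.80 > 239.255.255.250: igmp nreport 239.255.255.250 [ttl 1] (id 73, optlen=4 RA)
15:29:31.322385 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 344 (ttl 4, id 74)
15:29:31.390737 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 346 (ttl 4, id 75)
15:29:31.548079 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 309 (ttl 4, id 76)
15:29:31.707252 < 192.168.1.80.1900 > 239.255.255.250.1900: udp 300 (ttl 4, id 77)
15:29:33.968290 < 192.168.1.90.1027 > 192.168.1.80.www: S 40679160:40679160(0) win 16384 (DF) (ttl 128, id 5)
15:30:55.724817 < 192.168.1.90.1028 > 239.255.255.250.1900: udp 116 [ttl 1] (id 12)
"""

SSDP_GROUP = "239.255.255.250"   # SSDP multicast group named in the thread
SSDP_PORT = "1900"               # SSDP port named in the thread

# "HH:MM:SS.usec < src[.port] > dst[.port]: rest" as tcpdump printed it in 2003.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [<>] "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\w+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\w+))?: "
    r"(?P<rest>.*)$"
)


def to_seconds(ts):
    """Turn 'HH:MM:SS.frac' into seconds since midnight (float)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Parse one tcpdump summary line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first = rest.split()[0]
    proto = first if first in ("igmp", "udp") else "tcp"   # TCP lines start with a flag
    ttl = re.search(r"ttl (\d+)", rest)
    size = re.search(r"\budp (\d+)", rest)
    return {
        "ts": to_seconds(m.group("ts")),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "proto": proto,
        "ttl": int(ttl.group(1)) if ttl else None,
        "size": int(size.group(1)) if size else None,
    }


def triage(capture_text, gateway):
    """Summarise traffic to the SSDP group per source host and classify it.

    The classification rule is this example's own heuristic (assumption):
    only the payload confirms whether a datagram is an announcement or a query.
    """
    per_src = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dst"] == SSDP_GROUP:
            per_src[pkt["src"]].append(pkt)

    report = {}
    for src, pkts in per_src.items():
        udp = [p for p in pkts if p["proto"] == "udp" and p["dport"] == SSDP_PORT]
        igmp = [p for p in pkts if p["proto"] == "igmp"]
        if src == gateway and udp and all(p["sport"] == SSDP_PORT for p in udp):
            verdict = "expected: gateway UPnP announcement burst (1900 -> 1900)"
        elif udp and all(p["sport"] != SSDP_PORT for p in udp):
            verdict = "expected: host discovery query (ephemeral port -> 1900)"
        else:
            verdict = "review: SSDP traffic fitting neither pattern; capture payloads"
        report[src] = {
            "udp_packets": len(udp),
            "igmp_reports": len(igmp),
            "ttls": sorted({p["ttl"] for p in udp if p["ttl"] is not None}),
            "sizes": sorted({p["size"] for p in udp if p["size"] is not None}),
            "span_s": round(udp[-1]["ts"] - udp[0]["ts"], 6) if udp else 0.0,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE, gateway="192.168.1.80").items():
        print(host, info)
```

Run against a real capture, the `span_s` and packet counts per source are what let you compare against the "bunch of 10 packets then a pause" pattern Laurent describes, and a source that lands in the "review" bucket is the one worth capturing with payloads, as John asks for.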