[unisog] UPNP Multicast Traffic

Brian Eckman eckman at umn.edu
Thu Nov 13 15:08:32 GMT 2003


Lois Lehman wrote:
> We just started seeing this UPNP scanning from inside our campus and
> from outside destined for the multicast address, 239.255.255.250.  Does
> anyone know why this would be happening?
>  
> [**] SCAN UPNP service discover attempt [**]
> 11/12-13:18:42.359857 169.254.244.147:1412 -> 239.255.255.250:1900
> UDP TTL:1 TOS:0x0 ID:39299 IpLen:20 DgmLen:161
> Len: 133
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+ 

This is normal traffic. The best way to get rid of it is to turn off the 
SSDP Discovery service (I can't imagine you need it).

Google will tell you a lot more. Here is a decent example query, where I 
am assuming that Windows Messenger is to blame (fairly likely): 
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=windows+messenger+ssdp+discovery

Brian
-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
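
A triage sketch for alerts like the one quoted above, added here as an example and not part of the original post: it parses the alert header, confirms the destination is the SSDP group on UDP 1900, and reports where the source sits and whether the TTL would let the packet past a router. The function name `triage`, the `CAMPUS_NETS` placeholder range and the second alert are assumptions constructed for illustration.

```python
import ipaddress
import re

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = 1900
# Assumption: placeholder campus range (documentation prefix), not from the post.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "<src>:<sport> -> <dst>:<dport>" and "TTL:<n>" as they appear in the alert.
HDR = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
TTL = re.compile(r"\bTTL:(\d+)")

# Alert quoted in the post.
PAGE_ALERT = """[**] SCAN UPNP service discover attempt [**]
11/12-13:18:42.359857 169.254.244.147:1412 -> 239.255.255.250:1900
UDP TTL:1 TOS:0x0 ID:39299 IpLen:20 DgmLen:161
Len: 133"""
# Constructed sample: same alert from a source outside the placeholder range.
EXTERNAL_ALERT = """[**] SCAN UPNP service discover attempt [**]
11/12-13:20:01.000000 198.51.100.7:1050 -> 239.255.255.250:1900
UDP TTL:3 TOS:0x0 ID:1 IpLen:20 DgmLen:161
Len: 133"""


def triage(alert, local_nets=CAMPUS_NETS):
    """Return a summary dict for an SSDP multicast alert, else None."""
    hdr, ttl = HDR.search(alert), TTL.search(alert)
    if not hdr or not ttl:
        return None
    src = ipaddress.ip_address(hdr.group(1))
    dst = ipaddress.ip_address(hdr.group(3))
    if dst != SSDP_GROUP or int(hdr.group(4)) != SSDP_PORT:
        return None
    if src.is_link_local:  # 169.254.0.0/16: self-assigned, no DHCP lease
        origin = "link-local"
    elif any(src in net for net in local_nets):
        origin = "local"
    else:
        origin = "external"
    hops = int(ttl.group(1))
    return {
        "src": str(src),
        "origin": origin,
        "ttl": hops,
        "crosses_router": hops > 1,  # a router drops TTL 1 instead of forwarding
        "review": origin == "external",  # off-campus source is worth a look
    }


if __name__ == "__main__":
    for sample in (PAGE_ALERT, EXTERNAL_ALERT):
        print(triage(sample))
```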


