[opensuse] A router has become talkative on 'ssdp', should I allow or not? And how?
Hi,

I have just noticed frequent rejection messages in the firewall log:

<0.4> 2016-03-02 12:53:42 Telcontar kernel - - - [170676.016540] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:08:00 SRC=192.168.1.5 DST=192.168.1.14 LEN=348 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=10277 LEN=328

The originator is a secondary router which I use to provide WiFi in my network. The destination is my desktop computer.

The source port I can identify as "ssdp", but the destination port is not registered to any service. Should I open it, and would it give me any advantage?

https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information. It accomplishes this without assistance of server-based configuration mechanisms, such as the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS), and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments. It was formally described in an IETF Internet draft by Microsoft and Hewlett-Packard in 1999. Although the IETF proposal has since expired,[1] SSDP was incorporated into the UPnP protocol stack, and a description of the final implementation is included in UPnP standards documents.[2]

(I find it strange to open a port such as 10277)

I have started wireshark listening to traffic from 192.168.1.5, and I see it is sending those packages I see in the firewall, and others to 239.255.255.250, which I find strange. Must be a broadcast.

Some data extracted by wireshark:

1 11:46:10.048629000 192.168.1.5 192.168.1.14 SSDP 362 HTTP/1.1 200 OK
Frame 1: 362 bytes on wire (2896 bits), 362 bytes captured (2896 bits) on interface 0
Ethernet II, Src: Tp-LinkT_91:f4:22 (f8:1a:67:91:f4:22), Dst: Micro-St_16:2d:0b (00:21:85:16:2d:0b)
Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 192.168.1.14 (192.168.1.14)
User Datagram Protocol, Src Port: 1900 (1900), Dst Port: 10277 (10277)
Hypertext Transfer Protocol

--
Cheers
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
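A small triage script for log lines of this kind, added here as an example (it is not from the thread and not part of SuSEfirewall2): it parses the key=value fields of an SFW2 drop line and labels the packet. The first sample line is the one quoted in the mail above; the other two are constructed for the example. A UDP packet from source port 1900 to an unprivileged port on a unicast address, which is also what the "HTTP/1.1 200 OK" in the capture indicates, is the unicast reply form of SSDP, sent to whatever port a discovery query came from; a packet addressed to 239.255.255.250:1900 is discovery traffic sent to the SSDP multicast group. Neither calls for opening a port on the external zone; for a LAN-only router the cleanest fix is the one the thread arrives at, disabling UPnP on the device.

```python
import re
from collections import Counter
from ipaddress import ip_address

SSDP_PORT = 1900
SSDP_GROUP = ip_address("239.255.255.250")   # well-known SSDP/UPnP multicast group

# Constructed sample log: line 1 is the line quoted in the mail above; lines 2 and 3
# are made up for this example (a multicast SSDP announcement and an unrelated TCP SYN).
SAMPLE_LOG = """\
<0.4> 2016-03-02 12:53:42 Telcontar kernel - - - [170676.016540] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:08:00 SRC=192.168.1.5 DST=192.168.1.14 LEN=348 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=10277 LEN=328
<0.4> 2016-03-02 12:53:50 Telcontar kernel - - - [170684.100000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:f8:1a:67:91:f4:22:08:00 SRC=192.168.1.5 DST=239.255.255.250 LEN=312 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=292
<0.4> 2016-03-02 12:54:01 Telcontar kernel - - - [170695.200000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.77 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=44120 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

RULE_RE = re.compile(r"(SFW2-[\w-]+)\s+(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one SuSEfirewall2 kernel log line into a dict of its fields, or None."""
    m = RULE_RE.search(line)
    if not m:
        return None
    rec = {"rule": m.group(1)}
    for key, value in FIELD_RE.findall(m.group(2)):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the first
        # and file the second under L4LEN so nothing is silently overwritten.
        if key in rec:
            key = "L4" + key
        rec[key] = int(value) if value.isdigit() else value
    return rec


def parse_log(text):
    """Parse every recognisable line of a log excerpt."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def classify(rec):
    """Label a dropped packet: ssdp-multicast, ssdp-response or other."""
    if rec.get("PROTO") != "UDP":
        return "other"
    dst = ip_address(rec["DST"])
    if dst == SSDP_GROUP and rec.get("DPT") == SSDP_PORT:
        return "ssdp-multicast"        # NOTIFY or M-SEARCH addressed to the group
    if (rec.get("SPT") == SSDP_PORT and not dst.is_multicast
            and rec.get("DPT", 0) > 1023):
        return "ssdp-response"         # unicast reply to an M-SEARCH this host sent
    return "other"


def summarize(text):
    """Count drops per (source address, label) so the noisy talker stands out."""
    counts = Counter()
    for rec in parse_log(text):
        counts[(rec["SRC"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (src, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {label:15} {n}")
```

Run against a real `/var/log/firewall` excerpt, the summary shows at a glance whether the drops are all SSDP chatter from one LAN device or whether anything else is hiding among them.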
On 03/02/2016 07:50 AM, Carlos E. R. wrote:
> I have started wireshark listening to traffic from 192.168.1.5, and I see it is sending those packages I see in the firewall, and others to 239.255.255.250, which I find strange. Must be a broadcast.

It's multicast. Multicast is used by many services. For example, I have a Yamaha A/V receiver and an app for it on my tablet & smart phone. Those devices listen for the multicast packets to find the receiver. Multicast is also used for Windows/Samba file sharing and even NTP can be configured to use it, among many other uses.

BTW, with IPv6, there's no longer a broadcast address. There's various types of multicast, including all hosts, which takes the place of broadcasts to the local network.
Hi,

From the look of it you have UPnP enabled on your router and it is attempting to auto-discover any ports you want exposed to the outside world. It appears to be attempting to auto-discover any ports you want forwarded.

That's just based on a quick scan of the draft, so I could easily be wrong. The simplest thing to do is check the router and see if you have UPnP enabled. Then check if there's also some auto-discovery option that's enabled. If you do have auto-discovery enabled, you could try disabling it and see if the messages stop being sent (of course, it may not give you the option to disable it separately, either). If you're not using UPnP on that router, you could just try disabling it completely, which ought to shut off the message traffic.

Brendan

On 02/03/16 12:50, Carlos E. R. wrote:
> Hi,
>
> I have just noticed frequent rejection messages in the firewall log:
>
> <0.4> 2016-03-02 12:53:42 Telcontar kernel - - - [170676.016540] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:08:00 SRC=192.168.1.5 DST=192.168.1.14 LEN=348 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=10277 LEN=328
>
> The originator is a secondary router which I use to provide WiFi in my network. The destination is my desktop computer.
>
> The source port I can identify as "ssdp", but the destination port is not registered to any service. Should I open it, and would it give me any advantage?
>
> https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
>
> The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information. It accomplishes this without assistance of server-based configuration mechanisms, such as the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS), and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments. It was formally described in an IETF Internet draft by Microsoft and Hewlett-Packard in 1999. Although the IETF proposal has since expired,[1] SSDP was incorporated into the UPnP protocol stack, and a description of the final implementation is included in UPnP standards documents.[2]
>
> (I find it strange to open a port such as 10277)
>
> I have started wireshark listening to traffic from 192.168.1.5, and I see it is sending those packages I see in the firewall, and others to 239.255.255.250, which I find strange. Must be a broadcast.
>
> Some data extracted by wireshark:
>
> 1 11:46:10.048629000 192.168.1.5 192.168.1.14 SSDP 362 HTTP/1.1 200 OK
> Frame 1: 362 bytes on wire (2896 bits), 362 bytes captured (2896 bits) on interface 0
> Ethernet II, Src: Tp-LinkT_91:f4:22 (f8:1a:67:91:f4:22), Dst: Micro-St_16:2d:0b (00:21:85:16:2d:0b)
> Internet Protocol Version 4, Src: 192.168.1.5 (192.168.1.5), Dst: 192.168.1.14 (192.168.1.14)
> User Datagram Protocol, Src Port: 1900 (1900), Dst Port: 10277 (10277)
> Hypertext Transfer Protocol
>
> --
> Cheers
> Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
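To make concrete what the router is doing, here is the SSDP exchange with both sides' messages, added as an example (this is not code from the thread, from the router vendor or from SuSEfirewall2; the LOCATION URL, SERVER string and UUID in the sample reply are invented): a control point such as the desktop multicasts an M-SEARCH from an ephemeral port to 239.255.255.250:1900, and a UPnP device answers by unicast from its port 1900 back to that ephemeral port, which is the shape of the packet in Carlos's capture. The toy filter at the end models why a connection-tracking firewall drops that reply by default: the outbound query was recorded towards the multicast group, so a reply arriving from 192.168.1.5 matches no tracked flow and falls through to the default-drop rule. If the discovery replies were actually wanted, the narrow allowance is UDP source port 1900 from the LAN subnet on the internal zone only; nothing on the external zone needs to change.

```python
from ipaddress import ip_address, ip_network

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
CRLF = "\r\n"


def build_msearch(st="ssdp:all", mx=2):
    """M-SEARCH request as a control point multicasts it to 239.255.255.250:1900."""
    return (f"M-SEARCH * HTTP/1.1{CRLF}"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}{CRLF}"
            f'MAN: "ssdp:discover"{CRLF}'
            f"MX: {mx}{CRLF}"
            f"ST: {st}{CRLF}{CRLF}").encode()


# Constructed reply of the kind a UPnP gateway sends by unicast from its port 1900
# back to the port the M-SEARCH came from; LOCATION path, SERVER and UUID are invented.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.168.1.5:1900/igd.xml\r\n"
    "SERVER: Linux UPnP/1.0 example-gateway/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
).encode()


def parse_ssdp(data):
    """Split an SSDP datagram into its start line and a dict of upper-cased headers."""
    head, _, _ = data.decode("latin-1").partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def matches_search(request, response):
    """True if the response answers the request (same ST, or the request asked for all)."""
    _, req = parse_ssdp(request)
    start, resp = parse_ssdp(response)
    if not start.startswith("HTTP/1.1 200"):
        return False
    return req.get("ST") in ("ssdp:all", resp.get("ST"))


class StatefulUdpFilter:
    """Toy model of connection-tracked UDP filtering on the desktop (not SuSEfirewall2)."""

    def __init__(self, lan_rules=()):
        self.expected = set()              # reply tuples the tracker would accept
        self.lan_rules = list(lan_rules)   # (network, source port) pairs explicitly allowed

    def outbound(self, src, sport, dst, dport):
        # the tracker expects the reply to come from the address the query went to
        self.expected.add((dst, dport, src, sport))

    def inbound(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.expected:
            return "ACCEPT:established"
        for net, port in self.lan_rules:
            if ip_address(src) in net and sport == port:
                return "ACCEPT:lan-rule"
        return "DROP:default"


def demo():
    """Replay the exchange behind the dropped packet; returns both verdicts."""
    default_fw = StatefulUdpFilter()
    lan_fw = StatefulUdpFilter(lan_rules=[(ip_network("192.168.1.0/24"), SSDP_PORT)])
    for fw in (default_fw, lan_fw):
        fw.outbound("192.168.1.14", 10277, SSDP_GROUP, SSDP_PORT)   # desktop M-SEARCH
    reply = ("192.168.1.5", SSDP_PORT, "192.168.1.14", 10277)       # router's 200 OK
    return default_fw.inbound(*reply), lan_fw.inbound(*reply)


if __name__ == "__main__":
    start, headers = parse_ssdp(SAMPLE_RESPONSE)
    print(start, "->", headers["LOCATION"], headers["ST"])
    print("answers our M-SEARCH:", matches_search(build_msearch(), SAMPLE_RESPONSE))
    print("verdicts (default, with LAN rule):", demo())
```

The LOCATION header is the part worth looking at from a defender's seat: it names the description URL the device is advertising, and an InternetGatewayDevice ST means the router is offering the port-mapping service that UPnP clients use, which is exactly what one does not want active on a box that has no WAN side.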
On 2016-03-02 21:04, Brendan McKenna wrote:
> Hi,
>
> From the look of it you have UPnP enabled on your router and it is attempting to auto-discover any ports you want exposed to the outside world. It appears to be attempting to auto-discover any ports you want forwarded.
>
> That's just based on a quick scan of the draft, so I could easily be wrong. The simplest thing to do is check the router and see if you have UPnP enabled. Then check if there's also some auto-discovery option that's enabled. If you do have auto-discovery enabled, you could try disabling it and see if the messages stop being sent (of course, it may not give you the option to disable it separately, either). If you're not using UPnP on that router, you could just try disabling it completely, which ought to shut off the message traffic.

Yes, it makes sense. I should have known. I will seek the option and disable it in the router, because this one is not facing outside. In fact, the "wan" is not connected, I only use the internal side.

Thanks.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))