Any ideas what this is about?

Apologies if this in in the wrong part of the forum.

Just installed Look'n'Stop firewall, trying to get my head around things and looking at the logs, came across an entry that showed my PC was trying to contact this IP address which came up with like this on a Whois was done:

05/01/04 18:13:40 IP block 239.255.255.250
Trying 239.255.255.250 at ARIN
Trying 239.255.255 at ARIN

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 224.0.0.0 - 239.255.255.255
CIDR: 224.0.0.0/4
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: FLAG.EP.NET
NameServer: STRUL.STUPI.SE
NameServer: NS.ISI.EDU
NameServer: NIC.NEAR.NET
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
Comment:
RegDate: 1991-05-22
Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN

There is no Reverse DNS when a lookup was done.

Now, my question is, What is the 'special purposes' mentioned above, who is running the IP address and should I allow this to happen??

It was a UDP protocol from my port 3755 to their 1900 and the packet contained this:
0000:4D 2D 53 45 41 52 43 48 M-SEARCH
0008:20 2A 20 48 54 54 50 2F * HTTP/
0010:31 2E 31 0D 0A 48 6F 73 1.1..Hos
0018:74 3A 32 33 39 2E 32 35 t:239.25
0020:35 2E 32 35 35 2E 32 35 5.255.25
0028:30 3A 31 39 30 30 0D 0A 0:1900..
0030:53 54 3A 75 70 6E 70 3A ST:upnp:
0038:72 6F 6F 74 64 65 76 69 rootdevi
0040:63 65 0D 0A 4D 61 6E 3A ce..Man:
0048:22 73 73 64 70 3A 64 69 "ssdp:di
0050:73 63 6F 76 65 72 22 0D scover".
0058:00 00 00 00 00 00 00 00 ........
0060:00 .

Now it may be innocent, but I don't like the words "ssdp:discover"

Anyone know what this is about?

BTW, like this forum, it appears to be objective and more to the point, relatively up to date.

 

This seems to be traffic generated by the Windows services "SSDP Discovery Service" and "Universal Plug & Play".

You should be able to safely disable them, either in the Windows services manager or by using this little tool :

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

It is safe to block this kind of traffic, unless your computer relies on a gateway and need automatic gateway discovery.

regards,

gkweb.

 

Thanks for that. I was oblivious to this type of thing before. It was the 'special purposes' that raised my suspicions!!

 

Hello gkweb,

Your WWDC tool is a small, but very nice peace of software!!
Thank you very much for offering this tool to all of us!
I have lots of colleagues, who are not so familiar with the Windows services, and using WWDC is a simple and fast way for them to disable these ugly holes in Win-2k and XP!!

Thanks a lot,
Thomas

 

Thanks you Thomas

 

Colin,
I've been bugged by them today, and it's not the first time. Someone is using it as a front to get in. If your firewall is blocking it, not to worry.
Berry

 

Must admit, stopped using Look'n'stop becuase I couldn't set it up for my needs. My Peer to Peer network was just sooooo flaky.

However, I got this everytime I started up, or at least, that is what was reported. Still not sure if it was a threat or not. I have also since loaded TDS-3 to see if I had some trojan running, appears not and all Malware/Spyware is cleaned by the 'Usual Suspects'

I just get suspicious when something says that is is for 'special purposes' - if it's that special - and of course beneficial, why can't we find out what it's for!!

 

Hi ceejay13,

You probably didn't disable the Statefull Packet Inspection (SPI) ? which is known to cause problem with a massive amount of connections.

regards,

gkweb.

 

Thanks gkweb,

Yes, the problems were the SPI, but I had made a rule to allow the MAC addresses of the other systems to be 'trusted' for all types of comms - I would have thought that this was enough.

However, because I set up everything and all was OK and then I would come back next day and I couldn't connect, I decided that I had to have a reliable connection in the network for backing up my main system to my Laptop. This is usually done at the last minute and as I couldn't 'trust' that the connection would be there, I decided to change to Kerio, which I was evaluating on another system and was a lot easier to set up. I may install LNS on a less critical system when I understand LNS a bit more and have some time to 'play'.

Thanks for your help, and I will still be 'lurking' in this forum to stay in touch with developments