Any ideas what this is about?

Discussion in 'LnS English Forum' started by ceejay13, May 1, 2004.

Thread Status:
Not open for further replies.
  1. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Apologies if this is in the wrong part of the forum.

    Just installed Look'n'Stop firewall, trying to get my head around things and looking at the logs, came across an entry that showed my PC was trying to contact this IP address, which came up like this when a Whois was done:

    05/01/04 18:13:40 IP block 239.255.255.250
    Trying 239.255.255.250 at ARIN
    Trying 239.255.255 at ARIN

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 224.0.0.0 - 239.255.255.255
    CIDR: 224.0.0.0/4
    NetName: MCAST-NET
    NetHandle: NET-224-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: FLAG.EP.NET
    NameServer: STRUL.STUPI.SE
    NameServer: NS.ISI.EDU
    NameServer: NIC.NEAR.NET
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 3171 for additional information.
    Comment:
    RegDate: 1991-05-22
    Updated: 2002-09-16

    OrgAbuseHandle: IANA-IP-ARIN

    OrgTechHandle: IANA-IP-ARIN

    There is no Reverse DNS when a lookup was done.

    Now, my question is, what is the 'special purposes' mentioned above, who is running the IP address and should I allow this to happen??

    It was a UDP protocol from my port 3755 to their 1900 and the packet contained this:
    0000:4D 2D 53 45 41 52 43 48 M-SEARCH
    0008:20 2A 20 48 54 54 50 2F * HTTP/
    0010:31 2E 31 0D 0A 48 6F 73 1.1..Hos
    0018:74 3A 32 33 39 2E 32 35 t:239.25
    0020:35 2E 32 35 35 2E 32 35 5.255.25
    0028:30 3A 31 39 30 30 0D 0A 0:1900..
    0030:53 54 3A 75 70 6E 70 3A ST:upnp:
    0038:72 6F 6F 74 64 65 76 69 rootdevi
    0040:63 65 0D 0A 4D 61 6E 3A ce..Man:
    0048:22 73 73 64 70 3A 64 69 "ssdp:di
    0050:73 63 6F 76 65 72 22 0D scover".
    0058:00 00 00 00 00 00 00 00 ........
    0060:00 .

    Now it may be innocent, but I don't like the words "ssdp:discover"

    Anyone know what this is about?

    BTW, like this forum, it appears to be objective and more to the point, relatively up to date.
     
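Added example (not code from the post or from any forum member): a small Python script that reconstructs the packet bytes from the firewall log dump quoted above, checks the destination against the IANA multicast block shown in the Whois output, and parses the payload as an SSDP (HTTP-over-UDP) request so the log entry can be classified. The dump text, the destination 239.255.255.250 and port 1900 are taken from the post; the assumption that each dump line carries at most 8 bytes followed by an ASCII column is mine.

```python
import ipaddress
import re

# Hex dump exactly as it appears in the firewall log quoted in the post.
LOG_DUMP = """\
0000:4D 2D 53 45 41 52 43 48 M-SEARCH
0008:20 2A 20 48 54 54 50 2F * HTTP/
0010:31 2E 31 0D 0A 48 6F 73 1.1..Hos
0018:74 3A 32 33 39 2E 32 35 t:239.25
0020:35 2E 32 35 35 2E 32 35 5.255.25
0028:30 3A 31 39 30 30 0D 0A 0:1900..
0030:53 54 3A 75 70 6E 70 3A ST:upnp:
0038:72 6F 6F 74 64 65 76 69 rootdevi
0040:63 65 0D 0A 4D 61 6E 3A ce..Man:
0048:22 73 73 64 70 3A 64 69 "ssdp:di
0050:73 63 6F 76 65 72 22 0D scover".
0058:00 00 00 00 00 00 00 00 ........
0060:00 .
"""

# Values from the log entry in the post.
DST_IP = "239.255.255.250"
DST_PORT = 1900

# Multicast block listed in the Whois output (NetName MCAST-NET) and the
# well-known SSDP group address and port.
MCAST_NET = ipaddress.ip_network("224.0.0.0/4")
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def dump_to_bytes(dump: str) -> bytes:
    """Turn an 'OFFSET:XX XX ... ascii' log dump back into raw bytes.

    Assumption: at most 8 hex bytes per line, then an ASCII column; the first
    token that is not a two-digit hex value ends the byte list for that line.
    """
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        tokens = line.split(":", 1)[1].split()
        for tok in tokens[:8]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_httpu(payload: bytes) -> tuple[str, dict]:
    """Parse an HTTP-over-UDP request: request line plus 'Name:value' headers."""
    text = payload.rstrip(b"\x00").decode("latin-1")  # strip zero padding
    lines = text.splitlines()                           # handles CRLF and bare CR
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify_ssdp(payload: bytes, dst_ip: str, dst_port: int) -> dict:
    """Decide whether a UDP datagram is an SSDP discovery probe and where it goes."""
    request_line, headers = parse_httpu(payload)
    method = request_line.split(" ")[0] if request_line else ""
    dst = ipaddress.ip_address(dst_ip)
    man = headers.get("man", "").strip('"')
    return {
        "method": method,
        "is_multicast": dst.is_multicast,
        "in_mcast_net": dst in MCAST_NET,
        "to_ssdp_group": dst == SSDP_GROUP and dst_port == SSDP_PORT,
        "host_header_matches": headers.get("host") == f"{dst_ip}:{dst_port}",
        "search_target": headers.get("st"),
        "is_ssdp_discover": method == "M-SEARCH" and man == "ssdp:discover",
    }


if __name__ == "__main__":
    payload = dump_to_bytes(LOG_DUMP)
    for key, value in classify_ssdp(payload, DST_IP, DST_PORT).items():
        print(f"{key:>20}: {value}")
```

A multicast group address is not "run" by anyone, which is why the Whois only shows the IANA reservation and why there is no reverse DNS for it: the packet is an M-SEARCH probe with ST "upnp:rootdevice", i.e. the host asking any UPnP device on the local network to announce itself. The 239.0.0.0/8 range is the administratively scoped block (RFC 2365), so a normally configured router does not forward it to the Internet; the verdict dictionary is what a defender would log to tell this from a unicast connection to an unknown host.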
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    This seems to be traffic generated by the Windows services "SSDP Discovery Service" and "Universal Plug & Play".

    You should be able to safely disable them, either in the Windows services manager or by using this little tool:

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

    It is safe to block this kind of traffic, unless your computer relies on a gateway and needs automatic gateway discovery.

    regards,

    gkweb.
     
  3. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Thanks for that. I was oblivious to this type of thing before. It was the 'special purposes' that raised my suspicions!! :eek:
     
  4. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Hello gkweb,

    Your WWDC tool is a small, but very nice piece of software!!
    Thank you very much for offering this tool to all of us!
    I have lots of colleagues, who are not so familiar with the Windows services, and using WWDC is a simple and fast way for them to disable these ugly holes in Win-2k and XP!!

    Thanks a lot,
    Thomas :)
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you Thomas :)
     
  6. Berry

    Berry Guest

    Colin,
    I've been bugged by them today, and it's not the first time. Someone is using it as a front to get in. If your firewall is blocking it, not to worry.
    Berry
     
  7. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Must admit, stopped using Look'n'Stop because I couldn't set it up for my needs. My Peer to Peer network was just sooooo flaky.

    However, I got this every time I started up, or at least, that is what was reported. Still not sure if it was a threat or not. I have also since loaded TDS-3 to see if I had some trojan running, appears not and all Malware/Spyware is cleaned by the 'Usual Suspects' :D

    I just get suspicious when something says that it is for 'special purposes' - if it's that special - and of course beneficial, why can't we find out what it's for!! :mad:
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi ceejay13,

    You probably didn't disable the Stateful Packet Inspection (SPI)? It is known to cause problems with a massive amount of connections.

    regards,

    gkweb.
     
  9. ceejay13

    ceejay13 Registered Member

    Joined:
    May 1, 2004
    Posts:
    34
    Location:
    Basingstoke, UK
    Thanks gkweb,

    Yes, the problems were the SPI, but I had made a rule to allow the MAC addresses of the other systems to be 'trusted' for all types of comms - I would have thought that this was enough.

    However, because I set up everything and all was OK and then I would come back next day and I couldn't connect, I decided that I had to have a reliable connection in the network for backing up my main system to my Laptop. This is usually done at the last minute and as I couldn't 'trust' that the connection would be there, I decided to change to Kerio, which I was evaluating on another system and was a lot easier to set up. I may install LNS on a less critical system when I understand LNS a bit more and have some time to 'play'.

    Thanks for your help, and I will still be 'lurking' in this forum to stay in touch with developments :D
     