
I just fired up Wireshark on my computer in my apartment and I noticed that another computer on the apartment building's network was sending out a lot of HTTP over UDP packets (about 18-20 per second...maybe not a "flood", but a lot) with the request line M-SEARCH * HTTP/1.1. Now, I am not the network administrator, and I have no control over whichever computer is sending out those packets, so I'm investigating this merely for my own curiosity.

Here's the information of a typical packet as reported by Wireshark:

 --UDP--
 Source port: 50623
 Destination port: ssdp (1900)
 Length: 140
 --HTTP--
 Request Method: M-SEARCH
 Request URI: *
 Request Version: HTTP/1.1
 MX: 3\r\n
 HOST: 239.255.255.250:1900\r\n
 MAN: "ssdp:discover"\r\n
 ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n

I did some Googling and found a link suggesting that this could be related to Windows Messenger; the only difference is that that web page says the search target should be urn:schemas-upnp-org:device:InternetGatewayDevice:1 but the packets I'm seeing have a search target of urn:schemas-upnp-org:device:WANIPConnection:1 or urn:schemas-upnp-org:device:WANPPPConnection:1.

I also found another link suggesting that it could be related to the Downadup worm, but that web page says that the worm should be sending out packets with four different search targets, namely the two I'm seeing as well as urn:schemas-upnp-org:device:InternetGatewayDevice:1 and upnp:rootdevice. I'm not sure whether the absence of the other two search targets indicates that this is not the Downadup worm.

And I found yet another link which mentions something to do with Universal Plug-and-Play but I really don't know enough about UPnP to interpret what they're talking about on that page.

Does anyone recognize this situation and can tell me what might have been going on with that other computer?

P.S. Incidentally: since I started writing this message, the packet stream seems to have stopped.

David Z

6 Answers


These are UPnP discovery packets. Their purpose is to discover UPnP devices like home routers or media servers. For example, Windows Live Messenger tries to discover the home router behind which it is connected in order to redirect some network ports automatically.

The rate is unusual, though. It is normal to receive a lot of these packets on a large Ethernet network because they are usually sent to the broadcast address, but receiving 18-20 per second from a single computer is abnormal.

Etienne Dechamps
  • Good to know... I figured it was something like that, but thanks for confirming. No speculation as to the cause, though? (virus/worm or pseudo-normal Messenger activity?) – David Z Sep 13 '09 at 21:25
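The answer above makes two checks a practitioner would want to automate: what the M-SEARCH packets are asking for (the ST header) and whether the rate from one source is abnormal. The following script, added here as an example and not part of the original thread, parses SSDP datagrams of the shape shown in the question and reports, per source address, the count of discovery requests, the distinct search targets, and the peak per-second rate, flagging any source above a threshold. The capture it runs over is constructed inline (the addresses 192.168.1.23, 192.168.1.7 and 192.168.1.50 and the timestamps are made up to mimic the question's 18-20 packets per second); in practice you would feed it the UDP payloads, timestamps and source IPs exported from Wireshark or a pcap library.

```python
import re
from collections import defaultdict


def _msearch(st: str) -> bytes:
    """Build an SSDP M-SEARCH datagram in the form shown in the question."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 3\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
WANPPP = "urn:schemas-upnp-org:service:WANPPPConnection:1"

# Constructed sample capture: (timestamp in seconds, source IP, UDP payload).
# 192.168.1.23 is the "noisy" host: 20 discovery requests inside one second.
# 192.168.1.7 behaves like an ordinary UPnP client, and 192.168.1.50 sends a
# NOTIFY (a device announcement, not a search), which must not be counted.
SAMPLE_PACKETS = (
    [(i * 0.05, "192.168.1.23", _msearch(WANIP)) for i in range(10)]
    + [(0.5 + i * 0.05, "192.168.1.23", _msearch(WANPPP)) for i in range(10)]
    + [(0.3, "192.168.1.7", _msearch("ssdp:all")),
       (2.1, "192.168.1.7", _msearch("upnp:rootdevice"))]
    + [(1.0, "192.168.1.50",
        b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\n\r\n")]
)

_REQUEST_LINE = re.compile(r"^(M-SEARCH|NOTIFY) \* HTTP/1\.1$")


def parse_ssdp(payload: bytes):
    """Return (method, headers) for an SSDP datagram, or None if it is not one.

    SSDP is HTTP-over-UDP: a request line followed by CRLF-separated headers.
    Header names are upper-cased because senders vary their case.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = _REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return match.group(1), headers


def summarize(packets, rate_threshold=5.0):
    """Per source: discovery count, search targets, peak 1-second rate, flag.

    Only M-SEARCH datagrams carrying MAN: "ssdp:discover" are counted; a source
    whose peak per-second rate exceeds rate_threshold is flagged as abnormal.
    """
    per_src = defaultdict(lambda: {"count": 0, "targets": set(),
                                   "buckets": defaultdict(int)})
    for ts, src, payload in packets:
        parsed = parse_ssdp(payload)
        if parsed is None:
            continue
        method, headers = parsed
        if method != "M-SEARCH" or headers.get("MAN") != '"ssdp:discover"':
            continue
        entry = per_src[src]
        entry["count"] += 1
        entry["targets"].add(headers.get("ST", "<missing>"))
        entry["buckets"][int(ts)] += 1  # one-second buckets

    report = {}
    for src, entry in per_src.items():
        peak = max(entry["buckets"].values())
        report[src] = {
            "count": entry["count"],
            "targets": sorted(entry["targets"]),
            "peak_rate": peak,
            "flagged": peak > rate_threshold,
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_PACKETS).items():
        flag = "ABNORMAL" if info["flagged"] else "ok"
        print(f"{src}: {info['count']} M-SEARCH, peak {info['peak_rate']}/s, "
              f"targets={info['targets']} [{flag}]")
```

The threshold of 5 per second is an assumption chosen for the sample; a UPnP client normally sends a handful of M-SEARCH requests per search target and then waits MX seconds for responses, so a sustained rate in the tens per second from one host is the thing worth following up on, whichever ST it asks for.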

Just in case someone else sees the same packets: yes, these are UPnP discovery packets searching for an IP router. If UPnP is enabled in your router, the software that wants to find it can add port mappings, delete port mappings, get the external IP address (the router IP), etc.

Basically, most of the time, the code searching for a WANIPConnection or WANPPPConnection service type (ST: WANIPConnection/WANPPPConnection) wants to achieve inbound connections. This is common for P2P applications and all kinds of applications that require inbound connections. Viruses and netbots also do the same.

A NATed computer requires port forwarding to be reachable, and that can only be done from inside.

lontivero
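The steps lontivero describes (find the router with M-SEARCH, then use the WANIPConnection service to add a port mapping) are a short, unauthenticated exchange, which is why any program on the LAN, legitimate or not, can open an inbound hole in the router. The script below, added here as an example and not part of the original thread, builds each message of that exchange and parses the router's side of it. The router response, the device description XML at the LOCATION URL, the control URL /ctl/IPConn and the addresses 192.168.1.1 and 192.168.1.23 are all constructed for the example; nothing is sent on the network. The message formats themselves (HTTPU M-SEARCH, the 200 OK with LOCATION, the device description, and the SOAP AddPortMapping action) follow the UPnP IGD specification.

```python
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = "urn:schemas-upnp-org:device-1-0"


def build_msearch(st: str, mx: int = 3) -> bytes:
    """Step 1: the multicast discovery request the question captured."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()


def parse_msearch_response(payload: bytes) -> dict:
    """Step 2: parse the unicast reply a router sends to the searcher.

    Returns the headers (upper-cased names) or {} if it is not a 200 OK.
    """
    text = payload.decode("ascii", errors="replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def find_control_url(description_xml: str, service_type: str):
    """Step 3: in the device description fetched from LOCATION, find the
    controlURL of the requested service (nested under WANConnectionDevice)."""
    root = ET.fromstring(description_xml)
    ns = {"u": DEVICE_NS}
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        if svc.findtext("u:serviceType", namespaces=ns) == service_type:
            return svc.findtext("u:controlURL", namespaces=ns)
    return None


def build_add_port_mapping(control_url, host, ext_port, int_port, int_client,
                           proto="TCP", desc="example", lease=0) -> bytes:
    """Step 4: the SOAP AddPortMapping POST. No credentials are involved."""
    body = (
        '<?xml version="1.0"?>\r\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{int_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>\r\n"
    ).encode()
    head = (
        f"POST {control_url} HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{WANIP}#AddPortMapping"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# Constructed router reply to the M-SEARCH (what a real IGD unicasts back).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"EXT:\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n"
)

# Constructed device description served at LOCATION (trimmed to the parts used).
SAMPLE_DESCRIPTION = f"""<?xml version="1.0"?>
<root xmlns="{DEVICE_NS}">
 <device><deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service><serviceType>{WANIP}</serviceType>
     <controlURL>/ctl/IPConn</controlURL></service></serviceList>
   </device></deviceList></device></deviceList></device></root>"""


def walk_exchange():
    """Run the four steps over the constructed data; returns what each yields."""
    headers = parse_msearch_response(SAMPLE_RESPONSE)
    control = find_control_url(SAMPLE_DESCRIPTION, WANIP)
    soap = build_add_port_mapping(control, "192.168.1.1:5000", 6881, 6881,
                                  "192.168.1.23", desc="p2p-client")
    return {"msearch": build_msearch(WANIP), "location": headers.get("LOCATION"),
            "control_url": control, "soap": soap}


if __name__ == "__main__":
    for name, value in walk_exchange().items():
        print(f"--- {name} ---\n{value.decode() if isinstance(value, bytes) else value}")
```

The control URL in a real description is relative to the LOCATION URL's scheme and host, which is why the POST above goes to 192.168.1.1:5000. The security point in the answer follows from the exchange: the router accepts AddPortMapping from anyone who can reach the control URL, so the only effective controls are disabling UPnP on the router (as the next answer does) or restricting which internal hosts can reach it.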

I know this is an old post, but just to share my research on the same: I had captured the same set of packets in my Wireshark as well.

I had initially disabled UPnP on my Windows 7 Machine but this didn't help. After which I got rid of these noisy packets by disabling UPnP at my Router.

Deer Hunter

What to look for is that the protocol is SSDP: the Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information. -Wikipedia

What everyone should know is the IP address of every piece of equipment on their personal network... so you should see these kinds of messages in Wireshark (as long as they remain within your network, good). Find out how your neighbor got onto your network, because his equipment is trying to locate your equipment.

jasahasch

Sorry to bump this post but I see it went unanswered, this issue still exists on Windows 7

If you turn off both the SSDP Discovery service and the Universal Plug and Play Device Host, not all SSDP traffic is stopped; User Datagram Protocol (UDP) port 1900 traffic may still be logged in firewall logs or packet filtering device logs. If you run a trace of the traffic, the following information is displayed in the data section of the packet:

 SSDP: Method = M-SEARCH
 SSDP: Uniform Resource Identifier = *
 SSDP: HTTP Protocol Version = HTTP/1.1
 SSDP: Host = 239.255.255.250:1900
 SSDP: Search Target = urn:schemas-upnp-org:device:InternetGatewayDevice:1
 SSDP: Mandatory Extension = "ssdp:discover"
 SSDP: Maximum Wait = 3 

Windows Messenger sends SSDP packets; it doesn't use the SSDP service but creates the SSDP packets and sends them itself (it does SSDP on its own). You'd have to disable this in the registry.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

To resolve this issue, configure the registry to turn off the discovery messages:

1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
3. On the Edit menu, click Add Value, and then add the following registry value:

 Value name: UPnPMode
 Data type: REG_DWORD
 Value data: 2 

4. Quit Registry Editor.

Josh

I just stopped and disabled the UPnP service on a Windows 7 PC and I still get these, so it's not coming from UPnP on my PC. I know this post is old, but I wanted to add that it's not necessarily UPnP.

Ian