
Network flooded with M-SEARCH packets: what does it mean?


Question

I just fired up Wireshark on my computer in my apartment and I noticed that another computer on the apartment building’s network was sending out a lot of HTTP over UDP packets (about 18-20 per second…maybe not a “flood”, but a lot) with the request line M-SEARCH * HTTP/1.1. Now, I am not the network administrator, and I have no control over whichever computer is sending out those packets, so I’m investigating this merely for my own curiosity.

Here’s the information of a typical packet as reported by Wireshark:

--UDP--
Source port: 50623
Destination port: ssdp (1900)
Length: 140
--HTTP--
Request Method: M-SEARCH
Request URI: *
Request Version: HTTP/1.1
MX: 3\r\n
HOST: 239.255.255.250:1900\r\n
MAN: "ssdp:discover"\r\n
ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n

I did some Googling and found a link suggesting that this could be related to Windows Messenger; the only difference is that that web page says the search target should be urn:schemas-upnp-org:device:InternetGatewayDevice:1 but the packets I’m seeing have a search target of urn:schemas-upnp-org:device:WANIPConnection:1 or urn:schemas-upnp-org:device:WANPPPConnection:1.

I also found another link suggesting that it could be related to the Downadup worm, but that web page says that the worm should be sending out packets with four different search targets, namely the two I’m seeing as well as urn:schemas-upnp-org:device:InternetGatewayDevice:1 and upnp:rootdevice. I’m not sure whether the absence of the other two search targets indicates that this is not the Downadup worm.

And I found yet another link which mentions something to do with Universal Plug-and-Play but I really don’t know enough about UPnP to interpret what they’re talking about on that page.

Does anyone recognize this situation and can tell me what might have been going on with that other computer?

P.S. Incidentally: since I started writing this message, the packet stream seems to have stopped.

Answer

These are UPnP discovery packets. Their purpose is to discover UPnP devices like home routers or media servers. For example, Windows Live Messenger tries to discover the home router behind which it is connected in order to redirect some network ports automatically.

The rate is unusual, though. It is normal to receive a lot of these packets on a large Ethernet network because they are usually sent to the broadcast address, but receiving 18-20 per second from a single computer is abnormal.
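
An added example, not part of the original question or answer: a small Python triage script that parses SSDP M-SEARCH payloads like the one in the question and reports, per source, the request rate and the set of search targets (ST) seen. The function names, the 5 requests/second threshold, and the sample capture (documentation-range addresses, timestamps) are assumptions constructed for illustration.

```python
from collections import defaultdict

def parse_msearch(payload: bytes):
    """Return SSDP headers as a dict (upper-cased names), or None if not an M-SEARCH."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    if lines[0].strip() != "M-SEARCH * HTTP/1.1":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on first ':' only (ST values contain ':')
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def summarize(packets, threshold_per_sec=5.0):
    """packets: iterable of (timestamp_seconds, source_ip, udp_payload).
    Returns {source_ip: {"rate": float, "targets": set, "flagged": bool}}."""
    times = defaultdict(list)
    targets = defaultdict(set)
    for ts, src, payload in packets:
        headers = parse_msearch(payload)
        if headers is None or headers.get("MAN", "").strip('"') != "ssdp:discover":
            continue
        times[src].append(ts)
        targets[src].add(headers.get("ST", ""))
    report = {}
    for src, stamps in times.items():
        span = max(stamps) - min(stamps)
        # Rate over the observed window; a single packet has no measurable rate.
        rate = (len(stamps) - 1) / span if span > 0 else 0.0
        report[src] = {"rate": rate, "targets": targets[src], "flagged": rate > threshold_per_sec}
    return report

def build(st):
    return ("M-SEARCH * HTTP/1.1\r\nMX: 3\r\nHOST: 239.255.255.250:1900\r\n"
            f'MAN: "ssdp:discover"\r\nST: {st}\r\n\r\n').encode()

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"   # as in the packet dump
WANPPP = "urn:schemas-upnp-org:device:WANPPPConnection:1"  # as written in the question
# Constructed capture: 192.0.2.10 sends 20 requests/s for 2 s; 192.0.2.20 sends one every 30 s.
SAMPLE = [(i * 0.05, "192.0.2.10", build(WANIP if i % 2 == 0 else WANPPP)) for i in range(41)]
SAMPLE += [(t, "192.0.2.20", build("upnp:rootdevice")) for t in (0.0, 30.0)]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        print(src, f"{info['rate']:.2f}/s", sorted(info["targets"]), "FLAGGED" if info["flagged"] else "ok")
```

To use it on a real capture, feed it the timestamp, source address and UDP payload of each packet sent to port 1900.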

