Default Block SSDP Reports
I have a few queries about the continual stream of Default Block SSDP messages reported by NS on my Windows 7 laptop.
The message I get is –
Rule “Default Block SSDP” rejected UDP(17) traffic with (192.168.1.1 Port ssdp(1900))
The traffic details give protocol as UDP(17), direction inbound, local IP 220.127.116.11, remote host 192.168.1.1, remote service port ssdp(1900), and adaptor index as 13. The NS reports in bursts of 28 times/second with 30 second gaps from the time Intrusion Detection is up and running – regardless of whether or not I am logged on.
My local network is my laptop wirelessly connected to a router (UPnP set off, firewall set on). Both NS and MWB give it a clean bill of health. My printer is USB connected if and when required. A Chromebook is also used occasionally (wirelessly). My router is an old, basic, Siemens SE572. I don’t know how long this has been going on since I have only recently started to look at NS Full History reports. Speed is normal.
I do not get the messages if I use the laptop at the local library (presumably different router, probably different ISP).
This issue seems to crop up occasionally in the forums (not so much recently). The expert opinion seems to be that this is down to some normal operation of the router, and not externally instigated, i.e. a local network only issue. And nothing to be concerned about – although others highlight the growing exploitation of SSDP vulnerabilities.
I am aware that the 18.104.22.168 address has something to do with uni- or multicasting; and 192.168.1.1 is the local address of my router.
Nevertheless, I would welcome any clarification as to just what is going on. I do have a concern about the relative rarity of this issue and the sheer frequency of this traffic.
I assume ‘incoming’ means incoming from the router to my laptop? As opposed to incoming from ‘outside’?
Why would multicast be involved?
What does ‘Adaptor Index 13’ mean?
I know I can switch off the reporting – but is there a way of stopping the transactions?
In particular, what are the transactions likely to do if they were not blocked? (As I may be getting a new, additional, PC shortly, without pre-installed security, I would be going through the set-up process to download NS via the internet whilst, presumably, handling lots of these unblocked SSDP transactions.)
Any thoughts welcome.