
Default Block SSDP Reports

I have a few queries about the continual stream of Default Block SSDP messages reported by NS on my Windows 7 laptop.
The message I get is –

Rule “Default Block SSDP” rejected UDP(17) traffic with (192.168.1.1 Port ssdp(1900))

The traffic details give protocol as UDP(17), direction inbound, local IP 239.255.255.250, remote host 192.168.1.1, remote service port ssdp(1900), and adaptor index as 13. The NS reports in bursts of 28 times/second with 30 second gaps from the time Intrusion Detection is up and running – regardless of whether or not I am logged on.

My local network is my laptop wirelessly connected to a router (UPnP set off, firewall set on). Both NS and MWB give it a clean bill of health. My printer is USB connected if and when required. A chromebook is also used occasionally (wirelessly). My router is an old, basic, Siemens SE572. I don’t know how long this has been going on since I have only recently started to look at NS Full History reports. Speed is normal.

I do not get the messages if I use the laptop at the local library (presumably different router, probably different ISP).
 
This issue seems to crop up occasionally in the forums (not so much recently). The expert opinion seems to be that this is down to some normal operation of the router, and not externally instigated, i.e. a local network only issue. And nothing to be concerned about – although others highlight the growing exploitation of ssdp vulnerabilities.
I am aware that the 230.255.255.250 address has something to do with uni- or multicasting; and 192.168.1.1 is the local address of my router.

Nevertheless, I would welcome any clarification as to just what is going on. I do have a concern about the relative rarity of this issue and the sheer frequency of this traffic.

    I assume ‘incoming’ means incoming from the router to my laptop? As opposed to incoming from ‘outside’?

    Why would multicast be involved?

    What does ‘Adaptor Index 13’ mean?

    I know I can switch off the reporting – but is there a way of stopping the transactions?

    In particular, what are the transactions likely to do if they were not blocked? (As I may be getting a new, additional, PC shortly, without pre-installed security, I would be going through the set-up process to download NS via the internet whilst, presumably, handling lots of these unblocked ssdp transactions).

Any thoughts welcome.

Peter

Replies

Re: Default Block SSDP Reports

Local IP addresses are not routable on the internet, so this is a device on your network at that address that is basically doing a shout-out to any other device that might be listening (multicasting).  If 192.168.1.1 is your router, then it is the router announcing itself.  Double check that UPnP is disabled in the router settings.

Re: Default Block SSDP Reports

Thanks. UPnP is definitely marked as 'off' on the router web page. Curious.

Peter

Re: Default Block SSDP Reports

Marazan:

Thanks. UPnP is definitely marked as 'off' on the router web page. Curious.

What about WPS in the router?  Have you disabled that as well?

Re: Default Block SSDP Reports

Thanks bjm and SendOfJive.

I cannot see any option/reference to WPS on the router web page (nor any hardware button other than 'reset'). Given that connecting both my laptop and chromebook was very simple, I would tend to the view it is fixed 'on'.

(Probably a daft thought, but I suppose I couldn't be picking up a multicast 'shout' from a nearby router?).

Peter

Re: Default Block SSDP Reports

I tried changing channels on the router (11 to 6) - this didn't make any difference.

However, stopping and resuming ssdp via Task Manager stops and restarts the flood of Norton 'default block ssdp' reports. I think my next step is to actually disable ssdp (once I've convinced myself it is safe to do so!).

But I'm having difficulties reconciling this with what NS is supposedly telling me: i.e. NS is apparently reporting on a constant flood of *incoming* messages on what I understand to be my router's local address - and yet I can stop these by stopping ssdp. I can see that this would stop ssdp sending messages to the router, but why would it stop the router sending out messages? Or am I misinterpreting the NS report?

Peter

Re: Default Block SSDP Reports

I'm not sure why you are concerned about this.  SSDP is a protocol associated with UPnP and Norton allows it on networks where sharing is enabled.  Norton blocks it otherwise.  Something on your local network is announcing its presence, and Norton is not allowing that traffic access to your PC because, based on your network settings, it is not needed.  The log entries are just recording the actions that Norton is taking.  There is no security issue, or any other issue here.
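
Added example, not part of any post in this thread: a small Python diagnostic that parses SSDP datagrams and tallies who on the LAN is announcing (NOTIFY) or searching (M-SEARCH), which is the information the firewall log entry does not show. The sample datagrams and the 192.168.1.10 client address are constructed for illustration; `listen()` is an optional helper for collecting live traffic.

```python
import socket, struct, time
from collections import Counter

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

def parse_ssdp(datagram):
    """Split one SSDP datagram (HTTP-style text over UDP) into (kind, headers)."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    # NOTIFY carries NTS (ssdp:alive / ssdp:byebye); M-SEARCH is a client query.
    kinds = (("NOTIFY", headers.get("NTS", "notify")), ("M-SEARCH", "search"), ("HTTP/", "search-response"))
    kind = next((k for prefix, k in kinds if lines[0].upper().startswith(prefix)), "unknown")
    return kind, headers

def summarize(packets):
    """Count datagrams per (sender IP, kind, advertised or searched type)."""
    counts = Counter()
    for sender, datagram in packets:
        kind, headers = parse_ssdp(datagram)
        counts[(sender, kind, headers.get("NT") or headers.get("ST", ""))] += 1
    return counts

def listen(seconds=30):
    """Join the SSDP multicast group and collect (sender IP, datagram) pairs."""
    mreq = struct.pack("4s4s", socket.inet_aton(SSDP_GROUP), socket.inet_aton("0.0.0.0"))
    packets, deadline = [], time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", SSDP_PORT))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data, (sender, _port) = sock.recvfrom(65507)
            except socket.timeout:
                break
            packets.append((sender, data))
    return packets

# Constructed sample datagrams and addresses, not captured from the poster's network.
ALIVE = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
         b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n")
SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')
SAMPLES = [("192.168.1.1", ALIVE), ("192.168.1.1", ALIVE), ("192.168.1.10", SEARCH)]
```

`summarize(SAMPLES)` shows the tally for the constructed input; `summarize(listen())` does the same for live traffic, provided the host firewall lets the datagrams through.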
