Windows 7 Port 1900UDP Linksys RV042 Synflood Alerts?

Hello Experts,

I'm getting from my RV042 router alerts about synflooding that's occuring on the network... here's a sample of the log:

Sun Aug 15 22:04:35 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:35 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 2 second(s) ago
Sun Aug 15 22:04:33 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:33 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 22:04:32 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:32 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 29 second(s) ago
Sun Aug 15 22:04:03 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:03 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:04:00 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:00 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:03:57 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:03:57 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 85 second(s) ago
Sun Aug 15 22:02:31 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:31 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:29 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:29 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:26 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:19 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:17 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:17 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:16 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:14 2010

Note that 192.168.1.24, .25 and .30 are 3 windows 7 machines that were recently added to the network.  

I did a bit of googling and it looks like the machines might be generating UPnP traffic?  Can someone confirm this, and how would I go about stopping them from broadcasting this, so that my firewall log doesn't send me these what appear to be false positive alerts...

Thanks!
LVL 2
taki1gostekAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
TechnicallyMaybeConnect With a Mentor Commented:
Sorry - here is the image I was referring to.
image15.png
0
 
TechnicallyMaybeCommented:
You are correct about UPnP and SSDP using udp 1900.
If you don't want Windows 7 to discover network devices, disable SSDP Discovery service.
To disable UPnP, stop the UPnP Device Host service.
Set both service startup to disabled to prevent them from starting on next reboot.

Even with both services disabled, you still may see the broadcasts, if so, make the following reg change:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 disabled
With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.
0
 
taki1gostekAuthor Commented:
thanks for the tip -- any chance I could make this happen using GP?
0
 
TechnicallyMaybeCommented:
See the image for the location in GP to control services.

For the reg change.  You can create a .reg file and execute it through the logon script.
0
 
taki1gostekAuthor Commented:
Thanks, technically, maybe :)
0
All Courses

From novice to tech pro — start learning today.