Solved

Windows 7 Port 1900UDP Linksys RV042 Synflood Alerts?

Posted on 2010-08-16
5
1,693 Views
Last Modified: 2012-05-10
Hello Experts,

I'm getting from my RV042 router alerts about synflooding that's occuring on the network... here's a sample of the log:

Sun Aug 15 22:04:35 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:35 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 2 second(s) ago
Sun Aug 15 22:04:33 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:33 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 22:04:32 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:32 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 29 second(s) ago
Sun Aug 15 22:04:03 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:03 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:04:00 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:00 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:03:57 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:03:57 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 85 second(s) ago
Sun Aug 15 22:02:31 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:31 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:29 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:29 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:26 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:19 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:17 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:17 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:16 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:14 2010

Note that 192.168.1.24, .25 and .30 are 3 windows 7 machines that were recently added to the network.  

I did a bit of googling and it looks like the machines might be generating UPnP traffic?  Can someone confirm this, and how would I go about stopping them from broadcasting this, so that my firewall log doesn't send me these what appear to be false positive alerts...

Thanks!
0
Comment
Question by:taki1gostek
  • 3
  • 2
5 Comments
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33445757
You are correct about UPnP and SSDP using udp 1900.
If you don't want Windows 7 to discover network devices, disable SSDP Discovery service.
To disable UPnP, stop the UPnP Device Host service.
Set both service startup to disabled to prevent them from starting on next reboot.

Even with both services disabled, you still may see the broadcasts, if so, make the following reg change:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 disabled
With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33445976
thanks for the tip -- any chance I could make this happen using GP?
0
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33447476
See the image for the location in GP to control services.

For the reg change.  You can create a .reg file and execute it through the logon script.
0
 
LVL 5

Accepted Solution

by:
TechnicallyMaybe earned 250 total points
ID: 33447483
Sorry - here is the image I was referring to.
image15.png
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33454210
Thanks, technically, maybe :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
While working, an annoying popup showing below will come and we cannot cancel or close it form the screen. The error message will come again and again.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now