Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Windows 7 Port 1900UDP Linksys RV042 Synflood Alerts?

Posted on 2010-08-16
5
Medium Priority
?
1,778 Views
Last Modified: 2012-05-10
Hello Experts,

I'm getting from my RV042 router alerts about synflooding that's occuring on the network... here's a sample of the log:

Sun Aug 15 22:04:35 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:35 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 2 second(s) ago
Sun Aug 15 22:04:33 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:33 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 22:04:32 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:32 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 29 second(s) ago
Sun Aug 15 22:04:03 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:03 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:04:00 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:04:00 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:03:57 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.30:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:03:57 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 85 second(s) ago
Sun Aug 15 22:02:31 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:31 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:29 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 22:02:29 2010
RGFW-RATELIMIT: 5 messages of type BLOCK-SYNFLOOD reported 3 second(s) ago
Sun Aug 15 22:02:26 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.24:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:19 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:18 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:17 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:17 2010
RGFW-RATELIMIT: 1 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:16 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-IN: BLOCK-RULES (UDP 192.168.1.25:1900->239.255.255.250:1900 on ixp1) [20,1]
Sun Aug 15 21:57:15 2010
RGFW-RATELIMIT: 2 messages of type BLOCK-SYNFLOOD reported 1 second(s) ago
Sun Aug 15 21:57:14 2010

Note that 192.168.1.24, .25 and .30 are 3 windows 7 machines that were recently added to the network.  

I did a bit of googling and it looks like the machines might be generating UPnP traffic?  Can someone confirm this, and how would I go about stopping them from broadcasting this, so that my firewall log doesn't send me these what appear to be false positive alerts...

Thanks!
0
Comment
Question by:taki1gostek
  • 3
  • 2
5 Comments
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33445757
You are correct about UPnP and SSDP using udp 1900.
If you don't want Windows 7 to discover network devices, disable SSDP Discovery service.
To disable UPnP, stop the UPnP Device Host service.
Set both service startup to disabled to prevent them from starting on next reboot.

Even with both services disabled, you still may see the broadcasts, if so, make the following reg change:
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
Name: UPnPMode
Type: REG_DWORD
Value: 2 disabled
With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33445976
thanks for the tip -- any chance I could make this happen using GP?
0
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33447476
See the image for the location in GP to control services.

For the reg change.  You can create a .reg file and execute it through the logon script.
0
 
LVL 5

Accepted Solution

by:
TechnicallyMaybe earned 1000 total points
ID: 33447483
Sorry - here is the image I was referring to.
image15.png
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33454210
Thanks, technically, maybe :)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This program is used to assist in finding and resolving common problems with wireless connections.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question