Default Block Upnp Discovery (1900) / Default Block LLMNR

Some info:

 

1 PC and 1 Laptop in the household

1 router connected to the PC. The Laptop use a WPA-key to access internet.

 

All of a sudden I see in my norton (NIS) log, that Default Block Upnp Discovery (port: 1900) and  Default Block LLMNR (port: 5355, 55949 etc) is popping up and its coming from my laptop. The program is svchost.exe.

 

Is this suspicious activity or what is this?

Hi brucegan,

 

These are both instances of devices on your Local Area Network using multicasting to communicate to any other device on the network that is listening.  Whether this traffic is allowed to enter your computer or not is controlled by the firewall through the Network Security Map.  If you have sharing enabled, this traffic would be allowed, as it makes it easier for devices to work together without the need for the user to make manual configuration changes.  If you do not share, then Norton blocks the traffic for a bit of additional safety.  What you are seeing is not suspicious, and is just Norton reporting how it is managing the traffic that it is monitoring.


SendOfJive wrote:

Hi brucegan,

 

These are both instances of devices on your Local Area Network using multicasting to communicate to any other device on the network that is listening.  Whether this traffic is allowed to enter your computer or not is controlled by the firewall through the Network Security Map.  If you have sharing enabled, this traffic would be allowed, as it makes it easier for devices to work together without the need for the user to make manual configuration changes.  If you do not share, then Norton blocks the traffic for a bit of additional safety.  What you are seeing is not suspicious, and is just Norton reporting how it is managing the traffic that it is monitoring.



Ok yes I see its coming from my laptop and sharing is not allowed. Why does this happen? What kind of information is the laptop sending or trying to do? Is there a certain software installed on the laptop that cause this etc?

These are just protocols that computers use to find and communicate with each other on a local network.  There is nothing inherently sinister about them.  Universal Plug n Play, if it is enabled, will periodically do a shout-out to announce the device's presence on the network to any other UPnP-enabled device.  It is very common and most UPnP discovery multicasts will come from UPnP-enabled routers on a home network.  Link-Local Multicast Name Resolution is a way for computers on a subnet to find each other's address and is not routable to the internet.  You can read about it here:

 

http://www.windowsnetworking.com/articles_tutorials/Overview-Link-Local-Multicast-Name-Resolution.html

Ok, I saw that Upnp is enabled in my router settings. Is this necessary? Would it be better if it was disabled?

There is a theoretical security advantage to having it disabled if you don't need it. If you do need it, you shouldn't worry, as an exploit is rather unlikely, and Norton would block it in either case.

Bambastus, ok, I dont know much about this but as I said in the first post:

 

"1 PC and 1 Laptop in the household

1 router connected to the PC. The Laptop use a WPA-key to access internet."

 

Do I need to have upnp enabled to make the above work?

Hi brucegan,

 

UPnP in the router allows programs on your UPnP-enabled computer to open ports in the router for internet communication.  This can save the user from having to make port forwarding configurations in the router manually for certain applications, such as games.  The slight security drawback that Bombastus mentioned is that if legitimate programs can do this, so can malware, and, unfortunately, UPnP does not alert the user that changes have been made to the router settings.  The reason this is only a minor issue is that if this situation occurs on your system, then you are already infected.  Also, Norton's firewall should detect the outbound traffic related to the malware and block it, while alerting you to the issue.  So yes, it is slightly safer to disable UPnP in the router, but it is not so important that you should do so if UPnP is providing some benefit to you.  You do not need UPnP enabled in the router for normal browsing or other internet activities - really it is mostly used for gaming or other specific types of programs.