I know there are other posts about NIS blocking UPnP (Universal Plug 'n Play) discovery, but they don't quite address the specific log entries I saw tonight.
I had 11 consecutive NIS 2010 firewall log entries, all with the same time stamp, that said:
Rule "Default block UPnP Discovery" blocked (<ip=static local ip of the OTHER pc on my wireless network>, Port ssdp (1900) ).
Inbound UDP packet.
Local address, service is (255.255.255.255, Port ssdp(1900) )
Remote address, service is (<ip=static local ip of the OTHER pc on my wireless network>, Port (4516) ).
Note that:
1. I already had the UPnP service disabled (both pc's).
2. I do NOT have file or printer sharing enabled at all on my network.
3. The port for the remote address actually varied between 4513, 4514, 4515 and 4516 in the various entries, in no particular order. I can find no information about these ports for UDP (for TCP they are apparently used by Microsoft Silverlight, which I do not have).
Any idea what was going on, and possible implications? What I find most curious is the reference to the static local ip of the other pc on my wireless network (198.x.x.x). I'm using Windows XP home, BTW. Thus far this appears to be an isolated incident, even though it happened 11 times within a 1-minute period, about four hours ago.
This is definitely a UPnP shoutout from something on your network. The port range you mentioned is not officially assigned, so anything could be using those ports on your network. Since it originated on your local network I would not be too concerned about it. You might want to install something like TCPView, which is a small free program from Microsoft, that will list the processes on your machine that are in the act of communicating or listening for traffic. It would show you exactly what is communicating on port 4513 (or whatever) at the time that port is in use.
There is a good explanation of Port 1900 and UPnP at GRC.com that includes the following:
When UPnP devices wish to announce themselves, or "shout out" to find out what other UPnP devices are hanging around on the network, they issue a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. This special "multicast" broadcast address has been set aside for UPnP devices and will be received by all of them listening on UDP port 1900.
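Added example, not part of the original thread and not Norton's code: a small parser for the log entry layout quoted in the first post. It groups blocked port-1900 packets by sender and reports whether each sender is on the local subnet, what destination it used, and whether its source ports fall in Windows XP's default dynamic range (1025-5000). The sample log, its addresses and the `192.168.1.0/24` subnet are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the entry layout quoted in the thread; addresses are made up.
SAMPLE_LOG = """\
Rule "Default block UPnP Discovery" blocked (192.168.1.20, Port ssdp (1900) ).
Inbound UDP packet.
Local address, service is (255.255.255.255, Port ssdp(1900) )
Remote address, service is (192.168.1.20, Port (4516) ).
Rule "Default block UPnP Discovery" blocked (192.168.1.20, Port ssdp (1900) ).
Inbound UDP packet.
Local address, service is (239.255.255.250, Port ssdp(1900) )
Remote address, service is (192.168.1.20, Port (4513) ).
Rule "Default block UPnP Discovery" blocked (203.0.113.9, Port ssdp (1900) ).
Inbound UDP packet.
Local address, service is (255.255.255.255, Port ssdp(1900) )
Remote address, service is (203.0.113.9, Port (53211) ).
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed home subnet
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
XP_DYNAMIC_PORTS = range(1025, 5001)  # Windows XP default dynamic source ports
ADDR_LINE = re.compile(
    r"(Local|Remote) address, service is \(([\d.]+), Port\s*\w*\s*\((\d+)\)")

def dest_kind(addr):
    """Name the kind of destination the blocked packet was sent to."""
    if addr == SSDP_GROUP:
        return "ssdp-multicast"
    return "limited-broadcast" if str(addr) == "255.255.255.255" else "other"

def summarize(log_text):
    """Group blocked port-1900 entries by sender address."""
    senders = defaultdict(lambda: {"count": 0, "src_ports": set(), "dest": set()})
    dest = None
    for line in log_text.splitlines():
        m = ADDR_LINE.match(line.strip())
        if not m:
            continue
        addr, port = ipaddress.ip_address(m.group(2)), int(m.group(3))
        if m.group(1) == "Local":      # destination half of the entry
            dest = dest_kind(addr)
        else:                          # "Remote" line closes the entry
            s = senders[str(addr)]
            s["count"] += 1
            s["src_ports"].add(port)
            s["dest"].add(dest)
            s["on_lan"] = addr in LOCAL_NET
            s["ports_dynamic"] = all(p in XP_DYNAMIC_PORTS for p in s["src_ports"])
    return dict(senders)
```

A sender with `on_lan` true and `ports_dynamic` true matches the pattern discussed in this thread: a local machine sending discovery traffic from ordinary client-side ports. A sender outside the local subnet is the case worth a closer look.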
Thanks for the ideas and suggestions, SendOfJive. It was actually a GRC writeup on UPnP that led me to disable that service several years ago, but I didn't recall the part you quoted. If it happens again I will try something like TCPView, as this still seems rather bizarre even if it's not terribly worrisome since it's on my own network.
Delphinium, in case you had some additional thoughts to pass along based on my responses: ZyXel X-550 NAT router, with NIS 2010 on both pc's.
I recently switched to a new router (Linksys WRT610N) and am seeing these same messages two, three, or even four times per minute in my NIS 2010 history. I guess they are not causing any problems except filling up the history list. I wonder if there is any way to turn it off in the router?
Edit -- Just to add some more info...this is only occurring on one of three machines on my home network -- the one running Vista Ultimate SP2. Two other machines running XP Pro SP3 do not show these entries in their NIS 2010 history lists.
The WRT610N uses UPnP for two functions: automatic router configuration and as a media server if you have a usb storage device connected. The first can be disabled in the Administrator > Management settings and the latter can be turned off under Storage > Media Server. Disabling both of these (assuming you are not using the router in its media server capacity) should quiet things down for you.
Since this thread was revived I thought I’d mention that in the three weeks since I originally posted I’ve had no more of the UPnP Discovery Blocked messages. So in my particular situation it seems to have been one of those fluky, probably-insignificant one-time events.
SendOfJive – Thanks for pointing me in the right direction – turning off UPnP configuration in Administrator > Management seems to have solved the issue. I did not have any media storage connected so UPnP was already turned off there. Strange that my previous router (WRT54GL) also allowed configuration through UPnP but I never saw these constant messages on my network – the WRT610N must have changed something in the way they handle UPnP. Anyway, it is good to know what was causing the messages. Thanks for the help.
You're welcome. It's always a good idea to turn off UPnP in your router as the feature allows any program on your PC to change port settings without notifying you. While this lets games and the like set your router so they work properly without you having to lift a finger, it also would allow anything malicious that happened to get onto your system to open ports behind your back.
Message Edited by SendOfJive on 12-21-2009 02:00 PM