Security Incidents mailing list archives

Re: SSDP?


From: John Sage <jsage () finchhaven com>
Date: Thu, 11 Oct 2001 13:55:59 -0700

John:

See:

http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt

Excerpts:

<snip>

"Goland et al.                                                 [Page 3] 
INTERNET-DRAFT                 SSDP/V1               October 28, 1999


   A mechanism is needed to allow HTTP clients and HTTP resources to
   discover each other in local area networks. That is, a HTTP client
   may need a particular service that may be provided by one or more
   HTTP resources. The client needs a mechanism to find out which HTTP
   resources provide the service the client desires.

   For the purposes of this specification the previously mentioned HTTP
   client will be referred to as a SSDP client. The previous mentioned
   HTTP resource will be referred to as a SSDP service.

   In the simplest case this discovery mechanism needs to work without
   any configuration, management or administration. For example, if a
   user sets up a home network or a small company sets up a local area
   network they must not be required to configure SSDP before SSDP can
   be used to help them discover SSDP services in the form of Printers,
   Scanners, Fax Machines, etc.

<snip>

2.2.1.    Message Flow on the SSDP Multicast Channel

   The following is an overview of the messages used to implement SSDP.

   SSDP clients discover SSDP services using the reserved local
   administrative scope multicast address 239.255.255.250 over the SSDP
   port [NOT YET ALLOCATED BY IANA].

   For brevity's sake the SSDP reserved local administrative scope
   multicast address and port will be referred to as the SSDP multicast
   channel/Port.

   Discovery occurs when a SSDP client multicasts a HTTP UDP discovery
   request to the SSDP multicast channel/Port. SSDP services listen to
   the SSDP multicast channel/Port in order to hear such discovery
   requests. If a SSDP service hears a HTTP UDP discovery request that
   matches the service it offers then it will respond using a unicast
   HTTP UDP response.

   SSDP services may send HTTP UDP notification announcements to the
   SSDP multicast channel/port to announce their presence.

   Hence two types of SSDP requests will be sent across the SSDP
   multicast channel/port. The first are discovery requests, a SSDP
   client looking for SSDP services. The second are presence
   announcements, a SSDP service announcing its presence..."

<snip>



- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."



john.smith () minolta-qms com wrote:

All,

        Is the following the footprint of a trojan or virus?  Does anyone have any pointers to SSDP?

        Thanks everyone.

John

10/10-08:24:10.486051 xxx.xxx.xxx.xxx:4612 -> xxx.xxx.xxx.xxx:1900
UDP TTL:1 TOS:0x0 ID:26196 IpLen:20 DgmLen:118
Len: 98
4D 2D 53 45 41 52 43 48 20 2A 20 48 54 54 50 2F  M-SEARCH * HTTP/
31 2E 31 0D 0A 48 6F 73 74 3A 32 33 39 2E 32 35  1.1..Host:239.25
35 2E 32 35 35 2E 32 35 30 0D 0A 53 54 3A 75 70  5.255.250..ST:up
6E 70 3A 72 6F 6F 74 64 65 76 69 63 65 0D 0A 4D  np:rootdevice..M
61 6E 3A 73 73 64 70 3A 64 69 73 63 6F 76 65 72  an:ssdp:discover
0D 0A 4D 58 3A 33 0D 0A 0D 0A                    ..MX:3....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


<snip>
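
Added example, not part of the original thread: a short Python check that rebuilds the payload from the Snort dump quoted above and compares it with the discovery request the draft describes (a request to the multicast address 239.255.255.250). The function names are hypothetical, the expected method and `Man` value are taken from the capture itself, and the length check assumes the standard 8-byte UDP header.

```python
import re
# The packet from the question, copied from the Snort output quoted above.
SNORT_DUMP = """\
10/10-08:24:10.486051 xxx.xxx.xxx.xxx:4612 -> xxx.xxx.xxx.xxx:1900
UDP TTL:1 TOS:0x0 ID:26196 IpLen:20 DgmLen:118
Len: 98
4D 2D 53 45 41 52 43 48 20 2A 20 48 54 54 50 2F  M-SEARCH * HTTP/
31 2E 31 0D 0A 48 6F 73 74 3A 32 33 39 2E 32 35  1.1..Host:239.25
35 2E 32 35 35 2E 32 35 30 0D 0A 53 54 3A 75 70  5.255.250..ST:up
6E 70 3A 72 6F 6F 74 64 65 76 69 63 65 0D 0A 4D  np:rootdevice..M
61 6E 3A 73 73 64 70 3A 64 69 73 63 6F 76 65 72  an:ssdp:discover
0D 0A 4D 58 3A 33 0D 0A 0D 0A                    ..MX:3....
"""
SSDP_GROUP = "239.255.255.250"  # multicast address given in the draft excerpt

def payload_bytes(dump):
    """Rebuild the UDP payload from the hex column of a Snort dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"(?:[0-9A-F]{2} ){1,16}", line)  # up to 16 bytes per row
        if m:
            out += bytes.fromhex(m.group(0))
    return bytes(out)

def parse_request(payload):
    """Split an HTTP-over-UDP request into (method, headers)."""
    head = payload.decode("ascii", "replace").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")  # values such as ST contain ':' too
        headers[name.strip().upper()] = value.strip()
    return request_line.split(" ")[0], headers

def triage(dump):
    """List what does not fit an SSDP discovery request; [] means it fits."""
    meta = {k: int(v) for k, v in re.findall(r"(IpLen|DgmLen):(\d+)", dump)}
    payload = payload_bytes(dump)
    method, hdr = parse_request(payload)
    issues = []
    if meta["DgmLen"] - meta["IpLen"] - 8 != len(payload):  # 8 = UDP header
        issues.append("payload length disagrees with IpLen/DgmLen")
    if method != "M-SEARCH":
        issues.append("method is %r, not M-SEARCH" % method)
    if hdr.get("HOST", "").split(":")[0] != SSDP_GROUP:
        issues.append("Host is not the SSDP multicast group")
    if hdr.get("MAN", "").strip('"') != "ssdp:discover":
        issues.append("Man header is not ssdp:discover")
    return issues
```

For the quoted packet `triage(SNORT_DUMP)` returns an empty list: the 90 payload bytes account for the whole datagram and contain nothing beyond the discovery request headers.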

