Damn Bill Gates! or: Universal Plug and Play Obnoxiousness

I’ve been all nervous for the past several hours because I thought I had a Trojan horse that was busy offloading the contents of my computer to Kazaa or somesuch. It turns out that the recent firmware upgrade I did to my D-Link DI-624 wireless router gave it Plug and Play (UPnP) capability. It seems that someone thought it would be a good idea if every device on a network made a shout out to its homies every 20 friggin seconds. I was watching my network idiot-light and got really nervous seeing this regular, low-key traffic. Here’s what I found out about it:

  • D-Link made an announcement that they are working with Microsoft on making UPnP happen.
  • It looks like explorer.exe on my side is what answers the call from the router EVEN IF I HAVEN’T ENABLED UPnP ON MY XP BOX.
  • You can theoretically disable or enable UPnP at Control Panel | Add/Remove Programs | Add/Remove Windows Components | Networking Services | Universal Plug and Play. But it LIES. When disabled, your machine still responds (or broadcasts… I’m not sure which b/c the sniffer software I got doesn’t seem to log all outgoing packets (NetworkActiv PIAFCTM 1.5)).
  • One of the 10 or so packets in the bunch looks like this:

from:192.168.0.1 (router) to: 239.255.255.250, from port 1900 to port 1900, format:UDP:

HOST:239.255.255.250:1900
CACHE-CONTROL:max-age=120
LOCATION:http://192.168.0.1:5678/igd.xml
NT:upnp:rootdevice
NTS:ssdp:alive
SERVER:Embedded UPnP/1.0
USN:uuid:upnp-InternetGatewayDevice-1_0-12345678900001::upnp:rootdevice

  • The packets travel on port 1900. They are broadcast to IP address 239.255.255.250, which is intended to be a local broadcast.
  • When enabled, my router shows up as a device in My Network Places. Big woop, the router told the client its IP address and what kind of box it is… That’s all.

  • I disabled “SSDP Discovery Service” and “Universal Plug and Play Device Host”. It didn’t stop the network traffic but made me feel better.
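
To check whether periodic port-1900 traffic like the packet quoted above is an ordinary UPnP announcement, this added example (not part of the original post) parses the SSDP headers and lists anything that looks out of place. The function names and the specific checks are assumptions chosen for illustration, and the sample payload is constructed from the header lines quoted above.

```python
from urllib.parse import urlparse

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

# Constructed sample: the header lines quoted in the post, joined with CRLF.
SAMPLE = (
    "HOST:239.255.255.250:1900\r\n"
    "CACHE-CONTROL:max-age=120\r\n"
    "LOCATION:http://192.168.0.1:5678/igd.xml\r\n"
    "NT:upnp:rootdevice\r\n"
    "NTS:ssdp:alive\r\n"
    "SERVER:Embedded UPnP/1.0\r\n"
    "USN:uuid:upnp-InternetGatewayDevice-1_0-12345678900001::upnp:rootdevice\r\n"
    "\r\n"
).encode()


def parse_ssdp(payload: bytes) -> dict:
    """Return the SSDP headers as a dict with upper-cased names."""
    headers = {}
    for line in payload.decode("ascii", "replace").splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            headers[name.strip().upper()] = value.strip()
    return headers


def triage(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return a list of findings; an empty list means a routine announcement."""
    findings = []
    h = parse_ssdp(payload)
    if (dst_ip, dst_port) != (SSDP_GROUP, SSDP_PORT):
        findings.append("not sent to the SSDP group 239.255.255.250:1900")
    if h.get("NTS") not in ("ssdp:alive", "ssdp:byebye", "ssdp:update"):
        findings.append("NTS is not a known SSDP notification type")
    # Heuristic (assumption): an ssdp:alive normally points LOCATION at the
    # announcing device itself, so a different host deserves a second look.
    loc = urlparse(h.get("LOCATION", ""))
    if h.get("NTS") == "ssdp:alive" and loc.hostname != src_ip:
        findings.append("LOCATION host differs from the sending address")
    if loc.scheme and loc.scheme != "http":
        findings.append("LOCATION is not an http URL")
    return findings


if __name__ == "__main__":
    print(triage("192.168.0.1", SSDP_GROUP, SSDP_PORT, SAMPLE) or "routine SSDP announcement")
```
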

I found the most useful info about this at these sites:
http://www.pcplus.co.uk/media/pcplus/pdf/181/181.helpdesk.pdf
http://grc.com/
