I noticed while reviewing my network traffic in Wireshark (analyzing packet headers studying for GIAC) I discovered my computer was connecting to a Microsoft domain with "ncsi" in it. Looked it up and is for a service called Network Connectivity Status Indicator. It pings Microsoft every so often to figure out if you are connected to the Internet or not. That's annoying useless traffic if you ask me, plus it's like big brother is watching. I figured out how to turn it off here:
http://www.itgeared.com/articles/1074-how-to-mange-network-connectivity/
It worked fine in Windows 7. In Windows 8 you get this screen that makes it look like it's not working when really it is - you connect to the Internet just fine but Microsoft reports that your wireless connection has "limited" connectivity.
When I turned this feature off it seems like my connection is faster. Not sure if just imagining. Didn't actually measure but really noticing a difference.
I also noticed this traffic was again on Edgecast CDN. As noted on Twitter (@teriradichel), Edgecast is a CDN therefore should be directing me to the nearest point to get the content which seems to be a point in Washington or Oregon. Instead they were sending HTTP traffic from my machine to Europe. That happened yesterday - didn't see that traffic today.
Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Monday, May 26, 2014
Sunday, May 25, 2014
UPnP - SSDP Protocol
Doing some protocol analysis for a security test and noticed a lot of SSDP traffic in Wireshark. Wondering what it was and the security implications so did some research.
This protocol is used for UPnP (universal plug n play) which allows you to easily connect devices on your network. In theory. It is an HTTP like protocol which works with NOTIFY and M-SEARCH methods and has destination multicast IP address 239.255.255.250.
It may be a good thing - helping you connect to your printer, TV, etc.
Unfortunately it also has a long history of security flaws and can be used to carry out DoS attacks. Some research below.
What it is:
http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
Disable in Windows 7
http://en.kioskea.net/faq/20880-windows-7-disable-the-ssdp-discovery-service
US-CERT, National Vulnerability Database and Cisco report in January 2014 UDP-based amplification attacks may use SSDP as one of the protocols that facilitates Distributed Reflective Denial of Service (DRDoS) attacks:
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://tools.cisco.com/security/center/viewAlert.x?alertId=28002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5963
Denial of Service attack noted by FortiGuard:
http://www.fortiguard.com/encyclopedia/vulnerability/#id=38022
In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:
http://www.csoonline.com/article/2155342/data-protection/home-routers-broken-windows-to-the-world.html
Whitepaper from January 2013 discussing UPnP security flaws:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Another article on exposed devices from February 2014:
http://www.klocwork.com/blog/embedded-software/universal-plug-and-play-vulnerabilities-leave-millions-of-devices-exposed/
ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing SOAP API that can allow access behind firewalls:
http://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465
A SANS report in 2002 discusses some UPnP flaws when it was released by Microsoft:
http://www.sans.org/security-resources/malwarefaq/win_upnp.php
Not completely disabled due to Windows Messenger Issue:
http://support.microsoft.com/kb/317843
Code - connecting to devices using SSPD
http://lewisbenge.azurewebsites.net/2012/11/13/device-discovery-ssdp-in-windows-8-and-winrt/
This protocol is used for UPnP (universal plug n play) which allows you to easily connect devices on your network. In theory. It is an HTTP like protocol which works with NOTIFY and M-SEARCH methods and has destination multicast IP address 239.255.255.250.
It may be a good thing - helping you connect to your printer, TV, etc.
Unfortunately it also has a long history of security flaws and can be used to carry out DoS attacks. Some research below.
What it is:
http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
Disable in Windows 7
http://en.kioskea.net/faq/20880-windows-7-disable-the-ssdp-discovery-service
US-CERT, National Vulnerability Database and Cisco report in January 2014 UDP-based amplification attacks may use SSDP as one of the protocols that facilitates Distributed Reflective Denial of Service (DRDoS) attacks:
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://tools.cisco.com/security/center/viewAlert.x?alertId=28002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5963
Denial of Service attack noted by FortiGuard:
http://www.fortiguard.com/encyclopedia/vulnerability/#id=38022
In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:
http://www.csoonline.com/article/2155342/data-protection/home-routers-broken-windows-to-the-world.html
Whitepaper from January 2013 discussing UPnP security flaws:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Another article on exposed devices from February 2014:
http://www.klocwork.com/blog/embedded-software/universal-plug-and-play-vulnerabilities-leave-millions-of-devices-exposed/
ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing SOAP API that can allow access behind firewalls:
http://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465
A SANS report in 2002 discusses some UPnP flaws when it was released by Microsoft:
http://www.sans.org/security-resources/malwarefaq/win_upnp.php
Not completely disabled due to Windows Messenger Issue:
http://support.microsoft.com/kb/317843
Code - connecting to devices using SSPD
http://lewisbenge.azurewebsites.net/2012/11/13/device-discovery-ssdp-in-windows-8-and-winrt/
Subscribe to:
Posts (Atom)