The Simple Service Discovery Protocol (SSDP) provides a mechanism whereby network clients, with little or no static configuration, can discover network services. SSDP accomplishes this by providing for multicast discovery support as well as server-based notification and discovery routing.
UPnP is a protocol that allows network devices to broadcast self-describing messages for peer-to-peer integration into a network. Two vulnerabilities are present in UPnP. A buffer overflow exists in the Windows XP implementation of the Simple Service Discovery Protocol (SSDP) component of UPnP. Another, more generic Distributed Denial of Service (DDoS) or Denial of Service (DoS) risk exists within SSDP as well and affects multiple versions of the operating system.
A remotely exploitable buffer overflow exists in the UPnP service of Windows XP. A malicious user can transmit a malformed NOTIFY request to a vulnerable machine and overflow an unchecked buffer in the UPnP service. This service runs in the SYSTEM context under Windows XP, so a successful overflow can result in a full system compromise, allowing the attacker to gain control of the affected machine.
A condition also exists in the implementation of SSDP that could lead to a DoS or DDoS attack by transmitting a malformed NOTIFY directive to a targeted machine or group of machines. The targets can be forced to endlessly transmit HTTP requests to a final target.
Internet firewalls should be configured to block ports 1900 and 5000.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true. LRH
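The two NOTIFY problems described above both come down to a listener trusting an unsolicited UDP datagram. The following Python is an added example written for this thread, not code from the post or from Microsoft's UPnP service: it parses an SSDP NOTIFY (HTTP-style text carried over UDP to the multicast group 239.255.255.250:1900) and flags the two things a defender would want caught: a LOCATION URL that names a host other than the announcing device (every listener that fetches the description URL would then hammer that third party, which is the DoS/DDoS case), and header values far longer than a well-formed announcement needs. The post does not say which header the Windows XP overflow abuses, so the length check is a generic malformed-input heuristic with an assumed cap of 256 bytes. The addresses 192.168.1.10 and 203.0.113.5 and the sample datagrams are constructed for the example, not captured traffic.

```python
"""Validate SSDP NOTIFY datagrams (added example, not from the original post)."""
from urllib.parse import urlsplit

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900
# Heuristic cap on a header value; an assumption for this check, not a figure
# taken from the advisory.
MAX_HEADER_LEN = 256
REQUIRED = ("HOST", "NT", "NTS", "USN")


def parse_ssdp(datagram: bytes):
    """Split an SSDP datagram into its start line and a dict of upper-cased headers."""
    text = datagram.decode("latin-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def check_notify(datagram: bytes, src_ip: str):
    """Return a list of findings for a NOTIFY from src_ip; empty means it looks sane."""
    findings = []
    try:
        start, headers = parse_ssdp(datagram)
    except ValueError as exc:
        return [str(exc)]
    if start.upper() != "NOTIFY * HTTP/1.1":
        return [f"not a NOTIFY request: {start!r}"]
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing required header {name}")
    if headers.get("HOST", "").split(":")[0] != SSDP_MCAST:
        findings.append(f"HOST is not the SSDP multicast group: {headers.get('HOST')!r}")
    if headers.get("NTS") not in ("ssdp:alive", "ssdp:byebye"):
        findings.append(f"unexpected NTS value: {headers.get('NTS')!r}")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized {name} header ({len(value)} bytes)")
    loc = headers.get("LOCATION")
    if loc:
        # A device announces its own description URL; a LOCATION on some other
        # host turns every listener into a client of that host.
        host = urlsplit(loc).hostname
        if host is None:
            findings.append(f"LOCATION has no host: {loc!r}")
        elif host != src_ip:
            findings.append(f"LOCATION points at {host}, not the announcing host {src_ip}")
    return findings


# Constructed sample datagrams (not captured traffic).
GOOD_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.10:5000/upnp/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: OS/1.0 UPnP/1.0 product/1.0\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)

# Same announcement with LOCATION aimed at an unrelated host (the DoS case).
REFLECTED_NOTIFY = GOOD_NOTIFY.replace(
    b"http://192.168.1.10:5000/", b"http://203.0.113.5/")

# Same announcement with a 1024-byte NT value (generic oversized-header case).
OVERSIZED_NOTIFY = GOOD_NOTIFY.replace(
    b"NT: upnp:rootdevice", b"NT: " + b"A" * 1024)


if __name__ == "__main__":
    for label, msg in (("good", GOOD_NOTIFY), ("reflected", REFLECTED_NOTIFY),
                       ("oversized", OVERSIZED_NOTIFY)):
        print(label, check_notify(msg, "192.168.1.10") or "ok")
```

Because SSDP is addressed to the multicast group 239.255.255.250 on UDP 1900, a host that has the discovery service enabled will itself emit UDP 1900 traffic to that address; a firewall rule that blocks 1900 and 5000 in both directions, as the post recommends for Internet-facing firewalls, will log those outbound datagrams as well as inbound ones.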
Thank you for the info! It was VERY informative. I have created a block-all-communication rule for UDP/TCP ports 1900 and 5000. I don't know if it is an attack or what. The connections have been blocked so far by my Block UPnP rule in my firewall (I don't have UPnP installed anyway, but you know). The connections come in 10-group bursts every three seconds for three attempts, then it waits for about 14 minutes, then tries again with that same exact timing. It's weird. The MOST weird thing is that it somehow is finding my computer through my router. You would think that it wouldn't be able to do that through NAT? Unless Windows XP is somehow forwarding that port to my computer? I don't know. I don't have any active connections to anywhere, just internal stuff not connected to the Internet. I don't know. Think it's a DoS attack??
[EDIT] OK, just as I was sending this, I looked at my log again, and my new rule seemed to have worked; HOWEVER, this time it was blocking OUTBOUND UDP 1900 packets?!?! My "Default Block UPnP" rule that came with the firewall was only for INBOUND connections, which it was blocking. That explains why it was getting through my router. I just want to know why it's sending it, and by what? I did a trojan scan and there isn't anything on my computer. Antivirus came up negative; there shouldn't be anything on my computer. Any ideas???[/EDIT]