RE: MSN Messenger and UDP 1900

From: Dustin Miller (dustinat_private)
Date: Wed Feb 06 2002 - 08:21:33 PST

Next message: Thierry Zoller: "Re: Intel.com Mailing List Arbitrary Address Removal Link"

Previous message: Francisco Sáa Muñoz: "cachemgr.cgi (2.3STABLE4) (and 2)"
In reply to: Louie Martinez: "MSN Messenger and UDP 1900"
Next in thread: Valdis.Kletnieksat_private: "Re: MSN Messenger and UDP 1900"
Reply: Valdis.Kletnieksat_private: "Re: MSN Messenger and UDP 1900"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

MSN Messenger communicates using UPNP to try to auto-detect any
UPNP-compliant firewalls/routers you may have.  Ostensibly, NAT/Firewall
devices that support UPNP will allow file transfers, voice and audio
communications so MSN Messenger polls for them to autoconfigure itself
and the NAT/Firewall device to support these transfer types.

Dustin Miller, President
FuseWerx LTD
http://www.fusewerx.com/


-----Original Message-----
From: Louie Martinez [mailto:louieat_private] 
Sent: Tuesday, February 05, 2002 8:15 PM
To: bugtraqat_private
Subject: MSN Messenger and UDP 1900

I had noticed I had been getting these curious entries in my logfile on
my 
linux box which is set up as a firewall. (I use Shorewall to manage
IPTables)

Feb  5 17:37:07 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= 
MAC=00:a0:cc:3f:64:00:00:e0:7d:b8:78:72:08:00 SRC=192.
168.1.18 DST=192.168.1.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=1638 
PROTO=UDP SPT=1148 DPT=1900 LEN=140
Feb  5 17:42:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= 
MAC=00:a0:cc:3f:64:00:00:02:e3:11:b7:cc:08:00 SRC=192.
168.1.4 DST=192.168.1.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=5080 
PROTO=UDP SPT=1211 DPT=1900 LEN=140

These happen to be Windows XP machines. The curious part is that I have 
properly disabled UPnP and SSDP Discovery on both system.

With some investigating I managed to view the payload of the mysterious
UDP 
packet.

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 3
ST: urn:schemas-upnp-org:service:WANIPConnection:1

Anyway after even further investigation it seems that these mysterious 
packets are only sent if MSN messenger is launched. You don't even have
to 
be logged into your MSN Messenger account. As long as it's sitting in
your 
system tray, these packets seem to be sent every 10 to 15 seconds on 
machines with active MSN accounts and every 5 minutes or so on machines 
that haven't set up an MSN Messenger acount but still leave it sitting
in 
the system tray.

If anyone else can confirm this or know why MSN wants to talk like a
UPnP 
device, I'd be appreciative to hear from you.

Next message: Thierry Zoller: "Re: Intel.com Mailing List Arbitrary Address Removal Link"
Previous message: Francisco Sáa Muñoz: "cachemgr.cgi (2.3STABLE4) (and 2)"
In reply to: Louie Martinez: "MSN Messenger and UDP 1900"
Next in thread: Valdis.Kletnieksat_private: "Re: MSN Messenger and UDP 1900"
Reply: Valdis.Kletnieksat_private: "Re: MSN Messenger and UDP 1900"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 22:15:37 PST