-
October 14th, 2004, 07:40 PM
#1
outbound multicasts
I have some XP Pro machines on my network that are giving me this:
Permitted: Out protocol [2], localhost->igmp.mcast.net [224.0.0.22], Owner: Tcpip Kernel Driver
Permitted: Out UDP, localhost:1090->239.255.255.250:1900, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
On searching around for some info on it, I've come across a broad spectrum of answers:
http://cert.uni-stuttgart.de/archive.../msg00068.html
This person seems to attribute it to Microsoft calling home, but this:
igmp broadcast to IGMP.MCAST.NET [x.x.x.x -> 224.0.0.22] (ttl = 1)
won't make it past a router.
I was wondering if anyone here could shed some light on it. It doesn't seem to be anything to be concerned with, but I'd like to understand what's going on.
I know I could change to 'deny', but the purpose of these firewalls is just to send messages to a syslogd for my viewing pleasure and not control traffic in any way.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
October 14th, 2004, 08:31 PM
#2
Hi
As for 224.0.0.22
Due to [1], as you already stated: 224.0.0.22 IGMP. So, what
you see is a request of some program to create, join or leave
a host group - probably.
"IGMP is used by IP hosts to register their dynamic multicast
group membership. It is also used by connected routers to discover
these group members."[2]. And what for?
Multicasting is good if all clients of that host group want the
identical data simultaneously, e.g. distributed updates/patching,
streams (audio, video) etc.
Remark: Via internet it's not very practical, since every router or
switch between receiver and sender must be multicast-enabled.
So it's (usually?) not routed outside (TTL 1). The corresponding RFC is 988[3]
(IP Multicasting) and 2236[4] (IGMP).
As for 239.255.255.250.
"The administratively scoped IPv4 multicast address space is defined
to be the range 239.0.0.0 to 239.255.255.255", see technical details
in [5]. Well, ...
In XP, Universal Plug and Play devices are looked for by the
SSDP discovery service using 239.255.255.250:1900.
If some device answers, the so-called control
point (your service) learns about the device capabilities, like
its address, and discovers the device itself (get URL for description), ...
Although I am not sure about all the points I have written, I think
it gives you an idea.
[1] http://www.iana.org/assignments/multicast-addresses
[2] http://www.networksorcery.com/enp/protocol/igmp.htm
[3] http://rfc.net/rfc988.html
[4] http://rfc.net/rfc2236.html
[5] http://rfc.net/rfc2365.html
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
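An added illustration, not part of any post in this thread: a small Python triage for firewall log lines in the format quoted in post #1, sorting each destination into the multicast ranges discussed in post #2 and listing multicast destinations the thread does not explain. The last two sample lines, the function names and the service labels are constructed for this example.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # routers do not forward these
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365 range from post #2
KNOWN = {  # (destination, port or None) -> how the thread identifies it
    ("224.0.0.22", None): "IGMP group membership",
    ("239.255.255.250", 1900): "SSDP / UPnP discovery",
}
LINE_RE = re.compile(
    r"^(?P<action>\w+): (?P<dir>In|Out) (?P<proto>protocol \[\d+\]|\w+), "
    r".*?->(?:\S+ \[)?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\]?(?::(?P<port>\d+))?"
    r", Owner: (?P<owner>.+)$")
# First two lines are quoted in post #1; the last two are constructed.
SAMPLE_LOG = [
    "Permitted: Out protocol [2], localhost->igmp.mcast.net [224.0.0.22], Owner: Tcpip Kernel Driver",
    r"Permitted: Out UDP, localhost:1090->239.255.255.250:1900, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
    r"Permitted: Out UDP, localhost:1091->203.0.113.7:53, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
    r"Permitted: Out UDP, localhost:1092->224.0.1.1:123, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
]

def classify(line):
    """Return destination, scope, service and owner for one log line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # e.g. an octet above 255
        return None
    port = int(m["port"]) if m["port"] else None
    if dst in LINK_LOCAL:
        scope = "link-local multicast"
    elif dst in ADMIN_SCOPED:
        scope = "administratively scoped multicast"
    elif dst.is_multicast:
        scope = "other multicast"
    else:
        scope = "unicast"
    return {"dst": str(dst), "port": port, "scope": scope, "owner": m["owner"],
            "service": KNOWN.get((str(dst), port), "unidentified")}

def unexplained(lines):
    """Lines whose destination is multicast but not one of the KNOWN services."""
    hits = [(classify(line), line) for line in lines]
    return [line for c, line in hits
            if c and c["scope"] != "unicast" and c["service"] == "unidentified"]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```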
-
October 18th, 2004, 10:09 AM
#3
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 18th, 2004, 02:31 PM
#4
You should be safe if you disallow multicast traffic from your network to the internet (but that's almost natural behavior of multicast traffic, given the low TTL values), and vice versa. While on it, disallow traffic from private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from anywhere but your own network. You could also disallow 127.0.0.0/8 from anywhere but the local loopback interface.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.