1 5127fd58 2021-12-17 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 5127fd58 2021-12-17 jrmu agent=Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
3 5127fd58 2021-12-17 jrmu author=mkf
4 5127fd58 2021-12-17 jrmu charset=UTF-8
5 5127fd58 2021-12-17 jrmu csum=
6 5127fd58 2021-12-17 jrmu ctime=1608087239
7 5127fd58 2021-12-17 jrmu host=80.191.34.206
8 5127fd58 2021-12-17 jrmu name=Openbsd.SSDP
9 5127fd58 2021-12-17 jrmu rev=7
10 5127fd58 2021-12-17 jrmu targets=Openbsd.Tcpdump,Openbsd.Buyvm,Openbsd.Pf,Openbsd.Ddos
11 5127fd58 2021-12-17 jrmu text=(:title SSDP Attacks:)%0a%0a!! SSDP Attacks%0a%0aMany devices today use Universal Plug and Play (UPnP) in order to communicate. They use the Simple Service Discovery Protocol (SSDP) to tell other devices that they exist on the network. For example, a UPnP printer would broadcast all services it has to offer to all devices on the network. Attackers can spoof traffic to take advantage of these plug-and-play devices in an amplification attack. The attackers message these UPnP devices using your IP address, and the devices reply with a message that is much larger than the original message. This amplifies the attack and floods your server with useless SSDP packets.%0a%0a!! Sample Pcap%0a%0aFollow the [[openbsd/tcpdump|tcpdump]] guide to record a pcap during an attack to analyze it.%0a%0a[@%0a16:47:17.409684 192.168.0.1 > 198.251.81.119: icmp: 192.168.0.2 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 55, id 51372, len 146)%0aE.......7....8LH..Qw........E..v......!...Qw.8LH...l.b..M-SEARCH * HTTP/1.1%0aHost:239.255.255.250:1900%0aST:ssdp:all%0aMan:"ssdp:discover"%0aMX:3%0a@]%0a%0aIn the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.%0a%0aHere are some other packets:%0a%0a[@%0a16:47:17.411700 192.168.0.1 > 198.251.81.119: icmp: 172.16.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 60583, len 56)%0aE..8....5..o.. 
n...l.b..%0a16:47:17.411751 192.168.0.1 > 198.251.81.119: icmp: 10.0.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 54, id 58810, len 56)%0aE..8....6.....3...Qw..'.....E..v*.........Qw..3....l.b..%0a16:47:17.411888 192.168.0.1.46465 > 198.251.81.119.16546: [udp sum ok] udp 498 (DF) (ttl 58, id 0, len 526)%0aE.....@.:..|H.....Qw..@.....HTTP/1.1 200 OK%0aCACHE-CONTROL: max-age=1800%0aDATE: Sat, 25 Jul 2020 00:47:17 GMT%0aEXT:%0aLOCATION: http://192.168.1.1:49152/IGDdevicedesc.xml%0aOPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01%0a01-NLS: d78a3592-1dd1-11b2-ae53-a94a2ae2af72%0aSERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.17%0aX-User-Agent: redsonic%0aST: urn:schemas-upnp-org:service:LANHostConfigManagement:1%0aUSN: uuid:ebf5a0a0-1dd1-11b2-a93f-94103e83c76b::urn:schemas-upnp-org:service:LANHostConfigManagement:1%0a@]%0a%0aThis packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...%0a%0a!! How to Block%0a%0aFirst, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%0aUsing the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%0a[@%0aext_ip="192.168.0.1"%0ablock drop quick proto udp from any to $ext_ip port 1900%0a@]%0a%0aA better solution is to block all udp packets except for a few ports that you whitelist:%0a%0a[@%0aext_ip="192.168.0.1"%0apass in quick proto udp to $ext_ip port {domain ntp}%0ablock drop quick proto udp to $ext_ip%0a@]%0a%0aThis would whitelist DNS and NTP packets but drop all other UDP packets.%0a%0a!! See Also%0a%0a[[openbsd/Ddos|DDoS Defense]]
12 5127fd58 2021-12-17 jrmu time=1622269081
13 5127fd58 2021-12-17 jrmu title=SSDP Attacks
14 5127fd58 2021-12-17 jrmu author:1622269081=mkf
15 5127fd58 2021-12-17 jrmu diff:1622269081:1608288048:minor=47c47%0a%3c First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are on [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a---%0a> First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a
16 5127fd58 2021-12-17 jrmu host:1622269081=80.191.34.206
17 5127fd58 2021-12-17 jrmu author:1608288048=jrmu
18 5127fd58 2021-12-17 jrmu diff:1608288048:1608112680:=61c61%0a%3c block drop quick proto udp to $ext_ip%0a---%0a> block drop quick proto udp to $ext_ip port 1900%0a
19 5127fd58 2021-12-17 jrmu host:1608288048=198.251.81.119
20 5127fd58 2021-12-17 jrmu author:1608112680=jrmu
21 5127fd58 2021-12-17 jrmu diff:1608112680:1608095837:=64,68c64%0a%3c This would whitelist DNS and NTP packets but drop all other UDP packets.%0a%3c %0a%3c !! See Also%0a%3c %0a%3c [[openbsd/Ddos|DDoS Defense]]%0a\ No newline at end of file%0a---%0a> This would whitelist DNS and NTP packets but drop all other UDP packets.%0a\ No newline at end of file%0a
22 5127fd58 2021-12-17 jrmu host:1608112680=198.251.81.119
23 5127fd58 2021-12-17 jrmu author:1608095837=jrmu
24 5127fd58 2021-12-17 jrmu diff:1608095837:1608088679:=54,64c54%0a%3c @]%0a%3c %0a%3c A better solution is to block all udp packets except for a few ports that you whitelist:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c pass in quick proto udp to $ext_ip port {domain ntp}%0a%3c block drop quick proto udp to $ext_ip port 1900%0a%3c @]%0a%3c %0a%3c This would whitelist DNS and NTP packets but drop all other UDP packets.%0a\ No newline at end of file%0a---%0a> @]%0a\ No newline at end of file%0a
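Review bot: the last rule of the added whitelist block, `block drop quick proto udp to $ext_ip port 1900`, still matches only port 1900, so it does not do what the sentence right after it says ("drop all other UDP packets"). UDP to any port other than domain, ntp and 1900 falls through to whatever rules come later in pf.conf. Drop the `port 1900` qualifier so the rule reads `block drop quick proto udp to $ext_ip`, and keep the `pass in quick` line above it so DNS and NTP are matched first.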
25 5127fd58 2021-12-17 jrmu host:1608095837=198.251.81.119
26 5127fd58 2021-12-17 jrmu author:1608088679=jrmu
28 5127fd58 2021-12-17 jrmu host:1608088679=198.251.81.119
29 5127fd58 2021-12-17 jrmu author:1608087396=jrmu
%0a%3c 16:47:17.411064 119.104.193.235 > 198.251.81.119: icmp: 119.104.193.235 udp port 1900 unreachable [icmp cksum ok] (ttl 116, id 643, len 146)%0a%3c E.......t..!wh....Qw........E..vF.....4...Qwwh.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411133 101.108.127.208 > 198.251.81.119: icmp: 101.108.127.208 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 25642, len 146)%0a%3c E...d*..5.".el....Qw..lE....E..v.4........Qwel.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411140 5.103.26.62 > 198.251.81.119: icmp: 5.103.26.62 udp port 1900 unreachable [icmp cksum ok] (ttl 51, id 46197, len 146)%0a%3c E....u..3....g.>..Qw..gP....E..v..........Qw.g.>...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411280 101.109.161.191 > 198.251.81.119: icmp: 101.109.161.191 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 54, id 1901, len 146)%0a%3c E....m..6.\.em....Qw..lE....E..v.n.....h..Qwem.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411287 190.57.194.163 > 198.251.81.119: icmp: 190.57.194.163 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 58, id 43550, len 146)%0a%3c E.......:.%3c=.9....Qw...%0a%3c ....E..v.5........Qw.9.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411294 199.38.86.127 > 198.251.81.119: icmp: 199.38.86.127 udp port 3283 unreachable [icmp cksum ok] (ttl 53, id 64226, len 56)%0a%3c E..8....5.T..&V...Qw...q....E..!.*....t...Qw.&V......%0a%3c ..%0a%3c 16:47:17.411391 60.173.185.36 > 198.251.81.119: icmp: 60.173.185.36 udp port 1900 unreachable 
[icmp cksum ok] [tos 0xc0] (ttl 52, id 40666, len 146)%0a%3c E.......4...%3c..$..Qw...2....E..vg.....R...Qw%3c..$@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411398 190.79.217.30 > 198.251.81.119: icmp: 190.79.217.30 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 28031, len 146)%0a%3c E...m...5.gK.O....Qw..z.....E..v@B.....S..Qw.O.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411491 116.229.120.85 > 198.251.81.119: icmp: 116.229.120.85 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 54567, len 146)%0a%3c E....'..5...t.xU..Qw........E..v.j.....^..Qwt.xU...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411547 201.208.200.92 > 198.251.81.119: icmp: 201.208.200.92 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 17814, len 146)%0a%3c E...E...5..u...\..Qw..z.....E..v.e....eq..Qw...\...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411554 223.241.109.188 > 198.251.81.119: icmp: 223.241.109.188 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 52, id 26427, len 146)%0a%3c E...g;..4..O..m...Qw..gP....E..v..........Qw..m....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411617 47.216.148.57 > 198.251.81.119: icmp: 47.216.148.57 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 56, id 58965, len 146)%0a%3c E....U..8.../..9..Qw..lE....E..v.......j..Qw/..9...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411681 115.151.100.136 > 198.251.81.119: icmp: 
115.151.100.136 udp port 1900 unreachable [icmp cksum ok] (ttl 52, id 18376, len 146)%0a%3c E...G...4.N.s.d...Qw........E..v.......?..Qws.d....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.411700 190.205.9.110 > 198.251.81.119: icmp: 190.205.9.110 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 60583, len 56)%0a%3c E..8....5..o.. n..Qw..;.....E..vtW....vq..Qw.. n...l.b..%0a%3c 16:47:17.411751 202.213.51.174 > 198.251.81.119: icmp: 202.213.51.174 udp port 1900 unreachable [icmp cksum ok] (ttl 54, id 58810, len 56)%0a%3c E..8....6.....3...Qw..'.....E..v*.........Qw..3....l.b..%0a%3c 16:47:17.411888 72.235.245.4.46465 > 198.251.81.119.16546: [udp sum ok] udp 498 (DF) (ttl 58, id 0, len 526)%0a%3c E.....@.:..|H.....Qw..@.....HTTP/1.1 200 OK%0a%3c CACHE-CONTROL: max-age=1800%0a%3c DATE: Sat, 25 Jul 2020 00:47:17 GMT%0a%3c EXT:%0a%3c LOCATION: http://192.168.1.1:49152/IGDdevicedesc.xml%0a%3c OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01%0a%3c 01-NLS: d78a3592-1dd1-11b2-ae53-a94a2ae2af72%0a%3c SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.17%0a%3c X-User-Agent: redsonic%0a%3c ST: urn:schemas-upnp-org:service:LANHostConfigManagement:1%0a%3c USN: uuid:ebf5a0a0-1dd1-11b2-a93f-94103e83c76b::urn:schemas-upnp-org:service:LANHostConfigManagement:1%0a%3c %0a%3c %0a%3c 16:47:17.411896 201.242.106.21 > 198.251.81.119: icmp: 201.242.106.21 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 15020, len 146)%0a%3c E...:...5.....j...Qw..z.....E..v'.....VW..Qw..j....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412024 190.37.246.60 > 198.251.81.119: icmp: 190.37.246.60 udp port 1900 unreachable [icmp cksum ok] [tos 0xc8] (ttl 53, id 55811, len 146)%0a%3c E.......5....%25.%3c..Qw..gP....E(.v......N...Qw.%25.%3c...l.b..M-SEARCH * HTTP/1.1%0a%3c 
Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412070 60.178.248.153 > 198.251.81.119: icmp: 60.178.248.153 udp port 1900 unreachable [icmp cksum ok] (ttl 52, id 839, len 146)%0a%3c E....G..4.5f%3c.....Qw...2....E..v).....Q7..Qw%3c...@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412236 46.176.61.166 > 198.251.81.119: icmp: host 46.176.61.166 unreachable [icmp cksum ok] (ttl 56, id 33848, len 146)%0a%3c E....8..8.yj..=...Qw...4....E..v.J.....c..Qw..=.@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412268 46.98.2.173 > 198.251.81.119: icmp: 46.98.2.173 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 57, id 10567, len 146)%0a%3c E...)G..9.%0a%3c ..b....Qw..lE....E..v.~.....v..Qw.b.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412277 36.11.66.242 > 198.251.81.119: icmp: 36.11.66.242 udp port 1900 unreachable [icmp cksum ok] (ttl 56, id 31764, len 146)%0a%3c E...|...8...$.B...Qw..gP....E..v.......k..Qw$.B....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412291 5.76.195.122 > 198.251.81.119: icmp: 5.76.195.122 udp port 1900 unreachable [icmp cksum ok] [tos 0x20] (ttl 56, id 24132, len 146)%0a%3c E ..^D..8.B..L.z..Qw...2....E..v.......w..Qw.L.z@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412298 117.70.61.191 > 198.251.81.119: icmp: 117.70.61.191 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 52, id 31279, len 146)%0a%3c E...z/..4.@.uF=...Qw........E..v.5....'...QwuF=....l.b..M-SEARCH * HTTP/1.1%0a%3c 
Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412377 190.206.83.113 > 198.251.81.119: icmp: 190.206.83.113 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 244, id 44160, len 146)%0a%3c E..........w..Sq..Qw..z.....E..vu%0a%3c ....+...Qw..Sq...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412393 175.38.60.86.56278 > 198.251.81.119.51343: [udp sum ok] udp 244 (DF) (ttl 55, id 54854, len 272)%0a%3c E....F@.7.h..&%3cV..Qw........HTTP/1.1 200 OK%0a%3c Location: http://192.168.0.6:1784/%0a%3c Cache-Control: max-age=1800%0a%3c Server: WebOS/4.1.0 UPnP/1.0%0a%3c EXT: %0a%3c USN: uuid:d4804a8c-4e4c-d395-9449-a9a7c29f068c::upnp:rootdevice%0a%3c ST: upnp:rootdevice%0a%3c Date: Sat, 25 Jul 2020 00:47:16 GMT%0a%3c %0a%3c %0a%3c 16:47:17.412406 201.242.161.246 > 198.251.81.119: icmp: 201.242.161.246 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 14463, len 146)%0a%3c E...8...5.........Qw..gP....E..vr`........Qw.......l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412515 197.48.80.219 > 198.251.81.119: icmp: 197.48.80.219 udp port 1900 unreachable [icmp cksum ok] [tos 0x28] (ttl 51, id 13330, len 56)%0a%3c E(.84...3.%25%0a%3c .0P...Qw..;.....E..v.d........Qw.0P....l.b..%0a%3c 16:47:17.412522 200.109.149.177 > 198.251.81.119: icmp: 200.109.149.177 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 52, id 43108, len 146)%0a%3c E....d..4.f..m....Qw..z.....E..v.......X..Qw.m.....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412529 60.174.37.182 > 198.251.81.119: icmp: 60.174.37.182 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 52, id 44813, len 146)%0a%3c E....%0a%3c 
..4.[.%3c.%25...Qw...2....E..v..........Qw%3c.%25.@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412692 190.205.75.123 > 198.251.81.119: icmp: 190.205.75.123 udp port 1900 unreachable [icmp cksum ok] [tos 0xc8] (ttl 53, id 22111, len 146)%0a%3c E...V_..5.....K{..Qw..z.....E(.vh.....%3c...Qw..K{...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412698 96.71.117.134.53722 > 198.251.81.119.20571: [udp sum ok] udp 174 (ttl 117, id 60578, len 202)%0a%3c E.......u.j@`Gu...Qw..P[..E.......%0a%3c %3cR.{..%0a%3c .%0a%3c ....%3cR.{..%0a%3c ..J..X...BodyShop...UniFi Video................$NVR.x86_64.3.10.8.73f13d.190919.0918%0a%3c .%3c788a2047fc430000000002d409b70000000002f0149e000000005a0e3b0d%0a%3c 16:47:17.412749 36.40.114.60 > 198.251.81.119: icmp: 36.40.114.60 udp port 1900 unreachable [icmp cksum ok] (ttl 52, id 35452, len 146)%0a%3c E....|..4.M.$(r%3c..Qw..gP....E..vc5.....j..Qw$(r%3c...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412795 58.40.134.22 > 198.251.81.119: icmp: 58.40.134.22 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 16882, len 146)%0a%3c E...A...5.j.:(....Qw...2....E .v......#...Qw:(..@..l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412916 175.38.60.86.56278 > 198.251.81.119.51343: [udp sum ok] udp 253 (DF) (ttl 55, id 54857, len 281)%0a%3c E....I@.7.h..&%3cV..Qw.......THTTP/1.1 200 OK%0a%3c Location: http://192.168.0.6:1784/%0a%3c Cache-Control: max-age=1800%0a%3c Server: WebOS/4.1.0 UPnP/1.0%0a%3c EXT: %0a%3c USN: uuid:d4804a8c-4e4c-d395-9449-a9a7c29f068c%0a%3c ST: uuid:d4804a8c-4e4c-d395-9449-a9a7c29f068c%0a%3c Date: Sat, 25 Jul 2020 00:47:16 GMT%0a%3c %0a%3c %0a%3c 
16:47:17.412939 175.38.60.86.35166 > 198.251.81.119.51343: [udp sum ok] udp 254 (DF) (ttl 55, id 54855, len 282)%0a%3c E....G@.7.h..&%3cV..Qw.^.....CHTTP/1.1 200 OK%0a%3c Location: http://192.168.0.6:1198/%0a%3c Cache-Control: max-age=1800%0a%3c Server: WebOS/1.5 UPnP/1.0 webOSTV/1.0%0a%3c EXT: %0a%3c USN: uuid:a07c4f49-c398-4af6-ae82-8a238832609f::upnp:rootdevice%0a%3c ST: upnp:rootdevice%0a%3c Date: Sat, 25 Jul 2020 00:47:16 GMT%0a%3c %0a%3c %0a%3c 16:47:17.412947 175.38.60.86.35166 > 198.251.81.119.51343: [udp sum ok] udp 263 (DF) (ttl 55, id 54856, len 291)%0a%3c E..#.H@.7.h..&%3cV..Qw.^....98HTTP/1.1 200 OK%0a%3c Location: http://192.168.0.6:1198/%0a%3c Cache-Control: max-age=1800%0a%3c Server: WebOS/1.5 UPnP/1.0 webOSTV/1.0%0a%3c EXT: %0a%3c USN: uuid:a07c4f49-c398-4af6-ae82-8a238832609f%0a%3c ST: uuid:a07c4f49-c398-4af6-ae82-8a238832609f%0a%3c Date: Sat, 25 Jul 2020 00:47:16 GMT%0a%3c %0a%3c %0a%3c 16:47:17.412953 220.180.203.103 > 198.251.81.119: icmp: 220.180.203.103 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 52, id 29236, len 146)%0a%3c E...r4..4.R....g..Qw..gP....E..v!......)..Qw...g...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412960 190.39.49.229 > 198.251.81.119: icmp: 190.39.49.229 udp port 1900 unreachable [icmp cksum ok] [tos 0xc8] (ttl 53, id 60367, len 146)%0a%3c E.......5..T.'1...Qw..z.....E(.v.P....9...Qw.'1....l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412987 222.72.109.78 > 198.251.81.119: icmp: 222.72.109.78 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 53, id 62228, len 146)%0a%3c E.......5.-..HmN..Qw..gP....E .v!.....CX..Qw.HmN...l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c %0a%3c %0a%3c 16:47:17.412999 117.247.154.139 > 198.251.81.119: icmp: 
117.247.154.139 udp port 1900 unreachable [icmp cksum ok] (ttl 50, id 863, len 146)%0a%3c E...._..2.\.u.....Qw..lE....E..v.......k..Qwu......l.b..M-SEARCH * HTTP/1.1%0a%3c Host:239.255.255.250:1900%0a%3c ST:ssdp:all%0a%3c Man:"ssdp:discover"%0a%3c MX:3%0a%3c @]%0a
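Review bot: the capture lines in this hunk record third-party identifiers exactly as captured: the public address of every sender, the USN uuid values and LOCATION URLs inside the "HTTP/1.1 200 OK" replies, and the "BodyShop...UniFi Video" device string. A sample pcap kept in page text only needs the packet shape (timestamp, direction, ports, and the M-SEARCH or 200 OK payload). Suggest substituting documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and placeholder UUIDs. The near-identical M-SEARCH entries could also be trimmed to one or two representatives, kept alongside one ICMP unreachable and one 200 OK reply, so the reader can see the three packet kinds without scrolling through the whole dump.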
31 5127fd58 2021-12-17 jrmu host:1608087396=198.251.81.119
32 5127fd58 2021-12-17 jrmu author:1608087239=jrmu
33 5127fd58 2021-12-17 jrmu diff:1608087239:1608087239:=1,21d0%0a%3c (:title SSDP Attacks:)%0a%3c %0a%3c !! SSDP Attacks%0a%3c %0a%3c %0a%3c SSDP packets Your server is flooded with packets from Universal Plug and Play (UPnP) devices%0a%3c %0a%3c !! Sample Pcap%0a%3c %0a%3c Many devices today use Universal Plug and Play (UPnP) in order to communicate. They use the Simple Service Discovery Protocol (SSDP) to tell other devices that they exist on the network. For example, a UPnP printer would broadcast all services it has to offer to all devices on the network. Attackers can spoof traffic to take advantage of these plug-and-play devices in an amplification attack. The attackers messages these UPnP devices using your IP address, and the devices reply with a message that is much larger than the original message. This amplifies the attack and floods your server with useless SSDP packets.%0a%3c %0a%3c !! How to Block%0a%3c %0a%3c First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are [[openbsd/buyvm|BuyVM]], check the [[https://manage.buyvm.net|web panel]] to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.%0a%3c %0a%3c Using the [[openbsd/pf|packet filter]] firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:%0a%3c %0a%3c [@%0a%3c ext_ip="192.168.0.1"%0a%3c block drop quick proto udp from any to $ext_ip port 1900%0a%3c @]%0a\ No newline at end of file%0a
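Review bot: in the pf.conf block at the end of this hunk, the rule "block drop quick proto udp from any to $ext_ip port 1900" matches only UDP addressed to port 1900 on the server, which is not what the capture recorded earlier on this page shows arriving. The SSDP replies there come from high source ports to high destination ports (72.235.245.4.46465 > 198.251.81.119.16546, 175.38.60.86.56278 > 198.251.81.119.51343), and most of the other entries are ICMP "udp port 1900 unreachable" messages, so neither kind would hit this rule. Suggest the text say which traffic the rule is meant to stop, and mention that a default block policy with stateful pass rules is what drops unsolicited UDP replies and unrelated ICMP errors. Smaller points in the same hunk: the text announces "these two rules" but the block holds one macro and one rule; ext_ip="192.168.0.1" is a private address and should be labelled as a placeholder for the server's public IP; "The attackers messages" should read "The attacker messages" and "If you are BuyVM" should read "If you are on BuyVM"; the line "SSDP packets Your server is flooded with packets ..." is two fragments run together; and the explanatory paragraph sits under the "!! Sample Pcap" heading although no capture follows it.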
34 5127fd58 2021-12-17 jrmu host:1608087239=198.251.81.119