Netgate Discussion Forum
    Sudden appearance of SSDP through port 1900 from a public ip

    6 Posts 2 Posters 72 Views
      rasputinthegreatest
      last edited by rasputinthegreatest

      Hi guys. All of a sudden I am seeing a lot of spam in my firewall from what I assume is my public IPv6 on port 1900 to my port 1900 on pfSense. I am running a double NAT. I did a capture of the UDP packets and it is SSDP.

      WAN 	Default deny rule IPv6 (1000000105) 	[A PUBLIC IPv6]:1900		[ff0e::c]:1900		UDP 
      

      The capture says the following:

      NOTIFY * HTTP/1.1
      Cache-Control: max-age=1800
      Host: [ff0e::c]:1900
      Location: http://[A PUBLIC IP]:49000/fboxdesc.xml
      Server: FRITZ!Box UPnP/1.0 AVM FRITZ!Box 284.08.03
      NT: upnp:rootdevice
      NTS: ssdp:alive
      USN: uuid:xxxxxxxxxx::upnp:rootdevice
      

      So it is coming from a file called fboxdesc.xml related to my Fritzbox. The whole request is getting blocked by the Default Deny IPv6.

      I assume it is my public IPv6. My public IP is ::/64. So I am seeing my public IPv6 and then a certain suffix behind it with "e456:aaef:as9a:11df". Since I don't have much knowledge of IPv6, any information on what is happening here is appreciated. Thanks a lot.

        johnpoz LAYER 8 Global Moderator @rasputinthegreatest
        last edited by johnpoz

        @rasputinthegreatest Not really a "request", it's an announcement. "Hey, you can see what services I offer here", with that location URL.

        You can probably turn off UPnP on your Fritzbox. Or it could be noise from someone else's Fritzbox on the same ISP network.

        I would for sure make sure UPnP is disabled on your Fritzbox. If it's coming from someone else on the same ISP network as you, you could set up a rule to not log that traffic.

        My guess is it's your Fritzbox. Maybe you reset it and UPnP got enabled, or you enabled it?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          rasputinthegreatest @johnpoz
          last edited by rasputinthegreatest

          @johnpoz So the prefix is my public IPv6, since it shows the same in my Fritzbox, and then a unique set of letters and numbers behind it. UPnP is already disabled on my Fritzbox, which is the weird part about it. I also didn't reset it. I am seeing it for the first time today. If I search the full IPv6 it also points to where I live.
          I will obfuscate my public IPv6 here, but it looks like this:
          AAAA:AAAA:AAA:AAAA+b514:ccff:fe3b:13af
          In my Fritzbox there is a setting for DNSv6 server for the home network.
          In this case the prefix is fdb5:827:b514:ccff:fe3b:13af
          But the suffix matches what I am seeing in the public IPv6.
          Another thing I don't understand: under IPv6 addresses in the Fritzbox settings, the public IPv6 prefix is supposed to be for the internal network, and the public one starts the same but looks like this:

          Home network
          AAAA:AAAA:AAA:AAAA::/64
          
          Guest network
          ::/0
          
          WAN
          AAAA:AAAA:X:X::/64
          

          Just found another setting in the Fritzbox that says "UPnP filter active" and it was enabled. That blocks anyone from being able to reach port 1900 on my Fritzbox from the outside internet. So I assume what I captured is my internal network?

            johnpoz LAYER 8 Global Moderator @rasputinthegreatest
            last edited by

            @rasputinthegreatest Not sure how Fritz does IPv6. But fdb5 is ULA; if the address starts with FD it's a ULA IPv6 prefix.

            I see hits to my IPv4 for SSDP (port 1900), but they are all from known scanners that I block anyway. But what you posted from your capture is an announcement. FF0E is a global scope multicast address.

            That is a NOTIFY. Something is announcing itself to the network. Where exactly it's coming from, not sure. But if your Fritzbox does ULA for handing out IPv6 to stuff behind it, and uses a GUA on its internet side, it could just be sending that internally. But it is multicast, so it isn't going to be routed over the public internet. So it would have to be coming from your Fritzbox, or something from the ISP network that is on the same L2 network, but you would have to be in something like bridge mode on your Fritzbox to see it on pfSense.

            Personally, if the log entries are bothering you and it amounts to log spam, create a rule to not log it. My Plex server has a nasty habit of sending out searches.

            [screenshot: ssdpmsearch.jpg]

            Every freaking 10 seconds. I have not found a way to make it stop, so I block it at the switch ;)

              rasputinthegreatest @johnpoz
              last edited by
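The reasoning in the post above (NOTIFY vs. M-SEARCH, ULA vs. GUA source, and ff0e::c being global-scope multicast that is not forwarded over the public internet) can be turned into a small triage script for blocked SSDP datagrams. This is an added example, not code from the thread or from pfSense; the sample NOTIFY is constructed after the capture quoted above, with a documentation address and a placeholder UUID.

```python
import ipaddress

# Constructed sample modelled on the NOTIFY in the thread (address/UUID are placeholders).
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "Cache-Control: max-age=1800\r\n"
    "Host: [ff0e::c]:1900\r\n"
    "Location: http://[2001:db8:0:1:b514:ccff:fe3b:13af]:49000/fboxdesc.xml\r\n"
    "Server: FRITZ!Box UPnP/1.0 AVM FRITZ!Box 284.08.03\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:PLACEHOLDER::upnp:rootdevice\r\n\r\n"
)
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
                0x8: "organization-local", 0xE: "global"}

def parse_ssdp(raw):
    """Split an SSDP datagram into its start line and a dict of headers (names upper-cased)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def classify_ipv6(addr):
    """Name an IPv6 address type in the terms the thread uses (ULA, GUA, multicast scope)."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast:       # scope is the low nibble of the second byte (ff0E::c -> 0xE)
        return "multicast/" + MCAST_SCOPES.get((int(ip) >> 112) & 0xF, "other")
    if ip.is_link_local:
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"          # fdxx:... addresses such as the fdb5 prefix in the thread
    if ip in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"

def triage_ssdp(src, dst, payload):
    """Summarise one blocked SSDP datagram: what it is, who sent it, could it have been routed in."""
    start, h = parse_ssdp(payload)
    method = start.split(" ", 1)[0]
    kind = {"NOTIFY": "announcement (%s)" % h.get("NTS", "?"),
            "M-SEARCH": "search request"}.get(method, "other")
    multicast = ipaddress.IPv6Address(dst).is_multicast
    return {"kind": kind, "src_type": classify_ipv6(src), "dst_type": classify_ipv6(dst),
            # multicast is not forwarded over the public internet, so the sender is on-link
            "origin": "same L2 segment" if multicast else "possibly remote",
            "location": h.get("LOCATION"), "server": h.get("SERVER")}
```

Feed it the source and destination from the pfSense log entry plus the captured payload; an "origin" of "same L2 segment" means the announcer is the Fritzbox or something on the same wire, not a host across the internet.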

              @johnpoz I think it is internal too and probably fine. Where can I block the messages in the firewall log for just those SSDP messages? Is there a dedicated menu somewhere in pfsense? Also can you show me your rule for known scanners? I would like to block those too

                johnpoz LAYER 8 Global Moderator @rasputinthegreatest
                last edited by

                @rasputinthegreatest Well, blocking and not logging would just be "any any UDP" to that ff0e::c address, or port 1900 anything, etc. And don't have it log.

                As to the scanners, that is a pfBlocker alias I have, and I put that in a floating rule.

                [screenshot: scandeny.jpg]

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.