General Networking/Lan/Wan/UPnP?

Question
QUESTION: Hello,

I am using Windows XP and Privatefirewall 7.0. Today when I was viewing my firewall log, I noticed there had been incoming UDP packets from IP address 192.168.1.1, which if I'm right is my router. My laptop is connected to the router via Wifi. The internet connection is private and I'm not using other devices, so I don't understand why my router sent me UPnP packets.

So in the advanced report it says:

Remote IP: 192.168.1.1:1900(UPnP)
Local IP:  192.168.1.2:1912
Protocol:UDP(17)

So my question would be:
Do you think this was a hacker?
Are there any other reasons?

ANSWER: Hi John,

Rethimno?!!!  We were there a few years ago, at the start of their economic issues, and spent about 9-10 days on Crete, in various spots and had a great time.

>> I am using Windows XP and Privatefirewall 7.0. Today when I was viewing my firewall log, I noticed there had been incoming UDP packets from IP address 192.168.1.1, which if I'm right is my router.

Correct - that's your router but it's not "really" your router - it's some PC somewhere on the Internet - but your router is ADMITTING the packet and FORWARDING it to your LAN.  That is not good.  You should check your security settings on your router/firewall.

Check that stuff and please get back to me.  Screen shots might help?

>>  Do you think this was a hacker?

Well let's see why those packets are even being ALLOWED in ... and take it from there.

J.

---------- FOLLOW-UP ----------

QUESTION: Thanks for your quick answer. I just disabled UPnP on my router and installed another firewall. I also ran a malware test but I found no malware. Could it be ndisuio.sys, which usually uses port 1900? Or is it a hacking attempt?

ANSWER: It's good news that you found no malware - did you try malwarebytes.com?  I like their stuff!  If you haven't tried that, do so - it'll be free and their software is very good.

It's interesting that you had to disable UPnP on your router.  By DEFAULT - no inbound connections should be allowed unless they are in response to a packet that you initiated from inside - unless you have a DMZ IP configured.  Have you been messing about with your rules on the router???

It doesn't SOUND like a hacking attempt per se ... but thankfully all those packets were being dropped anyway.  I wouldn't get too worried about it - but certainly you want your Router to be configured to be conservative.  About the only inbound UDP packets that you would want to be passed are DNS and perhaps some gaming ports - depending on the game.  Most games don't require any special firewall rules but there are exceptions to this.

J.

---------- FOLLOW-UP ----------

QUESTION: How do we know the packets were dropped? The firewall said the transfer hadn't been blocked. Last question: If a router that has UPnP enabled sends an SSDP notify message to the laptop, would it ever send it to port 1912? Or is it always 1900?

Answer
Ah sorry - I assumed (bad of me) that your PC Firewall had dropped those - because PC firewalls normally only log Dropped packets unless explicitly configured otherwise by you.  My bad.  Firewalls should always be configured to drop EVERYTHING that isn't explicitly allowed (desired).

>> If a router that has UPnP enabled sends an SSDP notify message to the laptop, would it ever send it to port 1912? Or is it always 1900?

From what I've gathered from some targeted searches, SSDP is normally 1900, but again security isn't my forte.

J.  
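
As an added example (not part of the original thread and not Privatefirewall's own code), the Python sketch below parses entries in the "advanced report" layout quoted in the question and labels each inbound UDP packet by how it relates to SSDP. It relies on the UPnP rule that a reply to an M-SEARCH is unicast back to the port the search was sent from; the /24 LAN prefix, the label names and every sample entry except the first are assumptions constructed for illustration.

```python
import ipaddress
import re

SSDP_PORT = 1900
LAN_PREFIX = 24  # assumption: the home LAN is a /24 such as 192.168.1.0/24

ENTRY_RE = re.compile(
    r"Remote IP:\s*(?P<rip>[\d.]+):(?P<rport>\d+).*?"
    r"Local IP:\s*(?P<lip>[\d.]+):(?P<lport>\d+).*?"
    r"Protocol:\s*\w+\((?P<num>\d+)\)",
    re.S,
)

def parse_entry(text):
    """Parse one inbound-packet entry; 'Local IP' is assumed to be the host's own address."""
    m = ENTRY_RE.search(text)
    if m is None:
        raise ValueError("unrecognised log entry")
    return {
        "src": ipaddress.ip_address(m["rip"]), "sport": int(m["rport"]),
        "dst": ipaddress.ip_address(m["lip"]), "dport": int(m["lport"]),
        "proto": int(m["num"]),
    }

def classify(e):
    """Label an inbound packet by its relation to SSDP (UDP port 1900)."""
    if e["proto"] != 17 or SSDP_PORT not in (e["sport"], e["dport"]):
        return "not-ssdp"
    lan = ipaddress.ip_interface(f"{e['dst']}/{LAN_PREFIX}").network
    if e["src"] not in lan:
        return "ssdp-from-off-lan-source"  # SSDP is meant to stay on the local link
    if e["dport"] == SSDP_PORT:
        return "ssdp-notify-or-search"     # NOTIFY and M-SEARCH arrive on port 1900
    return "ssdp-search-response"          # from 1900 to the port our M-SEARCH used

ENTRY = "Remote IP: {}\nLocal IP:  {}\nProtocol:UDP(17)"
SAMPLES = {
    "from_page": ENTRY.format("192.168.1.1:1900(UPnP)", "192.168.1.2:1912"),
    # Constructed entries below; they are not taken from the poster's log.
    "to_1900": ENTRY.format("192.168.1.1:1900(UPnP)", "192.168.1.2:1900"),
    "off_lan": ENTRY.format("203.0.113.5:1900(UPnP)", "192.168.1.2:1912"),
    "dns": ENTRY.format("192.168.1.1:53", "192.168.1.2:1050"),
}

def triage(samples=SAMPLES):
    """Return {name: label} for every sample entry."""
    return {name: classify(parse_entry(text)) for name, text in samples.items()}

if __name__ == "__main__":
    for name, label in triage().items():
        print(f"{name:10s} {label}")
```

A label of `ssdp-search-response` only means the address and port pattern fits a reply to a search the host itself sent; confirming it takes a packet capture showing the matching outbound M-SEARCH.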

Jeff K

Expertise

I'm a Network and Application Performance Specialist, and have worked for some of the best software companies in the world.

Experience

I have over 20 years in Information Technology & Networking.

Education/Credentials
Lots of hard work, study and real-world experience. I've had some formal training along the way but most of my knowledge is from working in the field, not the classroom.

©2016 About.com. All rights reserved.