dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1413
share rss forum feed


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

2 edits

Blocked UPnP means that your network is broken?

quote:
UPnP: Some "Internet" problems users face are actually due to the NAT or "home gateway", rather than the Internet itself. Netalyzr now actively tries to determine the location of your gateway device via UPnP (Universal Plug and Play). If successful, it can ask the device for information about itself, providing valuable data points to help us determine whether particular gateway models exhibit specific problems.

said by Netalyzer test results :
NAT support for Universal Plug and Play (UPnP) (?): Broken
The UPnP request broadcast succeeded, but the subsequent HTTP transfer failed with status code 404. You may view the raw data returned by the device here.
HTTP/1.1 404 Not Found
Connection: close
Date: Thu, 28 Apr 2011 18:28:33 GMT


Netalyzr's opinion that a network is "broken" if UPnP is disabled is just that, an opinion (and from a network security standpoint, not a very good opinion). I have to wonder if ICSI's gateway router(s) allow its users to use UPnP?
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA

I complaining that its broken not disabled not enabled, but BROKEN.

I have a Cisco 877 that dose not support UPNP the test didn't complain.

If UPNP is disabled it should not respond at all but your router did and then gave a 404 error.


nweaver

join:2010-01-13
Napa, CA

1 recommendation

reply to NetFixer

We consider it interesting when UPNP is allowed but broken:

If there is no UPnP, its reported as such. (Not being able to access UPnP may be also limited by local firewalls, and the test is not run if you aren't behind a NAT).

What we report as broken is when there is something which responds to our UPnP multicast query BUT when we try to get the .xml from the device (to ask "what are you and what can you do" following the UPnP spec [1]) it doesn't give us a response or gives an error code or a broken response (eg, a blob of Javascript rather than XML).

However, given the sheer diversity of 400s, 404s, javascript blobs, etc, we do wonder whether some implementations are just not liking web-browser user-agents (we use the browser user-agent string) in delivering the .xml file.

[1] UPnP works by first sending a multicast request saying "Hey, is anyone of thingy-type X aronud". Those things reply with a URL that you can then connect to to get the actual information through HTTP.

Its when we see the reply BUT can't fetch the URL that it complains about a possible problem.


C Kreibich

join:2011-04-22

1 recommendation

reply to NetFixer

What Netalyzr is pointing out here is an actual bug in your device's UPnP support: the UDP-based discovery process works in principle: the client learns the URL at which the device's UPnP profile can be retrieved. However, trying to do so yields an HTTP 404 error. This is broken UPnP support in your gateway device, which we flag accordingly.


Celexi

join:2009-12-27
portugal

My Router UPNP is working fine and i still get the same:

HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 112

HTTP/1.0 404 Not Found
HTTP/1.0 404 Not Found.

Which is a bit strange.


nweaver

join:2010-01-13
Napa, CA

We have some thought on some tests which might work better. If you are willing, email netalyzr-help@icsi.berkeley.edu

We're trying to figure out in more detail why so many systems are failing the UPnP test by sending back 404s or other errors when we attempt to probe for more details.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

2 edits
reply to C Kreibich

said by Napsterbater:

I complaining that its broken not disabled not enabled, but BROKEN.

I have a Cisco 877 that dose not support UPNP the test didn't complain.

If UPNP is disabled it should not respond at all but your router did and then gave a 404 error.

said by nweaver:

We consider it interesting when UPNP is allowed but broken:

If there is no UPnP, its reported as such. (Not being able to access UPnP may be also limited by local firewalls, and the test is not run if you aren't behind a NAT).

What we report as broken is when there is something which responds to our UPnP multicast query BUT when we try to get the .xml from the device (to ask "what are you and what can you do" following the UPnP spec [1]) it doesn't give us a response or gives an error code or a broken response (eg, a blob of Javascript rather than XML).

said by C Kreibich:

What Netalyzr is pointing out here is an actual bug in your device's UPnP support: the UDP-based discovery process works in principle: the client learns the URL at which the device's UPnP profile can be retrieved. However, trying to do so yields an HTTP 404 error. This is broken UPnP support in your gateway device, which we flag accordingly.

The only place I can find where you did your UPnP test in my local PC firewall logs or any router log on my network, is in the local PC firewall log. I have reproduced the entries below:

Time                 Action    Severity Direction  Protocol Remote Host                                      Remote MAC         Remote Port  Local Host        Local MAC           Local Port  Application Name                         User    Domain  Security  Rule
 
04/28/2011 13:28:26  Blocked   10       Incoming   UDP      192.168.10.100                                   00-0F-B5-81-A6-C9  15580        239.255.255.250   01-00-5E-7F-FF-FA   1900                                                 myname  DCS_NET Normal    Block UPnP Traffic
04/28/2011 13:28:26  Allowed   10       Outgoing   UDP      239.255.255.250                                  01-00-5E-7F-FF-FA  1900         192.168.10.100    00-0F-B5-81-A6-C9   15580       C:\Program Files\SeaMonkey\seamonkey.exe myname  DCS_NET Normal    Ask all running apps
04/28/2011 13:28:26  Allowed   10       Outgoing   TCP      n3.netalyzr.icsi.berkeley.edu [174.129.176.88]   00-16-B6-86-E8-EE  80           192.168.10.100    00-0F-B5-81-A6-C9   15561       C:\Program Files\SeaMonkey\seamonkey.exe myname  DCS_NET Normal    Ask all running apps
 
 

The local PC firewall blocked the inbound UPnP traffic (as it should have). The only anomaly I can see is the device using MAC address 01-00-5E-7F-FF-FA which responded to your UPnP probe. I do not have a device with that MAC address on my network, and I will certainly be checking into how/where that response came from. You certainly did send an html request to my gateway router following your UPnP probe, but it was not my router who responded (and I do find that troubling, so thank you for finding a potential problem, even if it was not the problem your test was looking for).

I plan on running this test again later today and doing a full packet capture, but I can't do it right now as I have to leave for an appointment with a client. If someone from ICSI would like the results of that test and/or the captured packet, let me know.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

nweaver

join:2010-01-13
Napa, CA

We'd love to.

Please email netalyzr-help@icsi.berkeley.edu

We also have a beta test version which may help as well.

Thanks!



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
·Comcast

1 edit

said by nweaver:

We'd love to.

Please email netalyzr-help@icsi.berkeley.edu

We also have a beta test version which may help as well.

Thanks!

Sending you the packet captures probably won't be necessary.

Once I did the packet captures I could see that the UPnP response was coming from a recently installed Netgear WNR1002v2-VC wireless router that was supplied to me at no cost by my ISP Comcast (how could I refuse a free router?). It is a residential grade wireless router that I am only using as an access point. It seems that even though I disabled UPnP in its html setup menu, it was still responding to UPnP queries (it also seems that you get what you pay for).

After I temporarily disabled the LAN switch port that it used, I no longer got the UPnP broken message in the test results. My next step was to manually create a real UPnP block rule for my local PC firewalls instead of relying on the GUI menu check box that claimed to disable UPnP (but which obviously only disabled inbound UPnP traffic). With that rule in place, your test now tags my UPnP support as "Not found" instead of "Broken" even with the "Broken" Netgear WiFi router back on the network. "Not found" is good, if I had seen "Not found" in the original test I ran, this sub-thread would not even exist.

As for the 01-00-5e-7f-ff-fa MAC address, that appears to just be the default MAC address used for multi-cast UPnP (and also my ignorance showing because I had never really done anything with UPnP except to disable it). Now, thanks to your test I can really be sure that it is disabled.

Anyway, your test's conclusion that a device was incorrectly answering a UPnP probe was correct. It just was not the default gateway router that was replying. That my PC's firewall was blocking UPnP replies, but allowing outbound UPnP queries just added to the situation because your test could not see the replies from my WiFi router (which it should not have been sending anyway). Thanks for a good network test and the education on what the UPnP "Broken" test result actually meant (it helped me to tighten up my network security one more notch).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

nweaver

join:2010-01-13
Napa, CA

UPnP bug fixed...

Thanks to all who helped, we've fixed the UPnP bug.

Thanks!