Solution first: you can use the program located here http://grc.com/unpnp/unpnp.htm to disable the UPnP service.

 

I've noticed several things in Windows that I never fully understood before.
Let's start off with a few basics.

IP address range 224.0.0.0 mask 240.0.0.0 has a default route in the Windows
routing table.
Whistler, upon booting, sends several packets to 239.255.255.250 port 1900.

As far as I can tell, both the 224 range and this 239 address are some sort
of multicast address. I believe the 239 should be routed locally or
something to prevent internal data from going out to the public internet.
But it's not, and I don't understand why, or why Windows is trying to contact
this address.

Both Windows ME and Whistler appear to send packets to the 239 address upon
bootup. I have found messages via Google where people noticed a huge
increase in traffic to these locations (no doubt from all the people booting
Whistler or ME while connected to the net).

Ok so while investigating this I found the below at
http://www.pwg.org/hypermail/pwg-ipp/0060.html

------------------
If an IPP Printer is configured to advertise IPP using SSDP, it MUST send a
multicast request with method NOTIFY and ssdp:alive in the NTS header in the
following format.

NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age = seconds until advertisement expires
LOCATION: URL for IPP Printer with 'ipp' scheme
NT: search target
NTS: ssdp:alive
SERVER: OS / version, IPP / 1.1, product / version
USN: advertisement UUID

Such a device also supports UPnP, it SHOULD be configurable to advertise
UPnP. See UPnP Print Device and Print Service Templates.
----------------

As it happens, this is an exact match for the packets I see going out each
time I boot Whistler.

Next I found this at http://www.upnp.org/draft_cai_ssdp_v1_03.txt

------------
Changed SSDP multicast message examples to use the reserved relative
   multicast address "5" provided by IANA. In the local administrative
   scope, the only scope currently used by SSDP, this address
   translates to 239.255.255.250.

--------------
and this
-------------
INTERNET-DRAFT                 SSDP/V1               October 28, 1999


   A mechanism is needed to allow HTTP clients and HTTP resources to
   discover each other in local area networks. That is, a HTTP client
   may need a particular service that may be provided by one or more
   HTTP resources. The client needs a mechanism to find out which HTTP
   resources provide the service the client desires.

   For the purposes of this specification the previously mentioned HTTP
   client will be referred to as a SSDP client. The previous mentioned
   HTTP resource will be referred to as a SSDP service.

   In the simplest case this discovery mechanism needs to work without
   any configuration, management or administration. For example, if a
   user sets up a home network or a small company sets up a local area
   network they must not be required to configure SSDP before SSDP can
   be used to help them discover SSDP services in the form of Printers,
   Scanners, Fax Machines, etc.

   It is a non-goal for SSDP to provide for multicast scope bridging or
   for advanced query facilities.
--------------

Now the question, can anyone explain to me what the hell this is all about?
Is the default route for 224.0.0.0 really wrong because it doesn't include
the 239 address and so my machine is sending packets out on the internet
that are really meant to be local broadcast packets of some sort but because
of an incorrect route in the routing table they go out to the net?

As an ISP, should I be blocking 239.255.255.250 from being routed out to the
general internet? It appears to me that this is the address used by UPnP to
discover local network connected UPnP devices. If that's the case then there
is a pretty major screwup in the works as more and more Windows machines
come online sending packets to this internet address.

Anyone know the story here?

Geo.

================================================

More information. Newer versions of Windows are using 239.255.255.250 as a sort of broadcast address to announce the presence of a machine on the network (sort of like a NetBEUI broadcast).

Anyway, what I was seeing is a misconfiguration in some DSL routers where there is no multicast route (224.0.0.0). In this case the traffic is being passed out to the net via the default 0.0.0.0 route. If you have such a router then I would suggest routing at least this one address back to your internal network or to null so that the traffic doesn't go out to the general internet announcing your machine.
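
The routing behaviour described above can be checked with a longest-prefix-match lookup. This is an added example, not part of the original post; the route tables are constructed and the interface names "lan", "wan" and "null" are assumptions. It shows that 224.0.0.0 mask 240.0.0.0 covers 224.0.0.0 through 239.255.255.255, so 239.255.255.250 matches it, and that a table without that route sends SSDP out the default route until a more specific route is added.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP address from the post

def parse_routes(rows):
    """Turn (destination, netmask, interface) rows into (network, interface) pairs."""
    return [(ipaddress.ip_network(f"{dest}/{mask}"), iface)
            for dest, mask, iface in rows]

def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    addr = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def ssdp_leaks(routes, wan_iface):
    """True when SSDP multicast would be forwarded out the WAN interface."""
    hit = lookup(routes, SSDP_GROUP)
    return hit is not None and hit[1] == wan_iface

# Constructed tables (not captured from real devices).
WINDOWS_HOST = parse_routes([
    ("0.0.0.0", "0.0.0.0", "wan"),
    ("192.168.1.0", "255.255.255.0", "lan"),
    ("224.0.0.0", "240.0.0.0", "lan"),      # the multicast route from the post
])
DSL_ROUTER_NO_MCAST = parse_routes([
    ("0.0.0.0", "0.0.0.0", "wan"),          # only the default route can match
    ("192.168.1.0", "255.255.255.0", "lan"),
])
# The suggested fix: route this one address to null (or back to the LAN).
DSL_ROUTER_FIXED = DSL_ROUTER_NO_MCAST + parse_routes([
    ("239.255.255.250", "255.255.255.255", "null"),
])

if __name__ == "__main__":
    tables = [("windows host", WINDOWS_HOST),
              ("router, no multicast route", DSL_ROUTER_NO_MCAST),
              ("router, host route to null", DSL_ROUTER_FIXED)]
    for name, table in tables:
        net, iface = lookup(table, SSDP_GROUP)
        leaks = ssdp_leaks(table, "wan")
        print(f"{name}: {SSDP_GROUP} -> {net} via {iface}, leaks={leaks}")
```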