solution first, you can use the program located here http://grc.com/unpnp/unpnp.htm to disable the UPnP service.
I've noticed several things in Windows that I never fully understood before.
Let's start off with a few basics.
IP address range 224.0.0.0 mask 240.0.0.0 has a default route in the Windows
Whistler, upon booting, sends several packets to 239.255.255.250 port 1900.
As far as I can tell, both the 224 range and this 239 address are some sort
of multicast address. I believe the 239 should be routed locally or
something to prevent internal data from going out to the public internet.
But it's not, and I don't understand why, or why Windows is trying to contact
Both Windows ME and Whistler appear to send packets to the 239 address upon
bootup. I have found messages via Google where people noticed a huge
increase in traffic to these locations (no doubt from all the people booting
Whistler or ME while connected to the net).
OK, so while investigating this I found the below at
If an IPP Printer is configured to advertise IPP using SSDP, it MUST send a
multicast request with method NOTIFY and ssdp:alive in the NTS header in the
NOTIFY * HTTP/1.1
CACHE-CONTROL: max-age = seconds until advertisement expires
LOCATION: URL for IPP Printer with 'ipp' scheme
NT: search target
SERVER: OS / version, IPP / 1.1, product / version
USN: advertisement UUID
If such a device also supports UPnP, it SHOULD be configurable to advertise
UPnP. See UPnP Print Device and Print Service Templates.
As it happens, this is an exact match for the packets I see going out each
time I boot Whistler.
Next I found this at http://www.upnp.org/draft_cai_ssdp_v1_03.txt
Changed SSDP multicast message examples to use the reserved relative
multicast address "5" provided by IANA. In the local administrative
scope, the only scope currently used by SSDP, this address
translates to 239.255.255.250.
INTERNET-DRAFT SSDP/V1 October 28, 1999
A mechanism is needed to allow HTTP clients and HTTP resources to
discover each other in local area networks. That is, a HTTP client
may need a particular service that may be provided by one or more
HTTP resources. The client needs a mechanism to find out which HTTP
resources provide the service the client desires.
For the purposes of this specification the previously mentioned HTTP
client will be referred to as a SSDP client. The previously mentioned
HTTP resource will be referred to as a SSDP service.
In the simplest case this discovery mechanism needs to work without
any configuration, management or administration. For example, if a
user sets up a home network or a small company sets up a local area
network they must not be required to configure SSDP before SSDP can
be used to help them discover SSDP services in the form of Printers,
Scanners, Fax Machines, etc.
It is a non-goal for SSDP to provide for multicast scope bridging or
for advanced query facilities.
Now the question: can anyone explain to me what the hell this is all about?
Is the default route for 224.0.0.0 really wrong because it doesn't include
the 239 address, and so my machine is sending packets out on the internet
that are really meant to be local broadcast packets of some sort, but because
of an incorrect route in the routing table they go out to the net?
As an ISP, should I be blocking 239.255.255.250 from being routed out to the
general internet? It appears to me that this is the address used by UPnP to
discover local network connected UPnP devices. If that's the case then there
is a pretty major screwup in the works as more and more Windows machines
come online sending packets to this internet address.
Anyone know the story here?
more information. Newer versions of Windows are using 239.255.255.250 as a sort of broadcast address to announce the presence of a machine on the network (sort of like a NetBEUI broadcast).
Anyway, what I was seeing is a misconfiguration in some DSL routers where there is no multicast route (224.0.0.0). In this case the traffic is being passed out to the net via the default 0.0.0.0 route. If you have such a router then I would suggest routing at least this one address back to your internal network or to null so that the traffic doesn't go out to the general internet announcing your machine.
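As an added example (not from the original post or the quoted drafts), this Python snippet parses an SSDP NOTIFY message of the form shown above and checks a routing table for the problem described in the follow-up: whether 239.255.255.250 would fall through to the 0.0.0.0 default route when no 224.0.0.0 mask 240.0.0.0 multicast route exists. The datagram, routing tables and gateway addresses are constructed samples.

```python
import ipaddress

# Constructed SSDP NOTIFY datagram in the format quoted above (not a real capture).
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.10:5000/upnp/desc.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Windows/5.1 UPnP/1.0 Example/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

def parse_ssdp_notify(text):
    """Parse an SSDP NOTIFY message into (request line, headers); header names are uppercased."""
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("NOTIFY "):
        raise ValueError("not an SSDP NOTIFY message")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def lookup_route(routes, dst):
    """Longest-prefix match over (network, gateway) tuples; returns the winning tuple or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_str, gw in routes:
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def multicast_leaks_to_default(routes, dst="239.255.255.250"):
    """True if a multicast destination would be forwarded via the 0.0.0.0/0 default route."""
    hit = lookup_route(routes, dst)
    return ipaddress.ip_address(dst).is_multicast and hit is not None and hit[0].prefixlen == 0

# Constructed routing tables: the misconfigured DSL-router case and a corrected one.
BROKEN_ROUTES = [("0.0.0.0/0", "203.0.113.1"), ("192.168.1.0/24", "0.0.0.0")]
FIXED_ROUTES = BROKEN_ROUTES + [("224.0.0.0/4", "192.168.1.1")]  # 224.0.0.0 mask 240.0.0.0
```

Run `multicast_leaks_to_default` against the output of your router's routing table to confirm whether SSDP announcements would leave via the default route.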