Block all SSDP Traffic

Dear community,
The firewall is generally working on my OpenWRT router (TD-W8970). Four computers are connected to the router via LAN cables. However, I'm facing some SSDP packets that I don't want carried around my network. They use UDP port 1900, but they aren't UDP, they're SSDP. So trying to block these network ports with the following rule doesn't work:

config rule
    option name 'NOSSDP'
    option proto 'ssdp'
    option src_port '1900'
    option dest_port '1900'
    option family 'any'
    option target 'DROP'

Setting option proto to 'udp' doesn't change the situation either. Is it the wrong approach to use /etc/config/firewall for the task of denying all the SSDP packets?

They are or they aren't? If they aren't, then try not defining ports or defining the family...

See the default igmp or esp rules for reference... failing that... there is always firewall.user.


If your traffic doesn't match the following description, then it's likely not SSDP:

It is definitely SSDP traffic here. It uses UDP port 1900, as the wiki article says too. Requests go from one computer (running the program PowerDVD, which is the source of the SSDP calls) to 239.255.255.250, so multicast.

Using SSDP in firewall.user like that unfortunately doesn't work:
iptables -A INPUT -p ssdp --dport 1900 -j DROP

... because the response when restarting the firewall is:
iptables v1.8.3 (legacy): unknown protocol "ssdp" specified

In addition to "INPUT", I also made entries for "OUTPUT" and "FORWARD" to definitely have every case on the list.

Now, I've read somewhere that iptables with string matching can be used for filtering SSDP. Installing iptables-mod-filter on my device was necessary for that. I'm experimenting with it at the moment.

SSDP works over UDP, so you must address it as 1900/udp.
This should be configured along with the following isolation means:


Traffic between nodes in your network travels through the switch and does not reach the CPU; you cannot use iptables rules to block traffic between nodes.

You first need to use VLANs to separate each ethernet port, then bridge them at the CPU level, and finally use ebtables to block traffic.


Or turn on bridge iptables... but beware, this whole method is CPU intensive and will slow down all LAN traffic. The real question is: why do you want to stop this traffic?

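The VLAN-then-bridge-then-ebtables approach from the two posts above (plus the "bridge iptables" alternative), as an added example that is not part of the thread. It assumes an OpenWrt 19.07-era router (the thread's iptables 1.8.3 legacy) whose LAN ports have already been split into one VLAN per port and bridged back together as br-lan; the switch/VLAN setup itself is not shown, and the package names, the DRY_RUN switch and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Layer-2 SSDP filtering on an OpenWrt
# 19.07-era (iptables 1.8.3) router. Assumes the LAN ports have already been
# split into one VLAN per port and bridged back together as br-lan, so that
# frames between ports reach the CPU; a port-to-port frame that stays inside
# the hardware switch never hits any of these rules.
# Packages assumed: 'ebtables' + 'kmod-ebtables-ipv4' for the ebtables path,
# 'kmod-br-netfilter' + 'iptables-mod-physdev' for the br_netfilter path,
# 'iptables-mod-filter' for the optional payload (string) match.
# Set DRY_RUN=1 to print the commands instead of executing them.

SSDP_PORT=1900

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Path 1: ebtables on the bridge FORWARD chain. Discovery (M-SEARCH/NOTIFY)
# goes to udp dport 1900; the unicast replies come from udp sport 1900, so
# both directions are needed to silence SSDP between LAN ports.
ebtables_block_ssdp() {
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport "$SSDP_PORT" -j DROP
    run ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport "$SSDP_PORT" -j DROP
}

# Path 2: let bridged frames traverse iptables (br_netfilter) and match them
# in FORWARD. This is the "bridge iptables" option: every bridged frame now
# walks the iptables chains, which is the CPU cost mentioned in the thread.
brnf_block_ssdp() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -I FORWARD -m physdev --physdev-is-bridged -p udp --dport "$SSDP_PORT" -j DROP
    run iptables -I FORWARD -m physdev --physdev-is-bridged -p udp --sport "$SSDP_PORT" -j DROP
}

# Optional narrower variant of path 2: drop only SSDP search requests by
# payload (the string filter from iptables-mod-filter), leaving other
# udp/1900 traffic alone. Payload matching costs more CPU than the port match.
brnf_block_msearch() {
    run iptables -I FORWARD -m physdev --physdev-is-bridged -p udp --dport "$SSDP_PORT" \
        -m string --string "M-SEARCH" --algo bm -j DROP
}

# Neither ebtables nor br_netfilter rules survive a firewall reload on their
# own; call the chosen function from /etc/firewall.user so they are re-added.
case "${1:-}" in
    ebtables) ebtables_block_ssdp ;;
    brnf)     brnf_block_ssdp ;;
    msearch)  brnf_block_msearch ;;
esac
```

Run it with DRY_RUN=1 first (e.g. `DRY_RUN=1 sh ssdp-l2.sh ebtables`) to see what would be added, then without it to apply. The payload match only narrows what the udp/1900 port match already catches, so it is rarely worth the extra cost.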

Ah! That was the talk about level 2 and level 3. Good to know.

SSDP... well, there was a Cloudflare report of it being used for DDoS attacks. For me, it's more about learning to set up my router. I want to be able to block everything. Ugaaaa.

Is it right that only the ports of the first VLAN are allowed to log in to the device with LuCI? It was the case in the example the wiki showed us.


My goal is to make all four ports able to connect to the internet. Do I need to create a bridge interface, or is it right to just stick all the interfaces together in one LAN interface? Unfortunately, with this configuration only the first VLAN (Port 2, my main computer) gets a DHCP address. Could you tell me what I'm doing wrong?

Wait... do you want to block SSDP "around your network", or block SSDP "being used as a DDoS attack"? Do you worry about SSDP inside your network, or going outside your network?


First, I'd like to see how blocking SSDP around my local network can be achieved. Then afterwards I can care about outgoing traffic. That will be another story.

  • Local [broadcast] traffic does not pass a firewall.
  • Additionally, multicast packets usually only have a TTL of 1, meaning a router drops them anyway.
  • Most ISPs are not multicast enabled to other networks.
  • Machines usually have to be running software to listen for/receive multicast traffic.

You'd have to block udp/1900 on all LAN machines.

Can you show this to us?

Why don't you disable/block it on this one computer then?
(e.g. tell Windows Firewall that the PowerDVD EXE cannot use the network... or cannot go to the LAN... or cannot go to the multicast subnet/SSDP IP, etc.)


Sure, here is the link to Cloudflare complaining about the "Stupid Simple DDoS Protocol": https://blog.cloudflare.com/ssdp-100gbps/

I don't want to learn how to configure isolated solutions; I want to be powerful with OpenWRT across different devices (Linux, Windows, old, new). If only it were that easy! But thank you so far, I'm understanding more now!

Ehm... I'm a bit paranoid about my network. It's not so much about PowerDVD now. It could be any other software chatting over the network without asking. Some might not even be configurable! Microsoft systems... well, they have their use cases, but blindly trusting them online, no, 0%. Microsoft opened up the Hosts file so that certain Microsoft servers can't be blocked anymore (since XP)! Maybe type "dnsapi.dll Hosts" into your search engine of choice to find out more about that.

The following is true for OpenWrt by default:

  • UPnPd is not installed.
  • Firewall restricts incoming WAN traffic including 1900/UDP.

Problem solved.

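A way to verify the two defaults listed in the post above on a real box, as an added example that is not from the thread. It parses the output of `uci export firewall` and `opkg list-installed`; the sample inputs below are constructed to mirror OpenWrt 19.07 defaults, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks the two OpenWrt defaults the
# post relies on: the wan zone's input policy and whether miniupnpd is
# installed. The functions read text on stdin so they can be checked offline;
# on the router feed them the real output:
#   uci export firewall  | wan_input_policy
#   opkg list-installed  | upnpd_installed

# Print the 'input' policy of the zone named 'wan' from a 'uci export firewall'
# dump. Prints UNSET if the wan zone has no explicit input option (it then
# falls back to the 'config defaults' policy) and NOZONE if no wan zone exists.
wan_input_policy() {
    awk -v q="'" '
        function flush(    v) {
            if (inzone && name == "wan") {
                v = input; if (v == "") v = "UNSET"
                print v; found = 1
            }
            inzone = 0
        }
        /^config zone/ { flush(); inzone = 1; name = ""; input = ""; next }
        /^config /     { flush(); next }
        inzone && $1 == "option" && $2 == "name"  { gsub(q, "", $3); name = $3 }
        inzone && $1 == "option" && $2 == "input" { gsub(q, "", $3); input = $3 }
        END { flush(); if (!found) print "NOZONE" }
    '
}

# 'opkg list-installed' prints one "name - version" line per package.
upnpd_installed() {
    if grep -q '^miniupnpd - '; then echo yes; else echo no; fi
}

# Constructed sample of 'uci export firewall' on a default 19.07 install.
sample_firewall_export() {
cat <<'EOF'
package firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
}

# Constructed sample of 'opkg list-installed' without the UPnP daemon.
sample_pkgs() {
    printf '%s\n' 'dnsmasq - 2.80-16.1' 'firewall - 2019-11-22-8174814a-2' 'iptables - 1.8.3-1'
}

# 'sh check-defaults.sh live' runs the checks against the real router state.
if [ "${1:-}" = "live" ]; then
    echo "wan input policy: $(uci export firewall | wan_input_policy)"
    echo "miniupnpd installed: $(opkg list-installed | upnpd_installed)"
fi
```

Anything other than REJECT or DROP for the wan input policy, or "yes" for miniupnpd, means the box no longer matches the defaults the post describes and SSDP on udp/1900 may be reachable from the WAN.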

???

Maybe you're confused: OpenWrt cannot block traffic that never passes through it. Since you control the source machine (I assume), you just stop it from producing the traffic. Simple. Also, as already noted, WAN traffic is blocked by default on OpenWrt.

Then you want a military-grade network. In most other use cases, LAN traffic is trusted.

Is this OpenWrt related - or related to your inquiry about blocking SSDP???

I don't understand how this article relates to what you're trying to block.


The one way I could imagine this attack bypassing OpenWrt's firewall is if there's a compromised host on your LAN sending spoofed packets to your LAN and inducing LAN devices to send SSDP responses to an internet host.

You can mitigate this by dropping all UDP traffic from port 1900 headed to the wan zone.

But note, if there's a compromised host on your LAN, it could just flood the uplink with attack packets by itself; there'd be no need to induce other LAN hosts to do so. Therefore this mitigation is only barely relevant.

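The zone rules implied by the earlier "address it as 1900/udp" answer and by this post's mitigation (drop UDP from source port 1900 heading to the wan zone), as an added example that is not from the thread. The rule names, the DRY_RUN switch and the helper are my own; both rules are lan-to-wan forwarding rules, so, as pointed out earlier, they do nothing for LAN-to-LAN traffic.

```shell
#!/bin/sh
# Added example, not from the thread. Adds two firewall-zone rules to
# OpenWrt's /etc/config/firewall via uci. The zone firewall only sees traffic
# that crosses the router, so these cover lan->wan, never LAN-to-LAN:
#   1. NOSSDP_DISCOVERY: drop SSDP searches leaving toward the WAN (udp dport 1900);
#   2. NOSSDP_REPLY:     drop SSDP responses leaving toward the WAN (udp sport 1900),
#      which is what a reflection attack needs to get out.
# Rule names are my choice. Set DRY_RUN=1 to print the uci commands instead.
#
# Resulting stanza for rule 1 (what the thread's first attempt should have
# looked like: proto udp, not 'ssdp', and tied to the lan->wan zones):
#   config rule
#       option name 'NOSSDP_DISCOVERY'
#       option src 'lan'
#       option dest 'wan'
#       option proto 'udp'
#       option dest_port '1900'
#       option target 'DROP'
# family is left unset (= any) so the IPv6 SSDP groups are covered as well.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_ssdp_rule NAME PORT_OPTION   (PORT_OPTION is dest_port or src_port)
add_ssdp_rule() {
    name=$1; portopt=$2
    run uci add firewall rule
    run uci set "firewall.@rule[-1].name=$name"
    run uci set firewall.@rule[-1].src=lan
    run uci set firewall.@rule[-1].dest=wan
    run uci set firewall.@rule[-1].proto=udp
    run uci set "firewall.@rule[-1].$portopt=1900"
    run uci set firewall.@rule[-1].target=DROP
}

block_ssdp_to_wan() {
    add_ssdp_rule NOSSDP_DISCOVERY dest_port
    add_ssdp_rule NOSSDP_REPLY src_port
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# 'DRY_RUN=1 sh ssdp-wan.sh apply' prints the commands; without DRY_RUN it applies them.
case "${1:-}" in
    apply) block_ssdp_to_wan ;;
esac
```

After applying, `iptables -L zone_lan_forward -n | grep 1900` (on a 19.07 box) should show both DROP rules; the OpenWrt default wan zone already rejects unsolicited inbound udp/1900, so nothing is needed in the other direction.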

Actually, when I think about it... the example about SSDP is not that important; it was just an example of some kind of traffic that didn't get blocked by the firewall (because it is LAN-to-LAN traffic). Thank you, you've helped me to understand firewalls better!
