PLease help, going crazy! IP 239.255.255.250 over and over

A little more info, but the thing to remember and pay attention to is that this is a local network protocol querying and accepting internal responces (that was its intended purpose anyway)

Technical description for port 1900:


The Microsoft SSDP service is officially registered with IANA as the protocol running on the network port 1900. This service is essentially associated with the automatic enabling of the discovery feature related with plug and play devices. This computer port is used to transmit data to identify the connection of UPnP capable devices to the system or network.
The SSDP (Simple Service Discovery Protocol) identified with the system port 1900 is basically an expired Internet draft undertaken by Hewlett-Packard and Microsoft Corporation. This discovery protocol provides for the mechanism that allows network clients to discover various available network services. The SSDP can be deployed with very little or no static configuration at all.
The SSDP service uses the port 1900 for the delivery of UDP multicast and unicast packets for the advertisement of its services.
The multicast address utilized by this protocol is supported by both the IPv4 and IPv6 technologies.

Services or applications using this port:
SSDP for UPnP (Universal Plug & Play) , Windows Alerter

Technical description for port 3702:

The prevailing protocol that is identified with the communication port 3702 is the WS-Discovery (Web Services Dynamic Discovery) which by default is utilized by an assortment of Microsoft Windows Vista Operating System components. This protocol represents a technical specification used in defining multicast discovery related protocols for locating services residing on local networks.
The protocol associated with the system port 3702 was developed through the collaboration of WebMethods, Microsoft, Intel, Canon and BEA Systems. This service allows the execution of actual communication among nodes which is accomplished via standard Web services. The most notable implementation of this protocol is in relation with Simple Object Access Protocol (SOAP).
The network 3702 protocol is based on the WCF multicast protocol to allow runtime discovery of computer services in the context of ad hoc computer networks.
This service provides the ability to discover addresses related to Web services on runtime. This protocol supports libraries on both the server and the client side.

Services or applications using this port:
Web Service Discovery (UPnP v2 Discovery)

Feel any safer?

Let me know what you think!

Sincerely,
Mike



BTW there are three posts to read (the first is re the svcs) a quickie, then a discription of your situation, and finally some reference material to back me up (located after the fact)

rubyrubyroo said:

the ports you mentioned are UDP UPNP ports - which means there's some process(es) on your system which are most likely not malicious, although I cant know for sure. But they are transmitting a message query intended for local network devices upnp's (such as a server, a printer, fax, etc) using the ip's you mentioned such as 239.255.255.250 and so on, so your computer detects this process trying to tx and stops it before it has a chance to get to your network, where you probably either no longer have the upnp's it's trying to reach, or it is just an artifact of unknown numerical origin! as for the SOC...1st off if you are as paranoid as you sound (to my trained ears/eyes) you sound like there might be a reason to be worried, no need to share, but it would tend to place more significance on the name. I suspect the IP that was intended to be used for entirely different purposes (like i said..local network com.) so the address would have a normal connection in the "Internet world" so it's probably in your DNS cache which you should flush, your hosts file which should be checked and kept up to date by your choice of methods (you sound like you can handle it, but I can get you some links to software and help you create a executable batch file that will automate much of the process. But I would stop, disable those two services and block the two ports as they are not necessary. No one is trying to find you or anything, for one because it would be such a crude and 95% failure rate prone, they would use a much more sophisticated method to hunt their prey. If the hosts and flushing do not stop the name, then the ip may simply belong to the SOC just like the other on I mentioned was a "sterile" or non transmitting/non receiving ip from IANA.

Sincerely,
:)Mike

Thank you. Out of all the people Ive been asking, this is by far the most informative response Ive gotten. But if you wouldnt mind helping me, Id be very greatful, as Im not as comp savvy as you are. I think I may have already disabled upnp, and ssdp.

So:
How do I close those ports 1900 and 3702? Also, if I close them, will it mess up my internet connection?

How do I flush my DNS Cache?

Also, a few weeks ago we had a major power outage in our area for 10 days. When the internet came back, I was assigned a new IP. It wasnt until a week or two after that did I see the SOC show up. Could that have anything to do with it? Ive been checking my PB everyday for the past year and have never seen it before. Why would I see this now? Can authorities use multicasting to snoop on you?

Thanks again. Looking forward to your reply.

rubyrubyroo said:

A little more info, but the thing to remember and pay attention to is that this is a local network protocol querying and accepting internal responces (that was its intended purpose anyway)

Technical description for port 1900:


The Microsoft SSDP service is officially registered with IANA as the protocol running on the network port 1900. This service is essentially associated with the automatic enabling of the discovery feature related with plug and play devices. This computer port is used to transmit data to identify the connection of UPnP capable devices to the system or network.
The SSDP (Simple Service Discovery Protocol) identified with the system port 1900 is basically an expired Internet draft undertaken by Hewlett-Packard and Microsoft Corporation. This discovery protocol provides for the mechanism that allows network clients to discover various available network services. The SSDP can be deployed with very little or no static configuration at all.
The SSDP service uses the port 1900 for the delivery of UDP multicast and unicast packets for the advertisement of its services.
The multicast address utilized by this protocol is supported by both the IPv4 and IPv6 technologies.

Services or applications using this port:
SSDP for UPnP (Universal Plug & Play) , Windows Alerter

Technical description for port 3702:

The prevailing protocol that is identified with the communication port 3702 is the WS-Discovery (Web Services Dynamic Discovery) which by default is utilized by an assortment of Microsoft Windows Vista Operating System components. This protocol represents a technical specification used in defining multicast discovery related protocols for locating services residing on local networks.
The protocol associated with the system port 3702 was developed through the collaboration of WebMethods, Microsoft, Intel, Canon and BEA Systems. This service allows the execution of actual communication among nodes which is accomplished via standard Web services. The most notable implementation of this protocol is in relation with Simple Object Access Protocol (SOAP).
The network 3702 protocol is based on the WCF multicast protocol to allow runtime discovery of computer services in the context of ad hoc computer networks.
This service provides the ability to discover addresses related to Web services on runtime. This protocol supports libraries on both the server and the client side.

Services or applications using this port:
Web Service Discovery (UPnP v2 Discovery)

Feel any safer?

Let me know what you think!

Sincerely,
Mike



BTW there are three posts to read (the first is re the svcs) a quickie, then a discription of your situation, and finally some reference material to back me up (located after the fact)

Kind of...lol
Feel free to make fun of me, but I suffer from bad anxiety, so yes...I am paranoid...and usually its for nothing.

Frank,

Ive been up for 48+hours so I appologize, for any incoherant communication, etc. I just fell out for a good hour or so and am awake again:) So bear w/me a little bit, please!

A you have a lot of very good questions and observations! And I mentioned before I could palpate the subtle anxiety in most of your post(s), and I try to choose my words carefully, as not to alarm you without proper cause. I'll try my best to answer your questions.

first maybe as I am typing slower than normal, maybe you could enlighten me on why you are worried, as you offered. If you prefer to be less public with any info, your welcome to PM me instead of posting live. either way it's fine if our messages cross out of order. okay?

Mike

oh, one last thing what exactly do you have in your home peer network how many computers, any printers and how do they connect to the network, as well as anthing else, and i assume your using a common brand router withpretty much standard defalut settings...

this might help a bit

actually the last entry in the log you posted is being sent by your computer by use of the reserved broadcast address 192.168.1.255 , which is always the last address available in a subnet. (assuming the subnet mask is 255.255.255.0). This can be used to speak to other devices looking for a particular "receiver" on the home network to respond to its request. but I'd rather not drag this out with assumptions, so Ill wait for a response from you before answering your Questions, as they could help me possibly see an obvious answer.

As i believe you have already disabled netBIOS on your computer, I will be back when you get a chance to reply with info. I won't forget to answer your previous questions though.

Sincerely
Mike

rubyrubyroo said:

Frank,

Ive been up for 48+hours so I appologize, for any incoherant communication, etc. I just fell out for a good hour or so and am awake again:) So bear w/me a little bit, please!

A you have a lot of very good questions and observations! And I mentioned before I could palpate the subtle anxiety in most of your post(s), and I try to choose my words carefully, as not to alarm you without proper cause. I'll try my best to answer your questions.

first maybe as I am typing slower than normal, maybe you could enlighten me on why you are worried, as you offered. If you prefer to be less public with any info, your welcome to PM me instead of posting live. either way it's fine if our messages cross out of order. okay?

Mike

Well in a nutshell, I had a roommate living with me for a little over a year. Someone who I though was a "friend" until he stopped paying rent and I found him with drugs in my home. Anyway, he was a very shady person, and he would spend countless hours online doing what I dont know. But I do know the internet has always been in my name, so needless to say, it worries me. I know for a fact he would use torrents for movies and such, but as far as I know, it all occured on his personal computer. But I dont know since he would be here when I wasnt and could access my comp all though I never saw any evidence of it.

rubyrubyroo said:

oh, one last thing what exactly do you have in your home peer network how many computers, any printers and how do they connect to the network, as well as anthing else, and i assume your using a common brand router withpretty much standard defalut settings...

this might help a bit

My cable, phone, and internet all run through the same modem. But I have two computers that connect wirelessly to the router and an ipod touch which has wireless internet access. Im using s Linksys WRT54GL router. Im pretty sure the settings are default, but I did disable UPnP.

rubyrubyroo said:

actually the last entry in the log you posted is being sent by your computer by use of the reserved broadcast address 192.168.1.255 , which is always the last address available in a subnet. (assuming the subnet mask is 255.255.255.0). This can be used to speak to other devices looking for a particular "receiver" on the home network to respond to its request. but I'd rather not drag this out with assumptions, so Ill wait for a response from you before answering your Questions, as they could help me possibly see an obvious answer.

As i believe you have already disabled netBIOS on your computer, I will be back when you get a chance to reply with info. I won't forget to answer your previous questions though.

Sincerely
Mike

My subnet mask does say 255.255.255.0 on my router. But what do you mean by "reverse broadcast"?! Im pretty sure I have disbaled netBIOS, but can you reiterate so I can be positive?

For the life of me, I cant figure out why it says SOC. Thats whats truly bothering me. Should I be?

PLease help me get some sleep