Re: UDP port 1345 (VPJP ??)

[MadHat <madhat () UNSPECIFIC COM>]

Bill Royds wrote:
> IP numbers from 224.x.x.x and above are multicast addresses. They should
> normally be blocked from routing outside your local network. Check that someone
> is not listening to broadcast video/music.

multicast is 224.0.0.0 - 239.255.255.255

unfortunatley most streaming media servers will use random ports after
the initial connection, but the initial connection will be a static port
(but not to a multicast address).  Check your logs for a TCP connection
to 554 (real 5/pnm), 7070(real G2/rtsp), or 1755(windows Media).

Streaming media is often confused by firewalls and IDSs as floods or
attacks as well, since the initial request is sent via TCP, but the
stream will come back on UDP and usually in great numbers depending on
the encoding bit rate.

AFAIK, the multicast address has to be used in conjunction with a "real"
address of the server, and all routers between the client and the server
has to support multicast, or a multicast or gre tunnel has to exist to
bypass (in a sence) the non multicast routers.

The list of people who activitly support multicast can be found at
http://www.ipmulticast.com/isplist.htm


> Jacco Braat <Jacco.Braat () START NL> on 11/02/2000 12:15:25
>
> Please respond to Jacco Braat <Jacco.Braat () START NL>
>
>  To:      INCIDENTS () SECURITYFOCUS COM
>
>  cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
>
>  Subject: UDP port 1345 (VPJP ??)
>
> Hi,
>
> I have traffic from inside my network (mutltiple stations) to outside
> (229.55.150.208) UDP port 1345.
> In every list i look this is called VPJP.
> Does anyone know what this is?

--
MadHat at unspecific.com
                                   "The 3 great virtues of a programmer:
                                      Laziness, Impatience, and Hubris."
                                                 --Larry Wall