Can anyone tell me the reason as to why Windows applications have to send data through Multicast 224.0.0.1...

So I have DNS Client, IGMP, and UPnP all disabled in Windows 8, yet Windows applications such as Chrome, GoogleUpdate, and the Windows Activation executable still try so hard to send outbound UDP frames to 224.0.0.1, even though I just connected a modem with no Internet connection and no other device connected to it.

To me, these applications sending this multicast traffic is like saying to the multicast group "Hey I'm using Google Chrome", "Hey I'm about to update my Google Chrome", "Hey my Windows is not yet activated". From a security point of view, this is bad, real bad. Why in the world would these things have to send multicast traffic if you haven't even told them to do so for a specific purpose?

With this in mind, I would like to kindly ask if anyone out there actually knows for what purpose this design was implemented and why apps like the ones I mentioned above would need to perform multicast communications.

  • Do you have a sample of the specific UDP traffic that you're talking about, and can you attach it to the question somehow?
    – grawity
    Nov 27 at 5:50

  • Sadly, I don't have a sample with me right now, and I was able to find out about all of these through logs created by Norton firewall.
    – Mystes
    Nov 27 at 6:18

  • The traffic, however, is generated within a split second of detecting a change in network adapter due to connecting my modem to it. I suppose I'll get Wireshark and get a packet capture uploaded.
    – Mystes
    Nov 27 at 6:20

  • My first guess is some form of network identification. 224.0.0.1 is the multicast address for all nodes in the local multicast domain (essentially, everything you can reach through symmetric (not NAT) routing).
    – Austin Hemmelgarn
    Nov 27 at 20:45

networking windows-8 google-chrome multicast

asked Nov 27 at 3:26
Mystes
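As an added example (not from the question or any answer), here is a Python triage helper over constructed firewall-style log lines: it classifies each destination by multicast scope (224.0.0.1 lies in the link-local 224.0.0.0/24 block that routers never forward off the local link, which is the "local multicast domain" Austin Hemmelgarn describes), attributes each send to a process, and flags the sends that fire within a few seconds of an adapter-up event, the pattern Mystes reports. The log format, the ADAPTER_UP record and the process names are assumptions, since the Norton log format is not shown in the question.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log (not a real Norton export; the format is assumed).
# Fields: ISO timestamp, source process, record kind, destination address.
# "activation.exe" is a placeholder for the Windows Activation executable.
SAMPLE_LOG = """\
2018-11-27T03:25:58 system ADAPTER_UP Ethernet2
2018-11-27T03:25:58 chrome.exe UDP 224.0.0.1
2018-11-27T03:25:58 GoogleUpdate.exe UDP 224.0.0.1
2018-11-27T03:25:59 activation.exe UDP 224.0.0.1
2018-11-27T03:26:40 chrome.exe UDP 239.255.255.250
2018-11-27T03:30:00 svchost.exe UDP 8.8.8.8
"""

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never forwarded by routers
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # organisation-local scope


def multicast_scope(dst: str) -> str:
    """Classify a destination: 'unicast', 'link-local', 'admin-scoped' or 'multicast'."""
    ip = ipaddress.ip_address(dst)
    if not ip.is_multicast:
        return "unicast"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ADMIN_SCOPED:
        return "admin-scoped"
    return "multicast"


def parse_log(text: str) -> list:
    """Parse whitespace-separated records (assumed format) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, kind, dst = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                        "kind": kind, "dst": dst})
    return records


def triage(records: list, window: timedelta = timedelta(seconds=5)) -> dict:
    """Attribute multicast sends to processes and tie them to adapter-up events.

    'flagged' maps process -> [(dst, scope, seconds_after_adapter_up)] for sends
    within `window` of an ADAPTER_UP record; 'other_multicast' lists the rest.
    """
    adapter_ups = [r["ts"] for r in records if r["kind"] == "ADAPTER_UP"]
    flagged, other = {}, []
    for r in records:
        if r["kind"] == "ADAPTER_UP":
            continue
        scope = multicast_scope(r["dst"])
        if scope == "unicast":
            continue
        # Seconds since each adapter-up event that precedes this send within the window.
        deltas = [(r["ts"] - t).total_seconds() for t in adapter_ups
                  if timedelta(0) <= r["ts"] - t <= window]
        if deltas:
            flagged.setdefault(r["proc"], []).append((r["dst"], scope, min(deltas)))
        else:
            other.append((r["proc"], r["dst"], scope))
    return {"flagged": flagged, "other_multicast": other}
```

Run `triage(parse_log(SAMPLE_LOG))` to see the three processes that sent to 224.0.0.1 within a second of the adapter coming up, separated from the later SSDP-style send that is not tied to the event.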

1 Answer

I have confirmed that this was malicious traffic, as not all of those apps should be sending outbound multicast traffic.

  • Can you share what you found?
    – Stese
    yesterday

  • I don't have specifics on what infected my PC, but it definitely starts as soon as I connect one of my network devices, and it only happens with this device while it doesn't with the others. Did this on a Windows setup with multicast, IGMP, UPnP fully disabled in regedit, gpedit, network adapter settings; basically everywhere possible, yet it's ignored as soon as I connect this device. So I suspect the device has already been pwned.
    – Mystes
    yesterday

  • Malwarebytes antimalware to the rescue! :)
    – Stese
    yesterday

answered yesterday
Mystes