Can anyone tell me the reason as to why Windows applications have to send data through Multicast 224.0.0.1...
So I have DNS Client, IGMP, and UPnP all disabled in Windows 8, yet Windows applications such as Chrome, GoogleUpdate, and the Windows Activation executable still try so hard to send outbound UDP frames to 224.0.0.1, even though I just connected a modem with no Internet connection and no other device connected to it.
To me, these applications sending this multicast traffic is like saying to the multicast group "Hey I'm using Google Chrome", "Hey I'm about to update my Google Chrome", "Hey my Windows is not yet activated". From a security point of view, this is bad, real bad. Like why in the world would these things have to send multicast traffic if you haven't even told them to do so for a specific purpose?
With this in mind, I would like to kindly ask if anyone out there actually knows for what purpose this design was implemented and for what purpose apps like the ones I mentioned above would need to perform multicast communications.
networking windows-8 google-chrome multicast
Do you have a sample of the specific UDP traffic that you're talking about, and can you attach it to the question somehow?
– grawity
Nov 27 at 5:50
Sadly I don't have a sample with me right now, and I was able to find out about all of these through logs created by Norton firewall.
– Mystes
Nov 27 at 6:18
The traffic, however, is generated within a split second of detecting a change in the network adapter due to connecting my modem to it. I suppose I'll get Wireshark and get a packet capture uploaded.
– Mystes
Nov 27 at 6:20
My first guess is some form of network identification. 224.0.0.1 is the multicast address for all nodes in the local multicast domain (essentially, everything you can reach through symmetric (not NAT) routing).
– Austin Hemmelgarn
Nov 27 at 20:45
asked Nov 27 at 3:26
Mystes
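As an added example, not code from the question or any answer, here is a small Python triage script for the kind of log the comments describe: it parses constructed firewall-style lines in an assumed layout, keeps only outbound flows to the IPv4 multicast range 224.0.0.0/4, and marks which processes hit the all-hosts group 224.0.0.1 within one second of an adapter-change event, the timing Mystes reports. The log layout, the process names and the event line are assumptions; a real Norton or Wireshark export needs its own parser.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp process proto src -> dst dir"
# layout; a real Norton or Wireshark export needs its own regex.
SAMPLE_LOG = """\
2018-11-27 03:25:59.900 EVENT adapter_connected
2018-11-27 03:26:00.120 chrome.exe UDP 192.168.1.5:49152 -> 224.0.0.1:49152 OUT
2018-11-27 03:26:00.150 GoogleUpdate.exe UDP 192.168.1.5:49153 -> 224.0.0.1:49152 OUT
2018-11-27 03:26:00.200 WindowsActivation.exe UDP 192.168.1.5:49154 -> 224.0.0.1:49152 OUT
2018-11-27 03:26:05.000 svchost.exe UDP 192.168.1.5:5353 -> 224.0.0.251:5353 OUT
2018-11-27 03:26:07.000 chrome.exe UDP 192.168.1.5:52000 -> 8.8.8.8:53 OUT
"""
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")  # every IPv4 multicast group
ALL_HOSTS = ipaddress.ip_address("224.0.0.1")       # all-hosts group from the question
FLOW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<proto>UDP|TCP) "
                     r"[\d.]+:\d+ -> (?P<dst>[\d.]+):\d+ (?P<dir>IN|OUT)$")
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) EVENT (?P<name>\S+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

def triage(log_text, window=timedelta(seconds=1)):
    """One record per outbound IPv4 multicast flow, noting whether it fired within
    `window` of the latest adapter_connected event (the timing reported above)."""
    last_change, findings = None, []
    for line in log_text.splitlines():
        ev = EVENT_RE.match(line)
        if ev and ev.group("name") == "adapter_connected":
            last_change = datetime.strptime(ev.group("ts"), TS_FMT)
            continue
        m = FLOW_RE.match(line)
        if not m or m.group("dir") != "OUT":
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if dst not in MULTICAST_V4:
            continue  # unicast traffic is out of scope for this hunt
        delta = None if last_change is None else datetime.strptime(m.group("ts"), TS_FMT) - last_change
        findings.append({
            "process": m.group("proc"),
            "dst": str(dst),
            "all_hosts": dst == ALL_HOSTS,
            "after_adapter_change": delta is not None and timedelta(0) <= delta <= window,
        })
    return findings

def suspicious_processes(log_text):
    """Processes that hit 224.0.0.1 right after an adapter change: the pattern reported."""
    return sorted({f["process"] for f in triage(log_text)
                   if f["all_hosts"] and f["after_adapter_change"]})
```

On the constructed lines, suspicious_processes(SAMPLE_LOG) returns the three executables that fired right after the adapter change, while the later flow to the mDNS group 224.0.0.251 is listed by triage() but not flagged.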
1 Answer
I have confirmed that this was malicious traffic, as not all of those apps should be sending outbound multicast traffic.
Can you share what it was that you found?
– Stese
yesterday
I don't have specifics on what infected my PC, but it definitely starts as soon as I connect one of my network devices, and it only happens with this device, not with the others. I did this on a Windows setup with multicast, IGMP, and UPnP fully disabled in regedit, gpedit, and the network adapter settings; basically everywhere possible, yet it's ignored as soon as I connect this device. So I suspect the device has already been pwned.
– Mystes
yesterday
Malwarebytes antimalware to the rescue! :)
– Stese
yesterday
answered yesterday
Mystes