$this = (new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


A curious UDAP packet from DirecTV hardware

Posted December 05, 2017 by shaun

Today I spotted an entry in the firewall log that's sent me down a bit of a rabbit hole. I default-deny traffic between my different network segments, and I filter most of the mundane stuff before it's logged, so this caught my eye:

Deny UDP 169.254.5.108:17784 255.255.255.255:17784 in via dc1

Apparently port 17784 is the default port for the Universal Discovery & Access Protocol, or UDAP, a network protocol so obscure it doesn't even have a Wikipedia page. UDAP seems to be spoken mostly by LG smart TVs (UDAP originated at LG, as far as I can tell) and by a now-defunct home audio streaming product called a SqueezeBox. I don't own any of this equipment, so naturally I was curious what device the packet came from.

After running tcpdump for a couple of minutes, I came up with enough multicast packets from 169.254.5.108 to at least figure out the source of the traffic. This standard UPNP packet broadcast to port 1900 gives it away:

17:35:57.639091 18:16:c9:aa:bb:cc > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 392:
 (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 378)
    169.254.5.108.49152 > 239.255.255.250.1900: [udp sum ok] UDP, length 350
        0x0000:  4500 017a 0000 4000 0411 d60e a9fe 056c  E..z..@........l
        0x0010:  efff fffa c000 076c 0166 91b0 4e4f 5449  .......l.f..NOTI
        0x0020:  4659 202a 2048 5454 502f 312e 310d 0a48  FY.*.HTTP/1.1..H
        0x0030:  6f73 743a 2032 3339 2e32 3535 2e32 3535  ost:.239.255.255
        0x0040:  2e32 3530 3a31 3930 300d 0a43 6163 6865  .250:1900..Cache
        0x0050:  2d43 6f6e 7472 6f6c 3a20 6d61 782d 6167  -Control:.max-ag
        0x0060:  653d 3138 3030 0d0a 4c6f 6361 7469 6f6e  e=1800..Location
        0x0070:  3a20 6874 7470 3a2f 2f31 3639 2e32 3534  :.http://169.254
        0x0080:  2e35 2e31 3038 3a34 3931 3532 2f30 2f64  .5.108:49152/0/d
        0x0090:  6573 6372 6970 7469 6f6e 2e78 6d6c 0d0a  escription.xml..
        0x00a0:  4e54 3a20 7572 6e3a 7363 6865 6d61 732d  NT:.urn:schemas-
        0x00b0:  7570 6e70 2d6f 7267 3a73 6572 7669 6365  upnp-org:service
        0x00c0:  3a4f 5344 5365 7276 6963 653a 310d 0a4e  :OSDService:1..N
        0x00d0:  5453 3a20 7373 6470 3a61 6c69 7665 0d0a  TS:.ssdp:alive..
        0x00e0:  5365 7276 6572 3a20 4c69 6e75 782f 332e  Server:.Linux/3.
        0x00f0:  332e 382d 332e 302c 2055 506e 502f 312e  3.8-3.0,.UPnP/1.
        0x0100:  3020 4449 5245 4354 5620 4a48 5550 6e50  0.DIRECTV.JHUPnP
        0x0110:  2f31 2e30 0d0a 5553 4e3a 2075 7569 643a  /1.0..USN:.uuid:
        0x0120:  4449 5245 4354 5632 5043 2d4d 6564 6961  DIRECTV2PC-Media
        0x0130:  2d53 6572 7665 7231 5f30 2d52 4944 2d30  -Server1_0-RID-0
        0x0140:  3233 3235 3836 3136 3632 343a 3a75 726e  23258616624::urn
        0x0150:  3a73 6368 656d 6173 2d75 706e 702d 6f72  :schemas-upnp-or
        0x0160:  673a 7365 7276 6963 653a 4f53 4453 6572  g:service:OSDSer
        0x0170:  7669 6365 3a31 0d0a 0d0a                 vice:1....

It's one of my DirecTV boxes, which I've hooked up to the network to watch on-demand programming. I assume the OSDService it advertises over UPNP is an On Screen Display with some API into the channel listing. But I've had DirecTV for some time, and grepping the firewall log archives didn't give any other hits for port 17784, so this looks like new behavior. I set up another capture but haven't yet caught a subsequent UDAP packet to inspect its contents.
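As an added example (not code from the original post), here is a small Python decoder that rebuilds the packet above from its hex dump, walks the IPv4 and UDP headers, and pulls out the SSDP fields that identify the sender. It assumes the dump is copied as-is with the offset and ASCII columns stripped; the function and variable names are my own.

```python
import struct

# Raw bytes of the SSDP NOTIFY packet from the tcpdump output above, with the
# offset and ASCII columns dropped (16 hex words per line instead of 8).
PACKET_HEX = """
4500 017a 0000 4000 0411 d60e a9fe 056c efff fffa c000 076c 0166 91b0 4e4f 5449
4659 202a 2048 5454 502f 312e 310d 0a48 6f73 743a 2032 3339 2e32 3535 2e32 3535
2e32 3530 3a31 3930 300d 0a43 6163 6865 2d43 6f6e 7472 6f6c 3a20 6d61 782d 6167
653d 3138 3030 0d0a 4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f 2f31 3639 2e32 3534
2e35 2e31 3038 3a34 3931 3532 2f30 2f64 6573 6372 6970 7469 6f6e 2e78 6d6c 0d0a
4e54 3a20 7572 6e3a 7363 6865 6d61 732d 7570 6e70 2d6f 7267 3a73 6572 7669 6365
3a4f 5344 5365 7276 6963 653a 310d 0a4e 5453 3a20 7373 6470 3a61 6c69 7665 0d0a
5365 7276 6572 3a20 4c69 6e75 782f 332e 332e 382d 332e 302c 2055 506e 502f 312e
3020 4449 5245 4354 5620 4a48 5550 6e50 2f31 2e30 0d0a 5553 4e3a 2075 7569 643a
4449 5245 4354 5632 5043 2d4d 6564 6961 2d53 6572 7665 7231 5f30 2d52 4944 2d30
3233 3235 3836 3136 3632 343a 3a75 726e 3a73 6368 656d 6173 2d75 706e 702d 6f72
673a 7365 7276 6963 653a 4f53 4453 6572 7669 6365 3a31 0d0a 0d0a
"""

def parse_ssdp_packet(raw):
    """Walk IPv4 -> UDP -> SSDP and return endpoints, request line and headers."""
    assert raw[0] >> 4 == 4 and raw[9] == 17, "expected an IPv4/UDP datagram"
    ihl = (raw[0] & 0x0F) * 4                   # IPv4 header length in bytes
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    payload = raw[ihl + 8:ihl + ulen]           # skip the 8-byte UDP header
    lines = payload.decode("ascii", "replace").split("\r\n")
    headers = {}
    for field in lines[1:]:                     # lines[0] is "NOTIFY * HTTP/1.1"
        if not field:                           # blank line ends the header block
            break
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "start": lines[0], "headers": headers}

def identify_ssdp_source(dump_hex=PACKET_HEX):
    """Decode a hex dump and pull out the fields that name the advertising device."""
    info = parse_ssdp_packet(bytes.fromhex("".join(dump_hex.split())))
    h = info["headers"]
    return {"sender": f"{info['src']}:{info['sport']}", "server": h.get("server"),
            "usn": h.get("usn"), "service": h.get("nt"),
            "description": h.get("location")}

if __name__ == "__main__":
    for key, value in identify_ssdp_source().items():
        print(f"{key:12} {value}")
```

The Server header is what gives the vendor away; the Location header is the description document a UPnP control point would fetch next, which is worth knowing when deciding whether such a device belongs on a segment at all.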

And now item n + 1 on my Stuff To Do Someday list is to explore the DirecTV device and figure out how to talk to it. For my own reference, someone appears to be playing with UDAP in Python at gutomaia/lgudap and there's a Perl module at robinbowes/net-udap.
