Microsoft Windows XP, Linksys DSL Routers, Universal Plug and Play, RIP, and the "Internet Gateway Device Discovery and Control Client"

Avoid unnecessary complexities when using Windows XP with certain gateway devices

Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu

The observation that there seemed to be an awful lot of network activity on a quiescent home network connection at an acquaintance’s home lead me to notice something rather interesting (in a horrifying sort of way) about Windows XP when used in conjunction with certain Linksys DSL routers.

As you may already know, "Universal Plug and Play" (UPnP) permits your PC to recognize and manage standalone external devices.

Microsoft’s enthusiastic overview of UPnP is available online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/evaluate/upnpxp.asp After reading it, you may be convinced that UPnP is the best thing to come along since sliced bread. But as we’ve previously mentioned, UPnP has some grave issues. For example, in the Winter 2002 issue of Computing News, we provided a heads-up about serious UPnP security issues (http://cc.uoregon.edu/cnews/winter2002/xp_hole.html), and included a pointer to a patch for that vulnerability. A more general discussion of UPnP vulnerabilities is also available at Steve Gibson’s excellent web site at http://grc.com/unpnp/unpnp.htm

Today, however, we’d like to alert you to one specific example of how running UPnP on your PC can lead to unintended, unnecessary, and undesirable network behavior. You need to be concerned about this if you happen to have the following setup:

• a Windows XP, with UPnP enabled (as it is out of the box)

• a Linksys BEFSR41 DSL router (this is Linksys’s popular combination firewall/4 port ethernet switch) with a relatively current firmware revision with UPnP Service enabled, and

• you use the Windows XP Network Configuration Wizard to set up your network connection

If you have this setup and use the Configuration Wizard (as many folks will), then Windows XP will try to "help" you by configuring your PC to talk to your DSL router via the Internet Gateway Device Discovery and Control Client, Internet Connection Sharing (ICS) and UPnP. See, for example:

• http://www.microsoft.com/windowsxp/home/using/productdoc/en/hnw_dc_understanding.asp
• http://www.smallnetbuilder.com/Sections-article21-page7.php

In most cases, having XP talk to your DSL router via ICS and UPnP is both completely unnecessary and highly inappropriate.

The DSL router should handle "connection sharing" at the hardware level (it does include a four-port integrated ethernet switch after all!), and the PC should need to do nothing more than shovel packets out its network interface card directly to the DSL router—no additional network shim need be in the path.

This problem is exacerbated when you throw the Windows XP RIP Listener service into the mix. RIP is a primitive and chatty routing protocol that is completely unnecessary for a typical simple home network consisting of a few PCs simply connected to a single shared DSL line via a Linksys DSL router/switch.

Are you an XP user with a DSL router? Worried that you might be configured this way? If you’re not sure of your configuration, you can check it by following the steps outlined below. (As always, before making any changes to your system, make sure you have a good backup in case you run into problems and want to back those changes out.)

1. Go to Start—> Settings-—> Control Panel—> Add or Remove Programs, then click on Add/Remove Windows Components in the left-hand column. When the Windows Components window comes up, scroll down and click on the Network Services line, then click Details.
2. Do you see Internet Gateway Device Discovery and Control Client selected? If so, clear that check box.
3. Do you see RIP Listener selected? If so, clear that check box.
4. Do you see Simple TCP/IP Services selected? If so, clear that check box.
5. Do you see Universal Plug and Play selected? If so, clear that check box.
6. Click Next, as needed, to get to Finish (you’ll need to reboot if you’ve made any changes).

You may also want to ensure that the SSDP Discovery Service and the Universal Plug and Play Device Host are stopped and disabled in Services. To do so, go to Start—> Settings—> Control Panel. Double-click Administrative Tools, then double-click Services and scroll down until you can double-click on SSDP Discovery Service. Make sure it is listed as Startup type: Disabled and Service Status: Stop. Repeat this process for the Universal Plug and Play Device Host service.

As you install service packs or hot fixes to your system, you may want to check to make sure that these changes don’t get inadvertently reversed during the patching process.After you’ve cleaned up your PC, you should check your Linksys DSL router’s configuration to ensure that Universal Plug and Play is also disabled there.The easiest way to do this is via a web browser running on a networked PC connecting through your Linksys DSL router. From that PC, open Internet Explorer or Mozilla, and then go to the address http://192.168.1.1 (this is a "private network address" which will only be available to systems connecting from behind your DSL router).

The router’s UPnP’s setting is located on the Password tab (for more information on this, see page 54 of the BEFSR11 user’s guide, available at ftp://ftp.linksys.com/pdf/befsr11_befsr41ug.pdf ).

While use of a DSL router that does NAT (such as the Linksys* DSL router mentioned in this article) eliminates many external attacks that may target your PC, it’s still probably a good idea to also use a bidirectionally functional software firewall product such as ZoneAlarm on your home PC, too (see http://www.zonelabs.com/store/content/home.jsp).

*Cisco Systems recently purchased Linksys. See details at http://news.zdnet.co.uk/story/0,,t269-s2132250,00.html