New Member
Posts: 7
Registered: ‎05-07-2018

Does the UBNT Discovery Protocol face the internet?

I enabled the UBNT Discovery protocol and it will accept requests from the internet (0.0.0.0/0), but when I checked the IP address on shodan.io it only showed the other services I have open to the internet. I have checked shodan.io before and it can scan for the UBNT Discovery protocol. Any suggestions?

Veteran Member
Posts: 7,822
Registered: ‎03-24-2016
Kudos: 2037
Solutions: 899

Re: Does the UBNT Discovery Protocol face the internet?

AFAIK, discovery is a broadcast-based protocol, which isn't passed by internet routers.

Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?

You can disable discovery on a per-interface basis (which you should do for WAN interfaces), but you also probably want to be using a "local" firewall rule set to block management access to the router from the WAN side as well.

New Member
Posts: 7
Registered: ‎05-07-2018

Re: Does the UBNT Discovery Protocol face the internet?

Sorry if I wasn't clear. I'm not asking how to disable the UBNT Discovery protocol. I'm asking why the protocol is not being detected on shodan.io when I enter the router's public IP address.

Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?

[ Edited ]

@Linux512 wrote:

Sorry if I wasn't clear. I'm not asking how to disable the UBNT Discovery protocol. I'm asking why the protocol is not being detected on shodan.io when I enter the router's public IP address.


I just did a bit of experimenting; it looks like it only responds if the source IP address is on the same subnet. That said, even if it didn't have this check, chances are the tool you're using to scan isn't going to send the right magic to the port to receive a response.

Still worth firewalling though (with a default deny to protect any other services running on the router too) to protect the router in case any vulnerabilities are ever found in that service, etc.

echo -n "\x01\x00\x00\x00" | nc -uw1 192.168.1.1 10001 | hexdump -C

If you want to play, that is the magic needed to elicit a response, where 192.168.1.1 is the IP of the router. Note the built-in version of nc on EdgeOS (the busybox version) doesn't support the -u flag for UDP, so it won't work.

Also, it looks like what I said earlier was slightly wrong. The per-interface disabling is for when you run "show ubnt discover", not for the server. You can only disable the entire server, or use the firewall if you want to block only from a specific interface.

New Member
Posts: 7
Registered: ‎05-07-2018

Re: Does the UBNT Discovery Protocol face the internet?

[ Edited ]

If it only responds to requests from IP addresses on the same subnet, then why are devices responding to shodan.io's requests? Go sign up for an account and take a look. https://www.shodan.io/search?query=Ubiquiti+country%3A%22US%22+port%3A%2210001%22

Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?

Ah, I follow now. I only tested with EdgeOS. Perhaps AirOS behaves differently. I notice the devices you've got listed there are all AirOS, go figure.

Veteran Member
Posts: 7,822
Registered: ‎03-24-2016
Kudos: 2037
Solutions: 899

Re: Does the UBNT Discovery Protocol face the internet?

Even on a LAN, the ER probably won't respond to UDP 10001 packets.

Received packets just add devices to the "my neighbors" list, but remain unanswered.

The ER itself also sends out its own discoveries; these packets are unrelated to received packets.

At least, that's how LLDP and CDP sort of work.

New Member
Posts: 7
Registered: ‎05-07-2018

Re: Does the UBNT Discovery Protocol face the internet?

I ran the following command but I didn't get any reply. Looking at the command it seems like it should work in theory. I downloaded the Ubiquiti Device Discovery Tool and it was able to get a reply from the EdgeRouter. Could you link to the documentation where it says that the Ubiquiti Discovery Protocol only works on the LAN side?

echo -n "\x01\x00\x00\x00" | nc -uw1 192.168.1.1 10001 | hexdump -C
Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?


@Linux512 wrote:

I ran the following command but I didn't get any reply. Looking at the command it seems like it should work in theory. I downloaded the Ubiquiti Device Discovery Tool and it was able to get a reply from the EdgeRouter. Could you link to the documentation where it says that the Ubiquiti Discovery Protocol only works on the LAN side?

echo -n "\x01\x00\x00\x00" | nc -uw1 192.168.1.1 10001 | hexdump -C

I assume 192.168.1.1 is the IP of your router? Note that some shells might handle escaping differently; to check, you can run this and should see the following output:

$ echo -n "\x01\x00\x00\x00" | hexdump -C
00000000  01 00 00 00                                       |....|
00000004

If you see anything different then you might have to adjust the echo to account for your shell.

I don't think there's any documentation anywhere on the discovery tool; this is just what I've found while testing. I tried the command against an AirOS M5 device and it replied even on a different subnet, so it looks like only the EdgeOS implementation of ubnt discovery limits it to the local subnet. EdgeSwitches also reply on different subnets.

New Member
Posts: 7
Registered: ‎05-07-2018

Re: Does the UBNT Discovery Protocol face the internet?

[ Edited ]

From my Raspberry Pi.

echo -n "\x01\x00\x00\x00" | hexdump -C
00000000  5c 78 30 31 5c 78 30 30  5c 78 30 30 5c 78 30 30  |\x01\x00\x00\x00|
00000010
Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?

Yeah, that's your problem; zsh interprets it as intended.

Try echo -ne instead of echo -n; a quick test with bash indicates that does what's needed.

New Member
Posts: 7
Registered: ‎05-07-2018

Re: Does the UBNT Discovery Protocol face the internet?

echo -ne "\x01\x00\x00\x00" | hexdump -C
00000000  01 00 00 00                                       |....|
00000004
Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?

Yeah, that's right now; you should be able to use that with nc to actually query a device. Just take the first command I shared and add the "e".
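
A shell-portable version of the check this thread converges on, written as an added example rather than something from any post here: the udp/10001 probe bytes and the nc usage come from the thread, while the printf encoding (which avoids the echo -n / echo -e difference between shells) and the wrapper functions are mine. It assumes an nc that supports -u, which, as noted above, the busybox nc on EdgeOS does not.

```shell
#!/bin/sh
# Added example: self-audit probe for the UBNT discovery service on UDP 10001.
# Run it against your own router's WAN address from OUTSIDE your network; a
# reply means discovery is reachable from the internet and the WAN_LOCAL
# ruleset needs a drop for udp/10001 (or the discovery server should be off).

# The 4-byte discovery "magic" from the thread, emitted with printf octal
# escapes so the bytes are identical under sh, dash, bash and zsh.
ubnt_probe() {
    printf '\001\000\000\000'
}

# The probe as one hex string ("01000000"): the thread's hexdump -C sanity
# check, done with od so it works on systems without hexdump.
ubnt_probe_hex() {
    ubnt_probe | od -An -tx1 | tr -d ' \n'
}

# Send the probe to host $1 and wait up to $2 seconds (default 2) for a reply.
# Returns 0 when the device answered, 1 when it stayed silent. Only the
# response length is reported; the reply format is not parsed here.
ubnt_discovery_answers() {
    host=$1
    timeout=${2:-2}
    reply=$(ubnt_probe | nc -u -w "$timeout" "$host" 10001 2>/dev/null \
            | od -An -tx1 | tr -d ' \n')
    if [ -n "$reply" ]; then
        echo "$host: discovery replied ($(( ${#reply} / 2 )) bytes on udp/10001)"
        return 0
    fi
    echo "$host: no reply on udp/10001"
    return 1
}

# Usage: ./ubnt-discovery-check.sh <router-ip> [timeout-seconds]
if [ -n "${1:-}" ]; then
    ubnt_discovery_answers "$1" "${2:-2}"
fi
```

From inside the LAN a reply is expected (that is what the Discovery Tool relies on); the exit status is what matters when the same script is pointed at the WAN address from an external host.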

Veteran Member
Posts: 7,822
Registered: ‎03-24-2016
Kudos: 2037
Solutions: 899

Re: Does the UBNT Discovery Protocol face the internet?

On 2nd look, it seems to me udp10001 discovery protocol does work on the internet.

However, most ER-Xes at shodan.io also have the GUI exposed, so I guess those are all misconfigured: the wizard creates a WAN_LOCAL ruleset, which has most likely been removed; this exposes both GUI/CLI access and discovery.

Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?


@16again wrote:

On 2nd look, it seems to me udp10001 discovery protocol does work on the internet.

However, most ER-Xes at shodan.io also have the GUI exposed, so I guess those are all misconfigured: the wizard creates a WAN_LOCAL ruleset, which has most likely been removed; this exposes both GUI/CLI access and discovery.


Have you got an example of an EdgeRouter showing up with 10001 responding on shodan? I couldn't reproduce it answering to non-local addresses in my testing (unlike other ubnt products which don't have that check).

Veteran Member
Posts: 7,822
Registered: ‎03-24-2016
Kudos: 2037
Solutions: 899

Re: Does the UBNT Discovery Protocol face the internet?

Double-clicking on an ER item in Shodan shows the open ports detected; 10001 is certainly one of them.

Most of the time, NTP is also open, also caused by a lack of WAN_LOCAL rules.

btw: none of the ERs I have in the field are visible, or at least they only show ports mapped to internal stuff.

Veteran Member
Posts: 5,443
Registered: ‎03-12-2011
Kudos: 2738
Solutions: 129

Re: Does the UBNT Discovery Protocol face the internet?


@16again wrote:

Double-clicking on an ER item in Shodan shows the open ports detected; 10001 is certainly one of them.

Most of the time, NTP is also open, also caused by a lack of WAN_LOCAL rules.

btw: none of the ERs I have in the field are visible, or at least they only show ports mapped to internal stuff.


Ah yeah, I missed that link initially. That is really strange, because I can query AirOS devices across subnets (inside my firewall), and I can query EdgeOS devices on the local subnet (again, inside my firewall), but if I try to query an EdgeOS device across subnets (still inside my own network though!), I get no response.

It doesn't seem to be a firmware version thing either, and yet I can query the ones that appear on Shodan fine... Very strange...

Senior Member
Posts: 2,568
Registered: ‎03-23-2008
Kudos: 514
Solutions: 18

Re: Does the UBNT Discovery Protocol face the internet?

I was trying Shodan with airOS radios. It seems like, if I started tcpdump scanning for only port 10001 on those radios, Shodan did not need to send a packet with that port in it, but was still able to grab the Discovery data and display that port as open???

Best Regards ... Joe

If the communication industry had been built on the backs of yes-men,
we would be submitting our forum posts at the telegraph office in town.