Quickfix: Is your printer printing garbage text every night after installing a Ubiquiti UniFi Dream Machine Pro? Disable Endpoint Scanner.

Quickfix: Disable Endpoint Scanner

  1. Browse to your UniFi dashboard.
  2. Scroll down to Internet Security → Network Scanners.
  3. Disable Endpoint Scanner.

Wasting toner, ink, and paper

This isn’t necessarily a photography tip but most studios and offices have workhorse printers for administrative tasks. We bought our HP Color LaserJet CP2025dn over a decade ago in 2008 and it’s been dutifully cranking away without a hitch ever since. That is until I upgraded Hamor Photography’s Internet firewall from a Ubiquiti UniFi Security Gateway (USG) to a Ubiquiti UniFi Dream Machine Pro (UDM-Pro).

And then like clockwork our trusty workhorse started emptying our paper tray by spitting out infinite garbage text every night:

OPTIONS / HTTP/1.0

random1random2random3

GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0

OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

The behavior severely annoyed my wife whenever she went to print her USPS shipping labels. The printer would immediately start printing queued garbage text if she refilled the paper tray without shutting the printer off and then back on again.

For me this wasn’t really a big deal because I could mitigate the problem by either turning the printer off overnight or by leaving the printer tray empty. But I recognized these strings as service probes from Nmap: the Network Mapper.

So my primary concern was how security scans, which hackers sometimes use to find and attack vulnerable servers, were getting past my brand new firewall and into my network.

And what if a large-format photographic printer that costs tens or hundreds of dollars per page started exhibiting this behavior? It could quickly bankrupt a photography or graphic design studio in this already troubling economic climate.

Reproducing the behavior

Just to confirm that the garbage text was indeed caused by Nmap, I ran a scan myself. I installed Nmap on my MacBook Pro 16" using Homebrew and pointed it at the printer.

brew install nmap
sudo nmap -A -v -Pn -T4 -p1-65535 172.16.82.147

A few minutes later the paper tray was empty with pages of the same garbage text I’d been seeing every evening. So now the task at hand was to figure out where the rogue nightly scan was coming from.

Isolating and confirming the behavior

My first assumption was that something on my network may have been opening up external Internet access to my printer via UPnP. But no unexpected UPnP ports were mapped. Then, as I started digging through the UniFi Dashboard for Port Forwarding configuration, I remembered that I enabled a Threat Management feature called Endpoint Scanner.

The purpose of Endpoint Scanner is to show what services are running on every device on your internal network. And Ubiquiti must be using Nmap to implement this functionality!

So, to confirm my suspicions, I logged into my UniFi Dream Machine Pro using SSH and ran tcpdump. And waited.

tcpdump -X -s4096 -i br10 host 172.16.82.147

Sure enough, that evening tcpdump confirmed that the firewall itself was running Nmap against the printer and was using the same text that was being printed.

03:02:21.427842 IP 172.16.80.1.41274 > Laserjet-F96DAE.lan-8lt.9999: Flags [P.], seq 1:54, ack 1, win 11, options [nop,nop,TS val 155495109 ecr 49825338], length 53.
0x0000: 4500 0069 eafa 4000 4006 54df ac10 5001 E..i..@.@.T...P..
0x0010: ac10 5293 a13a 270f 2e6f 403e bde9 e5de ..R..:'..o@>.....
0x0020: 8018 000b 0218 0000 0101 080a 0944 aac5 .............D...
0x0030: 02f8 463a 4745 5420 2f6e 6963 6525 3230 ..F:GET./nice%20.
0x0040: 706f 7274 7325 3243 2f54 7269 2536 4569 ports%2C/Tri%6Ei.
0x0050: 7479 2e74 7874 2532 6562 616b 2048 5454 ty.txt%2ebak.HTT.
0x0060: 502f 312e 300d 0a0d 0a P/1.0.....

03:03:44.010874 IP 172.16.80.1.41378 > Laserjet-F96DAE.lan-8lt.9999: Flags [P.], seq 1:224, ack 1, win 11, options [nop,nop,TS val 155503367 ecr 49907924], length 223.
0x0000: 4500 0113 1b89 4000 4006 23a7 ac10 5001 E.....@.@.#...P..
0x0010: ac10 5293 a1a2 270f 594a d081 c019 a378 ..R...'.YJ.....x.
0x0020: 8018 000b 1297 0000 0101 080a 0944 cb07 .............D...
0x0030: 02f9 88d4 4f50 5449 4f4e 5320 7369 703a ....OPTIONS.sip:.
0x0040: 6e6d 2053 4950 2f32 2e30 0d0a 5669 613a nm.SIP/2.0..Via:.
0x0050: 2053 4950 2f32 2e30 2f54 4350 206e 6d3b .SIP/2.0/TCP.nm;.
0x0060: 6272 616e 6368 3d66 6f6f 0d0a 4672 6f6d branch=foo..From.
0x0070: 3a20 3c73 6970 3a6e 6d40 6e6d 3e3b 7461 :.<sip:nm@nm>;ta.
0x0080: 673d 726f 6f74 0d0a 546f 3a20 3c73 6970 g=root..To:.<sip.
0x0090: 3a6e 6d32 406e 6d32 3e0d 0a43 616c 6c2d :nm2@nm2>..Call-.
0x00a0: 4944 3a20 3530 3030 300d 0a43 5365 713a ID:.50000..CSeq:.
0x00b0: 2034 3220 4f50 5449 4f4e 530d 0a4d 6178 .42.OPTIONS..Max.
0x00c0: 2d46 6f72 7761 7264 733a 2037 300d 0a43 -Forwards:.70..C.
0x00d0: 6f6e 7465 6e74 2d4c 656e 6774 683a 2030 ontent-Length:.0.
0x00e0: 0d0a 436f 6e74 6163 743a 203c 7369 703a ..Contact:.<sip:.
0x00f0: 6e6d 406e 6d3e 0d0a 4163 6365 7074 3a20 nm@nm>..Accept:..
0x0100: 6170 706c 6963 6174 696f 6e2f 7364 700d application/sdp..
0x0110: 0a0d 0a ....

And the timestamp on the Endpoint Scan Data aligned with the time that tcpdump detected the Nmap scan.
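To make the capture above easier to read, here is a small added Python helper (my code, not part of the original post or anything Ubiquiti ships) that reassembles the packet from the hex column of tcpdump -X output, extracts the TCP payload and matches it against the probe strings the printer had been printing. The sample dump is the first capture above; the probe labels are my own names, not Nmap's.

```python
import re

# Constructed sample: the first tcpdump -X packet from this post.
SAMPLE_DUMP = """\
03:02:21.427842 IP 172.16.80.1.41274 > Laserjet-F96DAE.lan-8lt.9999: Flags [P.], seq 1:54, ack 1, win 11, options [nop,nop,TS val 155495109 ecr 49825338], length 53
0x0000: 4500 0069 eafa 4000 4006 54df ac10 5001 E..i..@.@.T...P..
0x0010: ac10 5293 a13a 270f 2e6f 403e bde9 e5de ..R..:'..o@>.....
0x0020: 8018 000b 0218 0000 0101 080a 0944 aac5 .............D...
0x0030: 02f8 463a 4745 5420 2f6e 6963 6525 3230 ..F:GET./nice%20.
0x0040: 706f 7274 7325 3243 2f54 7269 2536 4569 ports%2C/Tri%6Ei.
0x0050: 7479 2e74 7874 2532 6562 616b 2048 5454 ty.txt%2ebak.HTT.
0x0060: 502f 312e 300d 0a0d 0a P/1.0.....
"""

# Probe strings the printer printed (from this post); labels are my own.
NMAP_PROBE_SIGNATURES = {
    "http-options": b"OPTIONS / HTTP/1.0",
    "random-garbage": b"random1random2random3",
    "fourohfour-get": b"GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0",
    "sip-options": b"OPTIONS sip:nm SIP/2.0",
}

HEX_TOKEN = re.compile(r"(?:[0-9a-f]{2}){1,2}")

def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw IP packet bytes from the hex column of `tcpdump -X` output."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue  # the packet summary line carries no bytes
        for tok in tokens[1:9]:  # tcpdump -X prints at most 16 bytes per line
            if not HEX_TOKEN.fullmatch(tok):
                break  # reached the ASCII column
            raw += bytes.fromhex(tok)
    if len(raw) < 4:
        return bytes(raw)
    total_len = int.from_bytes(raw[2:4], "big")  # trust the IP total-length field
    return bytes(raw[:total_len])

def tcp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:]

def match_probe(payload: bytes):
    for name, sig in NMAP_PROBE_SIGNATURES.items():
        if payload.startswith(sig):
            return name
    return None

def summarize(dump: str) -> dict:
    """Who scanned whom, on which port, with which known probe."""
    pkt = parse_tcpdump_hex(dump)
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "dport": int.from_bytes(pkt[ihl + 2:ihl + 4], "big"),
        "probe": match_probe(tcp_payload(pkt)),
    }
```

Running summarize(SAMPLE_DUMP) attributes the probe to the UDM-Pro's LAN address (172.16.80.1) targeting the printer (172.16.82.147), which is the same conclusion drawn from the timestamps above.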

“Solving” the problem

  1. Browse to your UniFi dashboard.
  2. Scroll down to Internet Security → Network Scanners.
  3. Disable Endpoint Scanner.

I applaud Ubiquiti for implementing the Endpoint Scanner. But the feature is still in Alpha and can cause serious problems with printers. The reason “solving” is in quotes is that this isn’t a problem with the Endpoint Scanner itself. It’s a long-standing issue with most printers.

While searching for answers I found countless posts over the past decade complaining about nmap causing garbage text to print. Most printers are designed to accept and print any data that is sent to them. So, when Endpoint Scanner runs nmap against a printer, the printer will print. Or, if a printer is directly connected to the Internet and a hacker scans it with nmap, it will print. Just as it was designed to do.

Since this is just how printers work, Endpoint Scanner should offer a way to list hosts you don’t want scanned. Or, since Endpoint Scanner determines that a device is a printer after the first scan, the UniFi Dashboard could automatically configure itself not to fully scan that MAC address again.

So, until Ubiquiti addresses this issue, I’ll be disabling Endpoint Scanner and will only enable it temporarily when I know that all my printers are turned off.

Originally published on Hamor Photography Blog on July 3, 2020.

Sean Sosik-Hamor

Cyber Security Engineer, Data Center Engineer, Photographer, Event Logistics, and Event Networks