Marsonhewitt
Message 1 of 3

Multicast DNS Letter

Had a letter today saying I've had a device on my network with a potential vulnerability.

I don't recognise the IP address given on the letter?

I've had my PS4 in a DMZ for a while but have now deactivated this following this letter. Other than that, I haven't a clue what has caused this; as I said above, the IP on the letter doesn't match any in my house.

Any help would be appreciated.

Thanks,

Ryan

 

Forum Team
Message 2 of 3

Re: Multicast DNS Letter

Hello Ryan

 

The last vulnerability was picked up on the 18th of September. Our IP addresses are dynamic so do change from time to time, but as it happens in this case you still have the same one now; you can see it here, hopefully: https://www.whatismyip.com/ Please remember it is your public IP address, not the local one that your PS4 has.

One of our Super dooper users has kindly created a very helpful post about it; I would thoroughly recommend a read: "mDNS and SSDP vulnerabilities - a suggestion for devices in the DMZ".

 

Thank you

Nicola

Virgin Media Forum Team
GraemeMcC
Message 3 of 3

Re: Multicast DNS Letter

I have now received a 3rd warning letter from VM Internet Security (VMIS) in Swansea about the alleged POTENTIAL mDNS vulnerabilities that MAY exist in my system. Such joy.
 
On receipt of the 1st letter (in July), I had a look at the various posts within this forum, then I took the precaution of attempting to block port 5353 via the firewall settings of my Arris Hub 3.0. That experience concluded that the router's GUI is not very user-friendly in the way it tries to explain the input fields and the terminology it presents to the user. My main conclusion was that the Hub3.0 cannot actually block the incoming ports (via its GUI settings) so all I could try was port-forwarding to a vacant destination where, hopefully, inbound traffic could be lost and dumped.
 
I took the warning seriously enough (at first) because:
 
I do have a streaming device within my system, a Logitech Squeezebox which extracts music files from one of my Synology NAS boxes (then feeds the output to the DAC in my HiFi system). That does "phone home" for updates and sporadically fires itself awake, so I could point a finger of suspicion that way. However, the Logitech manuals state that the 3xPorts that the Squeezebox server system uses are not via 5353 and do not involve DNS.
 
My NAS boxes also phone home for auto-updates to their DSM software, however Synology declare that since DSM 5.3, potential mDNS issues have been resolved. I am on DSM 6.x, so should have no cause for concern.
 
However, Windows and Linux OSes phone home for their updates.
 
DMZ mode is not enabled so, to the best of my knowledge, none of my network devices should be able to by-pass the router's firewall.
 
I also have a Virgin TiVo box connected directly to the broadband fibre network, outside of my Router/internal network. I have absolutely no idea if that is on the same external broadband IP address... That seems to have a mind of its own and seems to have an intense dislike of BBC iPlayer streams or on-demand/catchup viewing use.
 
On receipt of the 2nd warning (August), I noted that the Hub3.0 was set for port-filtering (not forwarding). So I invoked a new set of Port-Forwarding rules and wrote to Swansea, stating my Hub settings and requesting a bit more detail about the potential problems - some actual times, responsive MAC addresses, ports tested, etc, would be a start. VMIS acknowledged my request (or my "complaint" as they interpreted it) and stated that they would phone me to discuss, within 14 days. That conversation has yet to happen and is unlikely to do so unless they catch me in at home - I cannot see the point in giving them a mobile or office number if I am not present to be sat at a network terminal to interrogate the Hub's GUI. Where is their direct phone number so that I can call them when I can be sat at my terminal?
 
Then, VMIS contacted me with a 3rd warning letter (late September) declaring an event on a Wednesday. At least that helps to isolate the desktop on XP (which is only fired up in that mode on Thurs/Fri - and don't start preaching to me about still using XP - it has its purposes on an old PC which runs EAC-ripper and my Polar-HRM data-logger nicely, but otherwise does not have the hardware to support Win7+ nor run a virtual Windows from Linux) however that device would otherwise be running Linux Mint. Also "on/sleeping" would likely have been a Win7 laptop and a Mint netbook (as well as the Squeezebox and NAS boxes, all snoozing in WOL mode). The warning also enlightened me to the fact that I have a dynamic external IP address. So, if most of us have dynamic connections, how do the ISPs pin-point us? For all I know, the finger of blame could be pointing in the wrong direction...
 
Anyway, I have now applied port-triggering AND port-forwarding per https://community.virginmedia.com/t5/Security-matters/mDNS-and-SSDP-vulnerabilities-a-suggestion-for...
AND

https://help.virginmedia.com/system/templates/selfservice/vm/help/customer/locale/en-GB/portal/20030...
 
The deeply hidden key phrase seems to be "Trigger Range: the trigger range consists of the range of outgoing ports that will be monitored to trigger the incoming port forwarding rule". To me, that reads as "the firewall monitors outgoing traffic via a specified port. If it spots any, then it will apply the port-forwards rule for inbound traffic". Surely that is all the wrong way around? It needs to see what is arriving in-bound at an external port and divert it to a dead end internal destination. Nomenclature aside, it would appear that you need Port Triggering rules in place before any Port Forwarding rules can be invoked. Do correct me if I'm wrong. Then do make the set-up documents clearer. My GUI makes no mention of the interdependence between Triggering and Forwarding...
 
My GUI offered different setup options and input descriptions, so I am still unsure as to what the router's firewall thinks it is supposed to be doing. Fingers crossed.
 
Generally I was happy with my system - it works for me, is secure enough for me. But I have had Hub3.0 foisted upon me by Virgin - funnily enough, just before all these warnings started to arrive. The Hub seems to be meant to be left switched on 24/7: my previous setup, with a broadband modem and a DLink Router worked fine for me - I could switch the modem off and leave the router on so that my internal ethernet/WiFi networked. And switch everything off when out of the house. It rebooted in <30 secs. Not ~3mins per Hub3.0. And the old system did not proffer guest-networking. Fine by me. And the alleged speed upgrades have not really materialized to my benefit (I do not stream movies or download torrents, etc) - do I really need a Hub3?
 
That suggests to me that the primary suspect in all this game is either the Hub3 or their TiVo box - why haven't Virgin distributed these pre-set to block the mDNS (and any other known) vulnerability as default, out-of-the-box? I appear to have been given one which is poorly configured by default, by them!
 
If The Shadowserver Foundation are really that concerned about mDNS vulnerabilities, then they need to be a bit more pro-active than just firing out warning notes to the ISPs - how many end-users out here are network administration savvy and have all the tools and knowledge to sort themselves out? As many as 1%? I doubt it. This issue is not going to resolve itself very easily - the internet police need to re-think their strategy.
 
Likewise VM Internet Security - if you are concerned enough to write to us all monthly, then rather than just waving yellow cards at us all, have you not twigged that most of us haven't the foggiest idea about how to tackle the problem and find the root cause, if there actually is one. Vague explanations, such as this, https://community.virginmedia.com/t5/Security-matters/Warning-Letters-from-Internet-Security-an-expl... are not helpful. VMIS should be interrogating Shadowserver and pin-pointing the users' problems if they see trends setting in.
 
Personally, I couldn't give a monkeys - I haven't yet encountered an operational problem despite having this alleged "vulnerability" if it does exist in my system. It is not directly affecting me yet. For all I know, this could be yet another scam, to scare us into buying software or services to check our networks with. How many people are actually affected by this issue? Is it just those of us here on the forum? 10s? 100s? 1000s? Higher?
 
Come on Virgin, sort yourselves out. You are increasing the package fees yet again so at least give us value for money and proper technical support - not a worthless F-Secure Security pack which dropped XP support, a TiVo which shirks iPlayer and a flawed Hub3 which cannot be correctly configured via its GUI. Does the Hub3 firewall actually block any ports at all, or is it full of open holes? "Chocolate teapot" springs to mind... I'd like to see it listing which ports can be (or are actually) open, as well as those with rules to divert or filter.  
 
Rant nearly over: if anyone has had confirmation of how to actually resolve this, then VMIS should be posting a page of how-to facts - not vague hints - to close off the vulnerabilities, instead of leaving us to trawl aimlessly through the forums reading rants like this, but not finding actual solutions. Please give us a click-by-click example from the GUI, and in plain English, of exactly how to shut off port 5353 for each variant hub and each/current software version. Inbound and outbound please, not wishy-washy terms like start range/end range/target/etc.
 
Right - I'd best be off to find my old modem and D-Link DIR615, if only to save VMIS some postage charges... That, or a new ISP...

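One way to find which device on a home network runs an mDNS responder on UDP 5353, the port discussed in the posts above. This is an added example, not part of the thread or of Virgin Media's guidance. It sends the standard DNS-SD service-enumeration query by unicast to one LAN address and lists the services the device advertises; the function names are this example's own.

```python
import socket
import struct

DNSSD_NAME = "_services._dns-sd._udp.local"  # RFC 6763 service-enumeration name

def build_query(name=DNSSD_NAME, txid=0x1234):
    """One-question DNS query for the PTR records of `name` (class IN)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 12, 1)

def read_name(msg, off, hops=0):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    while (n := msg[off]):
        if (n & 0xC0) == 0xC0:              # compression pointer to earlier bytes
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            return ".".join(labels + [read_name(msg, ptr, hops + 1)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def advertised_services(msg):
    """PTR targets found in the answer section of a DNS message ([] if none)."""
    off, found = 12, []
    try:
        _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        for _ in range(qd):                 # skip the echoed question(s)
            off = read_name(msg, off)[1] + 4
        for _ in range(an):
            off = read_name(msg, off)[1]
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == 12:                 # PTR record: rdata is a service name
                found.append(read_name(msg, off + 10)[0])
            off += 10 + rdlen
    except (IndexError, ValueError, struct.error):
        return []                           # truncated or malformed reply
    return found

def probe(host, timeout=1.0):
    """Unicast the query to host:5353; return advertised services, [] if silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, 5353))         # connected UDP: only this host's replies
            s.send(build_query())
            return advertised_services(s.recv(4096))
        except OSError:                     # timeout or ICMP port unreachable
            return []
```

Call `probe()` with the local address of each of your own devices in turn. A device that answers, and that is also in the router's DMZ or behind a forward for port 5353, is a candidate for what the letter reports.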