I would be interested to know more too. Received the letter today but it seems very vague. Happy to do what they suggest and block the port but how can I know that my hardware in the house will continue to function?
The Virgin website states they will consider 'other means' if ignored..... Really???
you have received a letter/email from Virgin Media about this vulnerability, it is important that the issue is resolved within 5 days of the receipt of this communication, otherwise we may have to consider further measures including suspending your Internet service.
This is the first time in 8 years of being a customer regarding anything like this, and in all honesty, the total vagueness of the letter wasn't exactly helpful.
I've queried it on Twitter, but the guys at ShadowServer have just been rude and unhelpful.
My network is managed quite well and I have never had issues. I can't stealth port 5353 as there's no way to configure it on the SH2ac. I was more surprised to see that all of the port forwarding and router settings I spent days inputting have all disappeared. I assume this happens every time VM do something to the router, so what's the point in port blocking 5353 or any other port?
I have 21 devices on my network, this is a headache I'd rather not have.
From what I understand, I have a couple of options...
- VPN all of my traffic in and out
- Hardware VPN
- Buy a router which I can actually manage without the risk of VM screwing it up at will
I assume their threat of "further steps" would involve VM forcing my router into a higher firewall setting. Ironic how VM tell us to do this to protect from some threat and then use the same threat to modify your hardware without your knowledge. Irony?
The only things that have changed recently are the Investigatory Powers Bill (IPBill), VM network changes for the V6 Box and I'm part of the VM Wifi test area. The latter I intend to opt out of ASAP.
I got the same letter from Virgin on 29th September 2017, referring to a scan that took place on 9th September 2017. I performed an external scan (from an AWS machine), and nothing came back.
I recently bought a Fingbox device for my network. Now... the way this device manages to do what it does on your network may raise your eyebrows somewhat... but it did alert me to a computer on my network that was allowing 5353/UDP through the firewall over UPnP.
I suspect that the scan took place while some particular piece of software was running... detecting the cause now is going to involve an awful lot of testing and trial & error.
Be aware that the website mentioned in the letter, virginmedia.com/mdns is full of inaccurate and misleading advice.
"The easiest way to deal with an Multicast DNS vulnerability is to configure your firewall to block port 5353."
There is no way to do this on Virgin Media routers! Virgin Media routers do not have a configurable firewall. The article merely instructs you on how to delete existing port forwarding rules - this is not the same thing as configuring a firewall to drop requests.
In many cases, there will be no such port forwarding rules anyway, as the port will have been opened up to a specific device via UPnP and will be invisible to the firewall. The correct advice is to tell customers to disable UPnP... however, that will most likely result in a lot of popular network services suddenly becoming disabled.
"If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately."
No, no, no... there are plenty of consumer devices designed to be placed into a DMZ that are far more secure than a common computer. Examples are an Xbox or PlayStation.
"How do I know I’m now safe?
If you have followed the above advice you can be confident that you have resolved the issue."
Wrong! This is the worst kind of computer advice imaginable. Consider the fact that the article has totally missed the UPnP situation... you'd still be vulnerable!
The only way to know you are safe is to perform the appropriate port scan from a computer external to your network. I'd love to go into more detail here, but it would likely result in my post being deleted.
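The external check discussed in this thread, as an added example that is not part of any post above or of Virgin Media's guidance: a minimal self-check that sends one unicast DNS-SD query to 5353/UDP on your own public IP from a machine outside your network. The script name, the query name and the fixed transaction ID are assumptions chosen for illustration.

```python
import socket
import struct
import sys

MDNS_PORT = 5353
# DNS-SD service enumeration name; assumed here as the probe question.
QNAME = "_services._dns-sd._udp.local"


def build_query(name=QNAME, txid=0x1234):
    """Build a DNS query packet (QTYPE=PTR, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # one question, no flags
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 12, 1)


def parse_reply(data):
    """Return (is_response, answer_count) from a DNS header; (False, 0) if too short."""
    if len(data) < 12:
        return False, 0
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return bool(flags & 0x8000), ancount  # 0x8000 is the QR (response) bit


def probe(ip, timeout=3.0):
    """Send one unicast query to ip:5353/UDP and report whether anything answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(), (ip, MDNS_PORT))
            data, _addr = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: no reply seen
            return False, 0
    return parse_reply(data)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mdns_check.py <your-own-public-ip>")
    answered, count = probe(sys.argv[1])
    if answered:
        print(f"5353/UDP answered from outside ({count} answer records): exposed")
    else:
        print("no reply on 5353/UDP during this run")
```

A silent result only covers the moment of the test: a UPnP mapping that exists only while a particular program is running will not show up unless that program is running when the check is made, so repeat it under normal usage.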