on 12-01-2017 15:34
The other day I got a letter about a device on my home network responding to Multicast DNS (mDNS) queries from outside my home network.
Other people have received similar letters, and also letters discussing NetBIOS and SSDP vulnerabilities.
These letters come as a result of Virgin Media being contacted by a third party organisation, shadowserver.org, who send queries out to people's public-facing IPs and see if they get a response back.
Why are Shadowserver doing this?
Quite simply, to enable the closing down of exploits that others can use to mount DDoS attacks against internet users.
Devices in the DMZ
In several cases in the mDNS threads we see devices have been placed in the DMZ to facilitate some aspect of internet connectivity. In several cases these have been PS4s; in my own case it was a PC. The problem is that if a device is in the DMZ, all unsolicited traffic is sent to that device - UNLESS there is a separate port forwarding rule in place. This exposes any flaw in the way a device handles incoming SSDP and mDNS queries from the internet.
False positive?
Several people have suggested that the letters are sent out based on false positives. Based on my own experience, I would say this is not correct. Contacting Shadowserver, I was sent the log of what they found from my IP. I recognised the culprit straight away as being AirServer, which allows me to stream from my iPad to my PC. However, the logs can be confusing to the average user.
Port blocking?
Advice from Virgin Media suggests blocking inbound ports in the firewall section. Unfortunately the Superhub 3 does not have any rules to do this, and some people advise that turning up the firewall breaks their gaming experience. So we need to consider an alternative method.
Using Port Forwarding to drop the inbound traffic.
Inbound traffic is evaluated in the following order:
1. NAT table entry - response to outbound traffic?
2. Port Forwarding rule
3. Device in DMZ
So by setting up port forwarding rules to an IP address that doesn't have anything connected we can drop the inbound traffic from the internet side of the network.
This won't affect normal LAN traffic, so devices on the same LAN can still find each other. I've already done this with mDNS and my iPad can still happily find AirServer on my PC, but Shadowserver can no longer find it.
This help article by Virgin Media describes how to port forward on the different Hubs.
As noted above, rules should be set according to the vulnerability, or you can pre-empt them and set them all up.
I currently have mDNS - Port 5353 UDP forwarded to 192.168.0.253
SSDP - Port 1900 UDP forwarded to 192.168.0.253
Will this stop a device connecting to the Internet?
No - these services are meant for use on the Local network only. Devices connecting to the net use other outbound ports to do so.
Ravenstar68
Note: Windows Firewall makes it possible to limit a system to allowing inbound connections from the same LAN. I've actually done this with Airserver and a number of other mDNS listeners. However as this won't help people who are not using Windows devices, I feel port forwarding offers the easiest option.
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.
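The evaluation order in the post above (NAT reply, then port forwarding rule, then DMZ) is what makes a forward to an unused IP act as a sink. The model below is an added illustration, not code from the original post or from the hub firmware; it assumes a simplified hub whose forwarding to a non-existent LAN address silently discards the packet, and uses the thread's DMZ console at 192.168.0.19 plus constructed host and port values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, int]  # (protocol, external port)


@dataclass
class Hub:
    """Toy model of the hub's inbound decision, in the order the post gives (assumption)."""
    nat_table: Set[Key] = field(default_factory=set)        # pinholes opened by outbound traffic
    forwards: Dict[Key, str] = field(default_factory=dict)  # port forwarding rules
    dmz_host: Optional[str] = None
    lan_hosts: Set[str] = field(default_factory=set)        # IPs that actually exist on the LAN

    def route_inbound(self, proto: str, dst_port: int) -> Tuple[str, Optional[str]]:
        key = (proto, dst_port)
        if key in self.nat_table:               # 1. reply to something a LAN host sent out
            return ("nat-reply", None)
        if key in self.forwards:                # 2. explicit port forwarding rule
            target = self.forwards[key]
            if target in self.lan_hosts:
                return ("forwarded", target)
            return ("dropped", target)          # nothing answers at that IP: packet goes nowhere
        if self.dmz_host is not None:           # 3. everything else lands on the DMZ host
            return ("dmz", self.dmz_host)
        return ("firewall", None)               # no rule, no DMZ: the hub's firewall discards it


def build_hub(with_sink_rules: bool) -> Hub:
    """DMZ console at .19 (from the thread); .253 is the unused sink IP the post recommends."""
    hub = Hub(dmz_host="192.168.0.19", lan_hosts={"192.168.0.19", "192.168.0.10"})
    hub.nat_table.add(("udp", 40000))           # constructed: reply port of an outbound game session
    if with_sink_rules:
        hub.forwards[("udp", 5353)] = "192.168.0.253"   # mDNS
        hub.forwards[("udp", 1900)] = "192.168.0.253"   # SSDP
    return hub


def compare() -> Dict[str, Tuple[str, Optional[str]]]:
    """Where the same inbound packets end up before and after adding the sink rules."""
    before, after = build_hub(False), build_hub(True)
    return {
        "mdns_before": before.route_inbound("udp", 5353),
        "mdns_after": after.route_inbound("udp", 5353),
        "ssdp_after": after.route_inbound("udp", 1900),
        "game_reply_after": after.route_inbound("udp", 40000),
        "other_unsolicited_after": after.route_inbound("tcp", 8080),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:25s} -> {outcome}")
```

Running it shows mDNS and SSDP queries dropped at the sink address while game replies and any other unsolicited traffic still reach the DMZ console as before.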
on 31-01-2017 19:30
I have had five letters regarding the multicast DNS vulnerability. I have written to them today and will see what they have to say, as you cannot contact them any other way.
on 01-02-2017 15:01
If anyone's interested, here are my port forwarding rules on the Hub 3.
Note: The hub 3 is unusual in that while most other devices specify the external port first, it instead asks for the internal IP and port first.
on 11-02-2017 14:42
OK, I set up port forwarding to 192.168.0.253.
What should I do with port triggering? It is empty.
I have DMZ on 192.168.0.19 for my Xbox.
I have an Amazon Fire TV, 3 Android devices, 2 laptops.
on 11-02-2017 14:54
Leave Port triggering alone.
The Port forwarding is to stop SSDP and mDNS queries getting to the device in the DMZ from the internet.
on 27-02-2017 14:28
Hello Ravenstar, I'm still on Superhub 1, so I don't have the setting like in your screenshot with local port range 65535-65535. So is it just the case of port forwarding like below? Does it still work out fixing the problem? Thanks.
Name   Port range   Protocol   IP address
SSDP   1900         UDP        192.168.0.253
mDNS   5353         UDP        192.168.0.253
on 27-02-2017 15:35
That will work as long as there's no device currently using that IP address, as the hub will try to send packets there, won't be able to, and so will drop them.
on 27-02-2017 15:59
Thank you for the fast reply and for putting me at ease.
on 11-03-2017 14:44
As have others, I've received the mDNS letter. A Shodan IoT search confirms the mDNS port is open on my public IP.
However, an nmap scan on my network doesn't show any devices listening on the port, and I don't have any port forwarding rules at all in the SuperHub 3.
The only thing I can think of is that I've only recently removed my Raspberry Pi from the DMZ, so maybe that showed up...
I'm thinking that, as nmap shows no mDNS ports listening and there aren't any firewall rules I can modify, there's not a lot I can/need to do..!?! Frustrating that you can't apply deny rules to the inbound rules on the firewall.
30-03-2017 22:51 - edited 30-03-2017 22:59
Sorry to drag this up.
Don't Virgin (yes they do - just checked) block the NetBIOS ports from 135 - 139!!!
And I am curious as to why I received a letter saying I had been compromised on my own network (did make me laugh)!!
I am running a PS3 Media Server program which shares all my media, and no one can access this unless they are on my subnet.
I know my way around a Cisco network / switches and company routing.
Just looked at Shadowscan. WTG geniuses. Pop out the information that there are between 4 and 8 million DNS amp attack boxes that are still alive. You only need a handful to completely cripple a website.
And to make it worse, they told you which countries have the highest and which port. I always wondered where some idiots got their IP ranges from for amp scanning.
Anyway, if it helps, I binned the letter and ignored it, as for me it was merely informational.
EDIT - For anyone who has a Linux box, just enter the following to see if your box has NTP enabled and running.
root@sd-104134:~# ntpdc -n -c monlist 192.0.2.1
on 31-03-2017 00:03
Actually the NetBIOS trio of ports is 135, 139 and 445 - and if you check you'll find Virgin lifted the block a couple of years ago.
Ravenstar68