
mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

ravenstar68
Very Insightful Person

The other day I got a letter about a device on my home network responding to Multicast DNS (mDNS) queries from outside my home network.

Other people have received similar letters, and also letters discussing NetBIOS and SSDP vulnerabilities as well.

These letters come as a result of Virgin Media being contacted by a third-party organisation, shadowserver.org, who send queries out to people's public-facing IPs and see if they get a response back.

Why are Shadowserver doing this?

Quite simply, to enable the closing down of exploits that others can use to mount DDoS attacks against internet users.

Devices in the DMZ

In several cases in the mDNS threads we see devices have been placed in the DMZ to facilitate some aspect of internet connectivity.  In several cases these have been PS4s; in my own case it was a PC.  The problem is that if a device is in the DMZ, all unsolicited traffic is sent to that device UNLESS there is a separate port forwarding rule in place.  This exposes any flaw in the way a device handles incoming SSDP and mDNS queries from the internet.

False positive?

Several people have suggested that the letters are sent out based on false positives.  Based on my own experience, I would say this is not correct.  Contacting Shadowserver, I was sent the log of what they found from my IP.  I recognised the culprit straight away as being AirServer, which allows me to stream from my iPad to my PC.  However, the logs can be confusing to the average user.

Port blocking?

Advice from Virgin Media suggests blocking inbound ports in the firewall section.  Unfortunately the Superhub 3 does not have any rules to do this, and some people advise that turning up the firewall breaks their gaming experience.  So we need to consider an alternative method.

Using Port Forwarding to drop the inbound traffic.

Inbound traffic is evaluated in the following order:

1. NAT table entry (is it a response to outbound traffic?)
2. Port forwarding rule
3. Device in DMZ

So by setting up port forwarding rules to an IP address that doesn't have anything connected we can drop the inbound traffic from the internet side of the network.

This won't affect normal LAN traffic, so devices on the same LAN can still find each other.  I've already done this with mDNS and my iPad can still happily find AirServer on my PC, but Shadowserver can no longer find it.

This help article by Virgin Media describes how to port forward on the different Hubs.

As noted above, rules should be set according to the vulnerability, or you can pre-empt them and set them all up.

I currently have:

    mDNS - Port 5353 UDP forwarded to 192.168.0.253
    SSDP - Port 1900 UDP forwarded to 192.168.0.253

Will this stop a device connecting to the Internet?

No - these services are meant for use on the Local network only.  Devices connecting to the net use other outbound ports to do so.

Ravenstar68

Note: Windows Firewall makes it possible to limit a system to allowing inbound connections from the same LAN.  I've actually done this with AirServer and a number of other mDNS listeners.  However, as this won't help people who are not using Windows devices, I feel port forwarding offers the easiest option.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

NinoS
Tuning in

I've just received my first mDNS warning letter from VM, but I have my PS4 in DMZ. I'm not willing to disable DMZ, so I'd much prefer a different solution.

Can any PS4 users confirm port forwarding is successful with Super Hub 2? As per the suggestions here and in other topics, I've forwarded port 5353 to an unused local IP as follows:

[screenshot: PF5353.jpg]

With the WAN IP, dig displays the following:

; <<>> DiG 9.10.4-P8 <<>> @81.**.**.** -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

However, the pentest-tools website reported:

Starting Nmap 6.00 ( http://****.org ) at 2017-04-16 11:41 EEST
Initiating Ping Scan at 11:41
Scanning 81.**.**.** [4 ports]
Completed Ping Scan at 11:41, 0.06s elapsed (1 total hosts)
Initiating UDP Scan at 11:41
Scanning ...cable.virginm.net (81.**.**.**) [1 port]
Discovered open port 5353/udp on 81.**.**.**
Completed UDP Scan at 11:41, 0.05s elapsed (1 total ports)

[+] Nmap scan report for ...cable.virginm.net (81.**.**.**)
Host is up (0.021s latency).

PORT     STATE SERVICE
5353/udp open  zeroconf

I also checked the nightlydev site, and it shows port 5353 as being open as well. I just can't make sense of this...

Using the PS4's local IP, dig reports:

; <<>> DiG 9.10.4-P8 <<>> @192.168.0.80 -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_services._dns-sd._udp.local.  IN      PTR

;; ANSWER SECTION:
_services._dns-sd._udp.local. 10 IN     PTR     _spotify-connect._tcp.local.

;; Query time: 0 msec
;; SERVER: 192.168.0.80#5353(192.168.0.80)
;; WHEN: Sun Apr 16 09:49:19 GMT Daylight Time 2017
;; MSG SIZE  rcvd: 82

I don't use Spotify and haven't downloaded it onto the console, but it appears in the report above. Again, running dig using my WAN IP still shows "no servers can be reached", which I thought would mean the port 5353 issue was resolved. Can anyone offer some advice?

ravenstar68
Very Insightful Person

Just as an update to the above post - which I missed.

Nino posted here - https://community.virginmedia.com/t5/Security-matters/Multicast-DNS-and-DMZ-problems/m-p/3398219

And port forwarding seems to have subsequently kicked in for him and blocked the port.


@ravenstar68 I just had an mDNS letter lol. I know why: I put my PS4 in the DMZ because port forwarding was failing. Funny thing is, they must have scanned so fast, because I didn't waste much time before forwarding mDNS and SSDP to a non-existent internal IP.

ravenstar68
Very Insightful Person

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.



@ravenstar68 wrote:

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.


Good pointer and yes, they must be scanning VM IP addresses very often.

[screenshot: port.jpg]

Yes, I have the DHCP range set to .25 max and there are no devices above .20.

stoffle
On our wavelength

Can I use the same IP addresses as the ones you guys have used?

Also, I have to choose a Predefined rule (service) and I don't know what to choose.

Thank you.

Update

Where it says services I chose a service and then chose the default services tab again so that I could click apply afterwards; obviously I filled out the other usual information, but does this look correct to you guys? Am I able to use the DMZ again? I deleted Spotify as a precaution (even though it wasn't actually installed) and I am only assuming the PS4 is the issue at this moment in time as that is the only device in the DMZ. Thank you again.

P.S. Quite a few months back I posted on these forums about an attack on my router from a player in an online PS4 game. One or two people said it wasn't possible, but after receiving this letter it seems it is possible: they shut my internet down for exactly an hour after sending me a message laughing about how my internet was going down.

ravenstar68
Very Insightful Person

First off, leave the services tab alone.  That is there to assist you if you are setting up forwarding for well-known services such as HTTP or FTP, by filling in the port values automatically.

You just need to make sure that the IP address you are forwarding to is not likely to be used by any devices.  For this reason I usually use 192.168.0.254 as it's the highest possible IP on your subnet, and unless you have a lot of networked devices, is unlikely to be used.

I'm going to deal with the last part in 2 stages.

First off, having a device on your network respond to mDNS queries from outside isn't used to attack you directly.  Rather, it enables hackers to use your PS4 as part of a DDoS attack on other people.

However, while in the past DDoS attacks were mainly used against corporate targets, there is a rise in "stresser" sites enabling anyone to purchase DDoS attacks, so it's certainly within the realm of possibility that the user did launch an attack.  However, to deal with such individuals I would contact Sony and let them have his PlayStation ID and the time the conversation took place, as Sony may decide to take action against the individual.

Tim


Received my 1st letter a little while ago and followed the port forwarding advice with no problem. It was saved/enabled when I left the router.

Just received 2nd letter and checked my device to find my port forward has gone/removed. No one has access other than myself to the router so I know I haven't removed it etc. Has this happened to anyone else?

I also have my PS4 in dmz and would rather it stayed that way, but if this is going to continue I might take it out of it.

I have had one email and three letters now. I have contacted Virgin who confirm the settings on Router as configured correctly but I have just received another letter.

If DMZ is not enabled now, can Shadowserver be getting these results?

Hi,

I've got the second round of communication from Virgin regarding this, so it seems the first set of suggestions (blocking outbound mDNS) didn't work (I know my way around a router, a DrayTek, so I am confident this is disabled). I only have 1 open port inbound; the rest are blocked. I'm slightly confused how this shadow service would know I have outbound mDNS requests? Inbound, I understand, but I've done multiple firewall checks and only 1 port is open and it doesn't respond.

What I'd like to know, and to be frank Google has failed me, is how can I tell where the "rogue" mDNS is coming from? I have a bunch of devices, servers and laptops on the network in addition to a lot of home smart devices, so trying to find out the culprit is difficult without packet sniffing the network.

cheers