Joining in
Registered: ‎31-01-2017
Message 11 of 22 (900 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

I have had five letters regarding the multicast DNS vulnerability. I have written to them today and will see what they have to say, as you cannot contact them any other way.

0 Kudos
Superuser
Registered: ‎01-11-2009
Message 12 of 22 (875 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

If anyone's interested, here are my port forwarding rules on the Hub 3:

pf-mdns-ssdp.JPG

Note: The Hub 3 is unusual in that, while most other devices specify the external port first, it instead asks for the internal IP and port first.

________________________________________


Only use Helpful answer if your problems been solved.

Joining in
Registered: ‎20-08-2014
Message 13 of 22 (801 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

OK, I set up port forwarding, but on 192.168.0.253.

What should I do with port triggering? It is empty.

I got DMZ on 192.168.0.19 for my Xbox.

I have an Amazon Fire TV, 3 Android devices, 2 laptops.

0 Kudos
Superuser
Registered: ‎01-11-2009
Message 14 of 22 (795 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Leave Port triggering alone.

The Port forwarding is to stop SSDP and mDNS queries getting to the device in the DMZ from the internet.

________________________________________


Only use Helpful answer if your problems been solved.

On our wavelength
Registered: ‎25-10-2012
Message 15 of 22 (679 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Hello ravenstar, I'm still on Superhub 1, so I don't have the setting like in your screenshot with local port range 65535-65535, so is it just the case of port forwarding like below? Does it still work out fixing the problem? Thanks.

Name   Port range   Protocol   IP address
SSDP   1900         UDP        192.168.0.253
mDNS   5353         UDP        192.168.0.253

0 Kudos
Superuser
Registered: ‎01-11-2009
Message 16 of 22 (670 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

That will work as long as there's no device currently using that IP address, as the hub will try to send packets there and won't be able to, so it'll drop them.

________________________________________


Only use Helpful answer if your problems been solved.

On our wavelength
Registered: ‎25-10-2012
Message 17 of 22 (667 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Thank you for the fast reply and for putting me at ease.

Joining in
Registered: ‎11-03-2017
Message 18 of 22 (620 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

As have others, I've received the mDNS letter. A Shodan IoT search confirms the mDNS port is open on my public IP.

However, an nmap scan on my network doesn't show any devices listening on the port, and I don't have any port forwarding rules at all in the SuperHub3.

The only thing I can think of is that I've only recently removed my Raspberry Pi from the DMZ, so maybe that showed up...

I'm thinking that, as nmap shows no mDNS ports listening and there aren't any firewall rules I can modify, there's not a lot I can/need to do..!?! Frustrating that you can't apply deny rules to the inbound rules on the firewall.

0 Kudos
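
Added example (not part of any poster's message, and not Virgin's or the hub's own tooling): a check that can be run on a Linux device that sits, or recently sat, in the DMZ, such as a Raspberry Pi, to see whether anything is bound to the SSDP or mDNS UDP ports on a non-loopback address. It parses the kernel's /proc/net/udp table; the sample rows and function names are constructed for illustration, and the address decoding assumes the table came from a little-endian host.

```python
import socket
import struct

# UDP ports named in the thread: SSDP and mDNS.
WATCHED = {1900: "SSDP", 5353: "mDNS"}

# Constructed sample in /proc/net/udp layout (not captured from a real host;
# the real file carries a few more columns after the inode).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  101: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 20111
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20112
  103: 1300A8C0:076C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 20113
  104: 0100007F:076C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 20114
"""

def decode_local(field):
    """'1300A8C0:076C' -> ('192.168.0.19', 1900). Assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)

def exposed_listeners(table_text):
    """Return (service, address, port, uid) for watched ports bound off-loopback."""
    findings = []
    for line in table_text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue                                # not a socket row
        addr, port = decode_local(cols[1])
        # A loopback-only bind cannot be reached through the hub's DMZ setting.
        if port in WATCHED and not addr.startswith("127."):
            findings.append((WATCHED[port], addr, port, int(cols[7])))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:           # IPv4 only; udp6 is separate
            text = fh.read()
    except OSError:
        text = SAMPLE                               # fall back to the constructed rows
    for svc, addr, port, uid in exposed_listeners(text):
        print(f"{svc}: UDP {addr}:{port} is bound (owner uid {uid})")
```

A bind to 0.0.0.0 means the service answers on every interface, so it is reachable from the internet whenever the device is the DMZ host and no forwarding rule diverts that port.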
Dialled in
Registered: ‎05-10-2010
Message 19 of 22 (500 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ


Sorry to drag this up.


Don't Virgin (yes they do, just checked) block the NetBIOS ports from 135 - 139!!!

And I am curious as to why I received a letter saying I had been compromised on my own network (did make me laugh)!!
I am running a PS3 media server program which shares all my media, and no one can access this unless they are on my subnet.
I know my way around a Cisco network / switches and company routing.

Just looked at Shadowscan. WTG geniuses. Pop out the information that there are between 4 and 8 million DNS Amp attack boxes that are still alive. You only need a handful to completely cripple a website.
And to make it worse, they told you what countries have the highest and what port. I always wondered where some idiots got their IP ranges from for Amp Scanning.

Anyway, if it helps, I binned the letter and ignored it, as for me, it was a mere informational.

EDIT - For anyone who has a Linux box, just enter the following to see if your box has NTP enabled and running.

root@sd-104134:~# ntpdc -n -c monlist 192.0.2.1

 

0 Kudos
Superuser
Registered: ‎01-11-2009
Message 20 of 22 (492 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Actually the NetBIOS trio of ports is 135, 139 and 445 - and if you check you'll find Virgin lifted the block a couple of years ago.

Ravenstar68

________________________________________


Only use Helpful answer if your problems been solved.

0 Kudos