Tuning in
Registered: ‎16-04-2017
Message 21 of 25 (369 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

I've just received my first mDNS warning letter from VM, but I have my PS4 in DMZ. I'm not willing to disable DMZ, so I'd much prefer a different solution.

Can any PS4 users confirm port forwarding is successful with Super Hub 2? As per the suggestions here and in other topics, I've forwarded port 5353 to an unused local IP as follows:

PF5353.jpg

With the WAN IP, dig displays the following:

; <<>> DiG 9.10.4-P8 <<>> @81.**.**.** -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

However, the pentest-tools website reported:

Starting Nmap 6.00 ( http://****.org ) at 2017-04-16 11:41 EEST
Initiating Ping Scan at 11:41
Scanning 81.**.**.** [4 ports]
Completed Ping Scan at 11:41, 0.06s elapsed (1 total hosts)
Initiating UDP Scan at 11:41
Scanning ...cable.virginm.net (81.**.**.**) [1 port]
Discovered open port 5353/udp on 81.**.**.**
Completed UDP Scan at 11:41, 0.05s elapsed (1 total ports)

[+] Nmap scan report for ...cable.virginm.net (81.**.**.**)
Host is up (0.021s latency).

PORT     STATE SERVICE
5353/udp open  zeroconf

I also checked the nightlydev site, and it shows port 5353 as being open as well. I just can't make sense of this...

Using the PS4's local IP, dig reports:

; <<>> DiG 9.10.4-P8 <<>> @192.168.0.80 -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_services._dns-sd._udp.local.  IN      PTR

;; ANSWER SECTION:
_services._dns-sd._udp.local. 10 IN     PTR     _spotify-connect._tcp.local.

;; Query time: 0 msec
;; SERVER: 192.168.0.80#5353(192.168.0.80)
;; WHEN: Sun Apr 16 09:49:19 GMT Daylight Time 2017
;; MSG SIZE  rcvd: 82

I don't use Spotify and haven't downloaded it onto the console, but it appears in the report above. Again, running dig using my WAN IP still shows "no servers can be reached", which I thought would mean the port 5353 issue was resolved. Can anyone offer some advice?

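Added example (not part of the original post): a Python version of the check the dig commands above perform, sending the DNS-SD `_services._dns-sd._udp.local` PTR query by unicast to UDP 5353 and listing any service types returned. The function names are the example's own; `probe()` returning `None` means no reply reached the caller, which from outside the LAN is the result the port forward is meant to produce.

```python
import socket, struct

QNAME, TYPE_PTR, CLASS_IN = "_services._dns-sd._udp.local", 12, 1

def build_query(qid=0x1234):  # standard query (flags=0) with one PTR question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in QNAME.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", TYPE_PTR, CLASS_IN)

def read_name(msg, off):
    # Decode a (possibly compressed) name; returns (name, offset just past it).
    labels, end, hops = [], None, 0
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                        # guard against pointer loops
                raise ValueError("compression loop")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse_ptr_answers(msg):
    # PTR targets from the answer section of a DNS/mDNS response.
    _, flags, qd, an = struct.unpack("!4H", msg[:8])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4         # skip QTYPE/QCLASS
    targets = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_PTR:
            targets.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return targets

def probe(host, port=5353, timeout=3.0):
    # Unicast the query; None means no reply arrived before the timeout.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (host, port))
            return parse_ptr_answers(s.recvfrom(4096)[0])
        except OSError:                          # timeout or ICMP-triggered error
            return None
```

A list such as `['_spotify-connect._tcp.local']` from `probe()` corresponds to the ANSWER SECTION dig prints when the responder is reachable.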
Superuser
Registered: ‎01-11-2009
Message 22 of 25 (294 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Just as an update to the above post - which I missed.

Nino posted here - https://community.virginmedia.com/t5/Security-matters/Multicast-DNS-and-DMZ-problems/m-p/3398219

And port forwarding seems to have subsequently kicked in for him and blocked the port.

________________________________________


Only use Helpful answer if your problem's been solved.

Superuser
Registered: ‎22-06-2013
Message 23 of 25 (30 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

@ravenstar68 I just had an mDNS letter lol. I know why: I put my PS4 in the DMZ because port forwarding was failing. Funny thing is, they must have scanned so fast because I didn't waste much time before forwarding mDNS and SSDP to a non-existent internal IP.

- - - - - -
Any opinions expressed by myself are entirely my own and do not represent Virgin Media in any way.
Superuser
Registered: ‎01-11-2009
Message 24 of 25 (27 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.


Superuser
Registered: ‎22-06-2013
Message 25 of 25 (21 Views)

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ


ravenstar68 wrote:

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.


Good pointer and yes, they must be scanning VM IP addresses very often.

port.jpg

Yes I have the DHCP range set to .25 max and there's no devices above .20
