NinoS
Tuning in
Message 21 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

I've just received my first mDNS warning letter from VM, but I have my PS4 in DMZ. I'm not willing to disable DMZ, so I'd much prefer a different solution.

Can any PS4 users confirm port forwarding is successful with Super Hub 2? As per the suggestions here and in other topics, I've forwarded port 5353 to an unused local IP as follows:

PF5353.jpg

With the WAN IP, dig displays the following:

; <<>> DiG 9.10.4-P8 <<>> @81.**.**.** -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

However, the pentest-tools website reported:

Starting Nmap 6.00 ( http://****.org ) at 2017-04-16 11:41 EEST
Initiating Ping Scan at 11:41
Scanning 81.**.**.** [4 ports]
Completed Ping Scan at 11:41, 0.06s elapsed (1 total hosts)
Initiating UDP Scan at 11:41
Scanning ...cable.virginm.net (81.**.**.**) [1 port]
Discovered open port 5353/udp on 81.**.**.**
Completed UDP Scan at 11:41, 0.05s elapsed (1 total ports)

[+] Nmap scan report for ...cable.virginm.net (81.**.**.**)
Host is up (0.021s latency).

PORT     STATE SERVICE
5353/udp open  zeroconf

I also checked the nightlydev site, and it shows port 5353 as being open as well. I just can't make sense of this...

Using the PS4's local IP, dig reports:

; <<>> DiG 9.10.4-P8 <<>> @192.168.0.80 -p 5353 -t ptr _services._dns-sd._udp.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_services._dns-sd._udp.local.  IN      PTR

;; ANSWER SECTION:
_services._dns-sd._udp.local. 10 IN     PTR     _spotify-connect._tcp.local.

;; Query time: 0 msec
;; SERVER: 192.168.0.80#5353(192.168.0.80)
;; WHEN: Sun Apr 16 09:49:19 GMT Daylight Time 2017
;; MSG SIZE  rcvd: 82

I don't use Spotify and haven't downloaded it onto the console, but it appears in the report above. Again, running dig using my WAN IP still shows "no servers can be reached", which I thought would mean the port 5353 issue was resolved. Can anyone offer some advice?

Superuser
Message 22 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Just as an update to the above post - which I missed.

Nino posted here - https://community.virginmedia.com/t5/Security-matters/Multicast-DNS-and-DMZ-problems/m-p/3398219

And port forwarding seems to have subsequently kicked in for him and blocked the port.

________________________________________


Only use Helpful answer if your problems been solved.

Superuser
Message 23 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

@ravenstar68 I just had an mDNS letter lol. I know why: I put my PS4 in the DMZ because port forwarding was failing. Funny thing is, they must have scanned so fast, because I didn't waste much time before forwarding mDNS and SSDP to a non-existent internal IP.

- - - - - -
Any opinions expressed by myself are entirely my own and do not represent Virgin Media in any way.
Superuser
Message 24 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.

________________________________________


Only use Helpful answer if your problems been solved.

Superuser
Message 25 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ


ravenstar68 wrote:

My advice is to set up the port forwarding BEFORE putting the PS4 (or anything else for that matter) into the DMZ

Still you must have been really unlucky to be caught by Shadowserver.


Good pointer and yes, they must be scanning VM IP addresses very often.

port.jpg

Yes, I have the DHCP range set to .25 max and there are no devices above .20

- - - - - -
Any opinions expressed by myself are entirely my own and do not represent Virgin Media in any way.
stoffle
On our wavelength
Message 26 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Can I use the same IP addresses as the ones you guys have used?

Also, I have to choose a Predefined rule (service) and I don't know what to choose.

Thank you.

Update

Where it says services I chose a service and then chose the default services tab again so that I could click apply afterwards. Obviously I filled out the other usual information, but does this look correct to you guys? Am I able to use the DMZ again? I deleted Spotify as a precaution (even though it wasn't actually installed) and I am only assuming the PS4 is the issue at this moment in time as that is the only device in the DMZ. Thank you again.

P.S. quite a few months back I posted on these forums about an attack on my router from a player in an online PS4 game, one or two people said it wasn't possible but after receiving this letter it is possible it seems, they shut my internet down for exactly an hour after sending me a message laughing how my internet is going down.

 

Superuser
Message 27 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

First off - Leave the services tab alone.  That is there to assist you if you are setting up forwarding for well known services such as HTTP or FTP by filling in the port values automatically.

You just need to make sure that the IP address you are forwarding to is not likely to be used by any devices.  For this reason I usually use 192.168.0.254 as it's the highest possible IP on your subnet, and unless you have a lot of networked devices, is unlikely to be used.

I'm going to deal with the last part in 2 stages.

First off - having a device on your network respond to mDNS queries from outside, isn't used to attack you directly.  Rather it enables hackers to use your PS4 as part of a DDoS attack on other people.

However while in the past DDoS attacks were mainly used against corporate targets, there is a rise in "stresser" sites enabling anyone to purchase DDoS attacks, so it's certainly within the realm of possibility that the user did launch an attack. However, to deal with such individuals I would contact Sony and let them have his PlayStation ID and the time the conversation took place, as Sony may decide to take action against the individual.

Tim

________________________________________


Only use Helpful answer if your problems been solved.
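
The check the posters run with dig earlier in the thread, as an added Python example that is not part of any post: it sends the same `_services._dns-sd._udp.local` PTR query to UDP 5353 and returns the services that answered plus the reply-to-query size ratio, which is what makes an answering device useful for the reflected DDoS traffic described above. The function names are this example's own; run it against your own WAN address from outside your network.

```python
import socket
import struct

SERVICE_ENUM = "_services._dns-sd._udp.local"  # the name queried with dig in the thread

def build_query(name=SERVICE_ENUM, txid=0x1234):
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    # header (1 question) + labels + root label, QTYPE=PTR (12), QCLASS=IN (1)
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + labels + b"\x00\x00\x0c\x00\x01"

def read_name(msg, pos, depth=0):
    """Decode a possibly compressed DNS name; return (name, next offset)."""
    labels = []
    while True:
        n = msg[pos]
        if n == 0:
            return ".".join(labels), pos + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if depth > 10:
                raise ValueError("compression pointer loop")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[pos + 1], depth + 1)
            return ".".join(labels + [tail]), pos + 2
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n

def parse_ptr_answers(msg):
    """Return the PTR targets in the answer section of a DNS message."""
    qdcount, ancount = struct.unpack("!2H", msg[4:8])
    pos, targets = 12, []
    for _ in range(qdcount):  # skip the echoed question(s)
        pos = read_name(msg, pos)[1] + 4
    for _ in range(ancount):
        pos = read_name(msg, pos)[1]
        rtype, rdlen = struct.unpack("!H6xH", msg[pos:pos + 10])
        if rtype == 12:
            targets.append(read_name(msg, pos + 10)[0])
        pos += 10 + rdlen
    return targets

def probe(host, timeout=3.0):
    """Return (services, reply/query size ratio), or None if nothing answers."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, 5353))
            reply = s.recv(4096)
        except OSError:  # timeout or ICMP error: nothing answered
            return None
    return parse_ptr_answers(reply), len(reply) / len(query)
```

`probe("192.0.2.1")` (a placeholder documentation address) returns `None` when nothing answers within the timeout, which is the result to expect for the WAN address once the forward to an unused IP is in effect.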

Hungryjedi
Joining in
Message 28 of 28

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Received my 1st letter a little while ago and followed the port forwarding advice with no problem. It was saved/enabled when I left the router.

Just received 2nd letter and checked my device to find my port forward has gone/removed. No one has access other than myself to the router so I know I haven't removed it etc. Has this happened to anyone else?

I also have my PS4 in dmz and would rather it stayed that way, but if this is going to continue I might take it out of it.
