monkehfu

Multicast DNS letter and DMZ

Dear VM.

Thank you for my letter this morning regarding possible mDNS vulnerability.

Alas, due to your inadequate network provision and inflexibility of your own Hub hardware, I run my PS4 in a DMZ.

Yes, the PS4 is a multicast device
Yes, I am aware of the possible risks
Yes, I do actually know what I'm doing (I work in internet security).

Whilst we're busy pointing out vulnerabilities, maybe you could address a couple of your own?

Hub access is not over https
Hub password field is plain text and not hidden

So before you try to force-feed me pointless security advice, you might want to address some of your own serious flaws beforehand.

Thanks in advance.

Kippies

Re: Multicast DNS letter and DMZ

If you work in Internet Security, why are you questioning decent advice provided by a responsible ISP?

As it's part of your job, can you let us know what the comparative risks are between allowing a plain text password LAN side and exposing mDNS WAN side?

And why your PS4 is in a DMZ?

monkehfu

Re: Multicast DNS letter and DMZ

LAN: Just because it's transmitted LAN side, a plain text password is still interceptable. Passwords over HTTP have always been inherently insecure irrespective of LAN/WAN, hence why TLS and HTTPS exist.

Hypertext transfer protocol is used at layer 7 of the OSI model. This is an application layer protocol that transmits the information in plain text. This was fine when there were static websites or websites that did not require any input from the user. Anyone can set up a MITM proxy in between and listen to all the traffic or modify that traffic for personal gain. Now that we have entered the web 2.0 world, we need to ensure that the user's interaction is secured. This is ensured by using the secured version of HTTP, i.e. HTTPS. Using HTTPS, the traffic is encrypted as soon as it leaves layer 7.

Obviously one issue here is the mDNS possible exploit, which can be used to capture that plain text password. They don't even hash the password input, which is poor design and only requires the input box to be changed to type="password". Simple HTML.

And don't get me started on how poor password implementation is on VM accounts. A true secure password would be a minimum of 12 chars and allow a mix of upper/lower case letters, numbers and special characters (Aa1$). VM use a max of 10 characters but only with Aa1. It's poor practice.

As for using a DMZ. This is more down to how VM have implemented DMZ on their routers. If designed properly, there should be very little risk in using this function. It's fairly common to run HTTP/FTP through a DMZ and although not perfect, the single firewall approach on the router should still function preventing flooding etc.

Placing a games console in DMZ improves connection and lag/latency hugely. Ideally, yes there should be a two firewall approach and companies like Sony use P2P and have firewalls at their end of the connection. So in theory, there should be no issue running a PS4 in a DMZ. And yes, the PS4 is a multicast device, so would cause mDNS traffic. As you are only broadcasting game packets 90% of the time, the risk is minimal with the largest being a DDoS attack, but if the VM firewall is implemented properly, this should prevent anything else on the network be affected.

Another benefit is NAT. Not everything is NAT Type 2. Take Modern Warfare (2019): this uses NAT Type 0, but the PS4 uses NAT Type 2. Placing the PS4 into a DMZ makes this switching smoother, whereas, without it, you get endless conflicts as the Hub tries forcing everything into Type 2.

The questions come when you try to find out how VM have implemented DMZs on their hardware. The configuration is severely limited. The firewall is non-configurable other than yes/no and there's no configuration for the DMZ other than IP address. So the issue lies with VM's implementation on their Hubs.

Because of their poor design, they are the issue with mDNS and DMZ and the risk of intercepting PTxT passwords.

My god, don't tell them I use alt DNS servers too 🙂

Placing the blame on users is lazy, and harassing them monthly about the report of mDNS without real explanation is just a scare tactic to force users to conform instead of addressing their own flaws in their hardware/software implementation.

The solution would be VM fixing their platform. Alternatively, they should just issue modems and the end-user uses their own router with granular control.

Fwiw, I never had this issue when using my own router. It only exists if using the VM hub alone.
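The exposure this thread argues about, as an added example that is not from the post or from Virgin Media: a small DNS wire-format parser that flags mDNS answers a device has unicast to an address outside the LAN, which is what happens when a DMZ'd console answers queries arriving from the WAN. It assumes the standard mDNS port 5353 and a LAN prefix of 192.168.0.0/24; the sample packets are constructed.

```python
import ipaddress, struct
MDNS_PORT = 5353                       # RFC 6762 port; an assumption, the thread never names it
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}

def encode_name(name):
    """DNS wire form of a dotted name: length-prefixed labels plus the root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"

def build_mdns_response(names):
    """Constructed sample: QR=1 AA=1 reply with one A record (192.168.0.10, TTL 120) per name."""
    rr = struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 0, 10])
    return struct.pack("!6H", 0, 0x8400, 0, len(names), 0, 0) + b"".join(encode_name(n) + rr for n in names)

def read_name(payload, off, end=None):
    """Decode a label sequence, following RFC 1035 compression pointers; return (name, next offset)."""
    labels = []
    while (n := payload[off]) != 0:
        if n & 0xC0 == 0xC0:                       # pointer: remember where we left off, then jump
            end, off = (off + 2 if end is None else end), ((n & 0x3F) << 8) | payload[off + 1]
        else:
            labels.append(payload[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def answered_names(payload):
    """(is_response, names in the answer section) for a DNS/mDNS message."""
    flags, qd, an = struct.unpack("!6H", payload[:12])[1:4]
    off, names = 12, []
    for _ in range(qd):                            # skip questions: name + QTYPE + QCLASS
        _n, off = read_name(payload, off); off += 4
    for _ in range(an):                            # answer: name + 10 fixed bytes + RDATA
        name, off = read_name(payload, off)
        off += 10 + struct.unpack("!H", payload[off + 8:off + 10])[0]
        names.append(name)
    return bool(flags & 0x8000), names

def exposed_mdns_answers(packets, lan):
    """mDNS replies unicast outside the LAN prefix: the device answered a query that came from off-link."""
    lan, hits = ipaddress.ip_network(lan), []
    for p in (q for q in packets if q["sport"] == MDNS_PORT):
        is_resp, names = answered_names(p["payload"])
        dst = ipaddress.ip_address(p["dst"])
        if is_resp and dst not in MDNS_GROUPS and dst not in lan:
            hits.append((p["dst"], names))
    return hits

def sample_packets():
    """Constructed capture: a normal multicast reply, then the same reply unicast to a public address."""
    reply = build_mdns_response(["PS4.local"])
    return [{"src": "192.168.0.10", "dst": "224.0.0.251", "sport": MDNS_PORT, "payload": reply},
            {"src": "192.168.0.10", "dst": "203.0.113.7", "sport": MDNS_PORT, "payload": reply}]
```

Run `exposed_mdns_answers(sample_packets(), "192.168.0.0/24")` to see only the unicast reply reported; on a real capture, any hit means the host is answering mDNS for the Internet and belongs behind the firewall, not in the DMZ.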

80211ac

Re: Multicast DNS letter and DMZ

Thank you for the write-up. I am surprised that Virgin haven't responded back to your final comment. They are probably scratching heads! I had the exact same issue and the only way to get by was to forward port 53 to an unused IP address to stop getting the letters. Now I use a personal router so haven't had a need to forward a port yet!

coffeeguy66

Re: Multicast DNS letter and DMZ

Thanks for this monkehfu. I was recently having issues with my PS4 internet connection (wired, not wi-fi) using a TP-Link. I Googled the issue I had and somewhere it mentioned changing the settings on the router to enable the DMZ, which helps with certain connection issues. I did this and thought nothing more; network connection fine. Next thing we know, we are getting letters from VM regarding the Multicast DNS vulnerability. I followed their instructions (I'm okay with the basics but no expert) and could not even find anything open in port forwarding. Another letter has just arrived and after some searching I found your post regarding mDNS and DMZ... then the penny dropped. I've disabled the DMZ. Haven't fired up the PS4 yet but thanks for your excellent response to VM! They warn you of issues but don't seem to offer much help in how to solve them.