Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

ravenstar68
Very Insightful Person
Very Insightful Person

on ‎12-01-2017 15:34

The other day I got a letter about a device on my home network responding to Multicast DNS (mDNS) queries from outside my home network.

Other people have received similar letters and also letters discussing Netbios, and SSDP vulnerabilities as well.

These letters come as a result of Virgin Media being contacted by a third party organisation -shadowserver.org  Who send queries out to peoples public facing IP's and see if they get a response back.

Why are Shadowserver doing this?

Quite simply to enable the closing down of exploits that others can use to mount DDOS attacks against internet users.

Devices in the DMZ

In several cases in the mDNS threads we see devices have been placed in the DMZ to facilitate some aspect of internet connectivity.  In several cases these have been PS4's in my own case it was a PC.  The problem is that if a device is in the DMZ - all unsolicited traffic is sent to that device - UNLESS there is a separate port forwarding rule in place.  This exposes any flaw in the way a device handles incoming SSDP and mDNS queries from the internet.

False positive?

Several people have suggested that the letters are sent out based on false positives.  Based on my own experience, I would say this is not correct.  Contacting Shadowserver, I was sent the log of what they found from my IP.  I recognised the culprit straight away as being Airserver, which allows me to stream from my Ipad to my PC.  However the logs can be confusing to the average user.

Port blocking?

Advice from Virgin Media suggests blocking inbound ports in the firewall section.  Unfortunately the Superhub 3 does not have any rules to do this, and some people advise that turning up the firewall breaks their gaming experience.  So we need to consider an alternative method.

Using Port Fowawrding to drop the inbound traffic.

Inbound traffic is evaluated in the following order.

NAT table entry - response to outbound traffic?
Port Forwarding rule
Device in DMZ

So by setting up port forwarding rules to an IP address that doesn't have anything connected we can drop the inbound traffic from the internet side of the network.

This won't affect normal LAN traffic, so devices on the same LAN can still find each other.  I've already done this with mDNS and my IPad can still happily find Airserver on my PC but Shadowserver can no longer find it.

This help article by Virgin Media describes for to Port Forward on the different Hubs

As noted above rules should be set according to the Vulnerability or you can preempt them.  And set them all up.

I currently have mDNS - Port 5353 UDP forwarded to 192.168.0.253
                         SSDP - Port 1900 UDP forwarded to 192.168.0.253

Will this stop a device connecting to the Internet?

No - these services are meant for use on the Local network only.  Devices connecting to the net use other outbound ports to do so.

Ravenstar68

Note: Windows Firewall makes it possible to limit a system to allowing inbound connections from the same LAN.  I've actually done this with Airserver and a number of other mDNS listeners.  However as this won't help people who are not using Windows devices, I feel port forwarding offers the easiest option.

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

54 REPLIES 54

James_W
Community Manager (Retired)
Community Manager (Retired)

on ‎13-01-2017 11:44

Thanks for this erudite posting @ravenstar68 - it explains the vulnerabilities really well.

You'll be pleased to know that virginmedia.com/mdns has been updated to include Hub 3.0 port blocking advice, as well as information about the DMZ.

Our other articles on similar subjects are being updated too.

 


New around here? To find out more about the Community check out our Getting Started guide


SeraphTC
Joining in

‎19-01-2017 15:15 - edited ‎19-01-2017 15:44

@ravenstar68 wrote:

False positive?

Several people have suggested that the letters are sent out based on false positives.  Based on my own experience, I would say this is not correct.  Contacting Shadowserver, I was sent the log of what they found from my IP.  I recognised the culprit straight away as being Airserver, which allows me to stream from my Ipad to my PC.  However the logs can be confusing to the average user.


 

In some cases it actually appears as if the VM device itself is the culprit, rather than any device beyond it on the LAN, so whilst that would not constitute a false positive, it's not something than end users should be resolving either.....

I've used other services to check my network and can't get any positive results, so I'd like to take a look at whatever Shadowserver have found.

What method did you use to contact Shadowserver and obtain the relevant logs please?

Many Thanks

0 Kudos

ravenstar68
Very Insightful Person
Very Insightful Person
In response to SeraphTC

‎19-01-2017 15:51 - edited ‎19-01-2017 15:53

They can be contacted via email.

Their site advises they can be reached at  dnsscan [at] shadowserver [dot] org - obviously replace the at and dot with the relevant symbols.

Edit I can try a dig too it you'd like - PM me with your IP address if you'd like me to do this.

Ravenstar68

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

0 Kudos

monkehfu
Dialled in

on ‎19-01-2017 22:03

Great post. After following the advice of forwarding to an IP not connected to anything, and then contacting ShadowServer for a test, I no longer show having any issues with mDNS.

vjam25
Joining in

on ‎20-01-2017 11:29

Thank You for this information, I've been directed here by another user having had a letter from VM about my Super hub ac2 & potential security issues /DDoS vulnerabilities. The reality is that this is a completely different language for me and I can only just grasp what's going on. I've duly gone to the VM website to follow instructions on port blocking and port forwarding and even the DMZ and port 1900 thing. I currently have no rules in there already to delete or edit. We use out WiFi for TV, 2 smartphones, 2 tablets and an Amazon Firestick. We don't play games online (our kids are 3 & 5 so no risk we don't know about it!).

I quote you here: 

"As noted above rules should be set according to the Vulnerability or you can preempt them.  And set them all up.

I currently have mDNS - Port 5353 UDP forwarded to 192.168.0.253
                         SSDP - Port 1900 UDP forwarded to 192.168.0.25"

Can I show my ignorance and ask what this means? And how do I do this myself, how do I know which Ports I have? Without selecting one, I'm unable to add any blocking or forwarding rules? I phoned VM for help but they were frankly, useless and told me I'd have to go through to a dept that charges for their time (despite the letter saying it may be a 3rd party who has created this issue) 

Thank You for helping. 

ravenstar68
Very Insightful Person
Very Insightful Person
In response to vjam25

on ‎20-01-2017 12:35

It helps to know the EXACT wording on the letter so we can give advice tailored specifically to your needs.

All network devices use ports to communicate.  They're not physical ports as such but a connection at the TCP/IP level for example needs two pieces of information.

An IP address
A port number

We also need the IP address and the port number of the device making the connection in the first place.  So a connection consists of the following

Source IP        - Source Port
Destination IP - Destination Port 

 

Lets look at an example connection and reply to a website in Wireshark

bbccap.JPG

The ports used are highlighted in yellow.

My fix takes the ports that should not be accessible from the internet

5353 UDP - mDNS
1900 UDP - SSDP

and forwards inbound connections to an unused IP address.  This in effect causes queries from the internet to be dropped but still allows devices on the local network to respond to one another as normal.

In my case Airserver was responding on port 5353 so I port forwarded this.  Now Shadowserver no longer see it, and more importantly - neither does anyone else.  However my IPad can still connect to it when on the same LAN.

Ravenstar68

 

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

0 Kudos

shanematthews
Problem sorter
In response to ravenstar68

on ‎20-01-2017 23:19

I never get these letters, maybe i should setup a windows XP SP0 install and disable the admin password, enable unrestricted remote access and disable the windows firewall and stick it in the DMZ for **bleep**s and giggles 😛

monkehfu
Dialled in
In response to shanematthews

on ‎30-01-2017 22:54

OK, scratch that. Had a third letter today regarding mDNS. 

Something isn't right. ShadowServer confirmed weeks ago that my IP was no longer showing any issues with 5353 after implementing the work arounds mentioned here, yet, apparently, Virgin are saying otherwise. 

I will be contacting no ShadowServer again tomorrow to reconfirm that things are fixed. 

0 Kudos

monkehfu
Dialled in
In response to monkehfu

on ‎31-01-2017 13:05

Has anyone successfully managed to contact anyone at VirginMedia Internet Security at Matrix Court?
0 Kudos
Top