Superuser
Message 31 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

While you might know your way around your router - that does not make you an expert on networking if I may say so.

You're getting the mDNS letter because something on your network is responding to an mDNS probe from OUTSIDE your network. These probes, along with other types of probe, are sent by an organisation called Shadowserver, whose aim is to encourage organisations and individuals to close down these holes.

Many of these scan types probe vulnerabilities that can be used to include your system as part of a DDoS attack against a third party without your knowledge.

Blocking outbound mDNS is not the problem; indeed, depending on how it's done, it can cause more problems than it solves.

My solution for devices in the DMZ was to create a port forwarding rule that routes the inbound packets to a different port to 5353. This is because mDNS ONLY listens on that port. On the Hub 3 at least, port forwarding rules are applied BEFORE the DMZ is considered. So by doing this I was effectively forcing my PC to drop the inbound mDNS packets from outside the network (as I chose a port that the PC doesn't listen on).

However, mDNS packets generated from devices inside my network still continue to reach their targets (i.e. other devices on my LAN).

Note that Shadowserver ONLY see a positive when they get an mDNS response back from a query sent to your PUBLIC IP. Virgin Media don't monitor your outbound traffic; they respond to notifications from Shadowserver that your IP address has responded to their queries.

Tim

________________________________________


Only use Helpful answer if your problem's been solved.

gonepearshaped
Joining in
Message 32 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

@ravenstar68. Actually I used to be a network engineer.

I do not have any DMZ set up and, as mentioned, I have 1 port open which is not mDNS related. UPnP also isn't enabled, and looking at the active NAT sessions there is no port 5353 open.

Using https://hackertarget.com/udp-port-scan/ you can see that the port is effectively dropped, so as mentioned in my email, unless Shadowserver is intercepting outbound requests I'm not sure how they've come to the conclusion that I'm open to mDNS queries.

As per standard firewall rules, open/filtered means there's no response on that port.

Starting Nmap 7.40 ( https://nmap.org ) at 2018-12-19 09:40 UTC
Nmap scan report for X.X.X.X
Host is up.
PORT      STATE         SERVICE
53/udp    open|filtered domain
69/udp    open|filtered tftp
123/udp   open|filtered ntp
161/udp   open|filtered snmp
1900/udp  open|filtered upnp
5353/udp  open|filtered zeroconf
11211/udp open|filtered memcache


Superuser
Message 33 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Well, my suggestion at this point would be to ask Shadowserver if they can provide you with the mDNS response string seen, as well as ask them to check directly if they can still see mDNS responses from your public IP. That way you cut out the middleman, as it were.

Certainly, when I asked them for the information, they did provide it.

Details on Shadowserver's mDNS project can be found here, including how to contact them.

https://mdns.shadowserver.org/

Tim

Edit: 5353 shouldn't show in an active NAT session. While the mDNS RFC DOES allow for responses from remote IP addresses, in practice all transactions should only really be on the local network and not cross the LAN/WAN boundary.


cwatty
Tuning in
Message 34 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

Have received four letters from Virgin Media this year so far about this issue. Again, like everyone else, it's because I have a PS4 in the DMZ on my Asus RT-N66U Router that I use as well; frankly, the Super Hub 2 I have is woeful, so it's best left running only in Modem Mode.

Have tried to create a Port Forward Rule in the Asus Router Configuration for the PS4, routing the Port 5353 stuff to a non-existent device on the network with IP Address 192.168.1.253. I've also gone into the Firewall Section of the Router and under the Network Services Filter created a Black List rule that the PS4 can't communicate with any IP Address on LAN or WAN on Port 5353, and ensured that Rule is in force 24/7.

Yet I still keep receiving these letters. Not sure what else to do in my Router settings to stop this.
Superuser
Message 35 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

I don't work for VM, but would you be willing to let me have your public IP address so I can see what an mDNS query returns?

I'll understand if you don't wish to do this. If you do, however, drop me a PM and I'll have a look. It might not be until later tonight or tomorrow though.

Tim

Edit: Don't post your IP on the open forums, and do consider carefully before accepting my offer. While I know I am trustworthy, you'll have to decide whether or not you feel comfortable sharing.


cwatty
Tuning in
Message 36 of 36

Re: mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

I've done a scan via the hackertarget website and the result comes back:

PORT STATE SERVICE
53/udp closed domain
69/udp closed tftp
123/udp closed ntp
161/udp closed snmp
1900/udp open|filtered upnp
5353/udp open zeroconf
11211/udp closed memcache

Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds

So despite my best efforts so far my Asus RT-N66U Router is still allowing access on that port.
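The check the thread keeps coming back to, as an added example that is not from any poster: a small Python script that sends the standard DNS-SD service-enumeration query to UDP/5353 of an address you are responsible for (your own public IP, as the posters do with nmap) and decodes the PTR answers, which is the "response string" a scanner such as Shadowserver's would record. The function names and the assumed target IP are my own; no answer corresponds to the open|filtered result above, a decoded list to the open one.

```python
# Added self-check (not from the thread): probe an address you are responsible for on UDP/5353 the
# way an external mDNS scanner would, and decode any answer into the advertised service types.
import socket
import struct
MDNS_PORT = 5353
SERVICES_NAME = "_services._dns-sd._udp.local"  # standard DNS-SD enumeration name

def build_query(name=SERVICES_NAME, txid=0):
    """One PTR question, IN class, with the unicast-response (QU) bit set."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 12, 0x8001)  # type PTR, class IN | QU bit

def read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; returns (name, next_off)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = pkt[off]
        if length == 0:
            return ".".join(labels), (next_off if jumped else off + 1)
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            next_off = next_off if jumped else off + 2
            off, jumped = ((length & 0x3F) << 8) | pkt[off + 1], True
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_answers(pkt):
    """Return the PTR targets in the answer section (the advertised service types)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = read_name(pkt, off)[1] + 4  # skip the echoed question (name + type + class)
    names = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 12:  # PTR record: rdata is a (possibly compressed) name
            names.append(read_name(pkt, off)[0])
        off += rdlen
    return names

def check_host(ip, timeout=2.0):
    """None = no answer (the thread's open|filtered); a list = host answers mDNS from the WAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (ip, MDNS_PORT))
        try:
            return parse_answers(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

Call `check_host("203.0.113.10")` with your own public address substituted (that one is a documentation placeholder); a fixed router should return None.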