mDNS and SSDP vulnerabilities a suggestion for devices in the DMZ

ravenstar68
Very Insightful Person

The other day I got a letter about a device on my home network responding to Multicast DNS (mDNS) queries from outside my home network.

Other people have received similar letters, and also letters discussing NetBIOS and SSDP vulnerabilities.

These letters come as a result of Virgin Media being contacted by a third-party organisation, shadowserver.org, who send queries out to people's public-facing IPs and see if they get a response back.

Why are Shadowserver doing this?

Quite simply, to enable the closing down of exploits that others can use to mount DDoS attacks against internet users.

Devices in the DMZ

In several cases in the mDNS threads we see devices have been placed in the DMZ to facilitate some aspect of internet connectivity.  In several cases these have been PS4s; in my own case it was a PC.  The problem is that if a device is in the DMZ, all unsolicited traffic is sent to that device - UNLESS there is a separate port forwarding rule in place.  This exposes any flaw in the way a device handles incoming SSDP and mDNS queries from the internet.

False positive?

Several people have suggested that the letters are sent out based on false positives.  Based on my own experience, I would say this is not correct.  Contacting Shadowserver, I was sent the log of what they found from my IP.  I recognised the culprit straight away as being AirServer, which allows me to stream from my iPad to my PC.  However, the logs can be confusing to the average user.

Port blocking?

Advice from Virgin Media suggests blocking inbound ports in the firewall section.  Unfortunately the Superhub 3 does not have any rules to do this, and some people advise that turning up the firewall breaks their gaming experience.  So we need to consider an alternative method.

Using port forwarding to drop the inbound traffic

Inbound traffic is evaluated in the following order:

1. NAT table entry - is it a response to outbound traffic?
2. Port forwarding rule
3. Device in DMZ

So, by setting up port forwarding rules to an IP address that doesn't have anything connected, we can drop the inbound traffic from the internet side of the network.

This won't affect normal LAN traffic, so devices on the same LAN can still find each other.  I've already done this with mDNS and my iPad can still happily find AirServer on my PC, but Shadowserver can no longer find it.

This help article by Virgin Media describes how to port forward on the different Hubs.

As noted above, rules should be set according to the vulnerability, or you can pre-empt them and set them all up.

I currently have:

mDNS - port 5353 UDP forwarded to 192.168.0.253
SSDP - port 1900 UDP forwarded to 192.168.0.253

Will this stop a device connecting to the Internet?

No - these services are meant for use on the Local network only.  Devices connecting to the net use other outbound ports to do so.

Ravenstar68

Note: Windows Firewall makes it possible to limit a system to allowing inbound connections from the same LAN.  I've actually done this with AirServer and a number of other mDNS listeners.  However, as this won't help people who are not using Windows devices, I feel port forwarding offers the easiest option.


I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks


Thanks for clarifying. It all makes sense now. For now I have just used option 1 and forwarded 5353 to an unused IP address. Hopefully this resolves the matter; otherwise I will go for option 2 to specifically forward PS4 5353 incomings to a higher port number.

Thanks again. 

Best,

V

DJ-Daz
Tuning in

I have just received my second email, so I asked https://shadowserver.org to look into it for me.

They were pretty quick with the reply.

The report doesn't give a whole lot of identifying information, but rather only says "_spotify-connect._tcp.local.".

So, I can at least tell you that Spotify is the culprit, but I can't tell you /what/ device the Spotify service is running on.

Hope this helps,

So it's Spotify. Ironically, Spotify is run and partially owned by Daniel Ek, who also ran Napster and μTorrent, so it was no surprise when I discovered that Spotify caches songs locally and also streams them to other users. It's partially decentralised. Hence port 5353 mDNS.

用心棒
Very Insightful Person

Did you try the port forwarding solution discussed earlier in this thread?

I have, I've also deleted Spotify, I don't use it anyway.

5353 routed to .253

Hopefully that will stop any more emails.

ravenstar68
Very Insightful Person

In the past we've found the culprit to be the Spotify service on things like PS4 rather than PC.

If you want to check, you can download BIND and install just the tools, which include dig.

Once installed, you can use dig to find out which device the service is running on.

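As an added example (not code from this thread, Virgin Media or Shadowserver), the following Python does by hand what the dig step above does: it builds the mDNS PTR query for `_spotify-connect._tcp.local` and decodes the PTR, SRV and A records of a reply, where the SRV target and A record name the host and LAN address actually running the service. The reply bytes (instance "PS4", host PS4.local, port 4070, address 192.168.0.20) are constructed for the example and are not from any real device.

```python
import socket, struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # mDNS link-local multicast group and port
PTR, SRV, A = 12, 33, 1                       # record types: instance name, host+port, IPv4
def encode_name(name):                        # DNS wire form: length-prefixed labels, NUL end
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\0"
def build_query(service, qtype=PTR):          # one-question query, as dig -p 5353 would send it
    return struct.pack(">6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack(">HH", qtype, 1)

def read_name(pkt, off):                      # decode a name, following 0xC0 compression pointers
    labels, end = [], None
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:               # pointer: remember where the caller resumes, then jump
            end = off + 2 if end is None else end
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", off if end is None else end

def parse_records(pkt):                       # (name, type, rdata) for every resource record
    qd, an, ns, ar = struct.unpack(">4H", pkt[4:12])
    off, out = 12, []
    for _ in range(qd):                       # skip any echoed question
        off = read_name(pkt, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == PTR:                      # an instance of the queried service
            rdata = read_name(pkt, off)[0]
        elif rtype == SRV:                    # priority, weight, port, then the target host name
            rdata = (struct.unpack(">H", rdata[4:6])[0], read_name(pkt, off + 6)[0])
        elif rtype == A:                      # the host's IPv4 address, i.e. the device itself
            rdata = socket.inet_ntoa(rdata)
        out.append((name, rtype, rdata))
        off += rdlen
    return out

# Constructed sample reply: one PTR answer plus SRV and A additionals, using name compression.
SAMPLE = (struct.pack(">6H", 0, 0x8400, 0, 1, 0, 2) + encode_name("_spotify-connect._tcp.local")
          + struct.pack(">HHIH", PTR, 0x8001, 4500, 6) + b"\x03PS4\xc0\x0c"   # "PS4" + ptr to offset 12
          + b"\xc0\x33" + struct.pack(">HHIH", SRV, 0x8001, 120, 17) + struct.pack(">3H", 0, 0, 4070)
          + encode_name("PS4.local") + b"\xc0\x4b" + struct.pack(">HHIH", A, 0x8001, 120, 4)
          + socket.inet_aton("192.168.0.20"))
```

To check a real LAN, send `build_query("_spotify-connect._tcp.local")` from a UDP socket to MDNS_GROUP:MDNS_PORT and pass each datagram received over the next second or two to `parse_records`; the A record (or simply the datagram's source address) names the device that answered.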