Virgin Media Security Alert – Multicast DNS Vulnerability

[Exe_uz]

Hi guys, does anyone know how to block port 5353 on the R2 as VM keep sending me letters stating i have a "Multicast DNS Vulnerability".

FYI the R2 is in the DMZ on the SH3 and it's in router mode with the default firewall settings. There are no port forwarding or port triggers rules.

URL from VM regarding resolution of said issue http://virginmedia.com/mdns

All my devices are connected to the R2 and not SH3

Edited April 6, 2021 by Exe_uz
Additional info

[Newfie]

You can’t write firewall rules on the R2, for that you would need to step up to a more complex router that includes that which tend to be more aimed at businesses or the more complex home routers. 

However the R2 has a firewall even though it’s in the DMZ on your Virgin router, unfortunately I don’t know much about the firewall on the R2 so Fraser or Liam will be able to help more. The important thing is don’t have any devices under the R2 DMZ as that leaves them open to abuse. 
 

At a guess it’s due to DMZ and do you by any chance have a console or PC set in the R2 DMZ?

 

[Exe_uz]

Thank you @Newfie for your response, but the DMZ is only used on SH3 with R2 IP in, the DMZ on the R2 isn't used 😞 

[Newfie]

Fraser has Virgin so may know more info on why. 

[Netduma Fraser]

Have you done any manual port forwarding on the R2? As mentioned I have VM and the R2 plugged directly in to it and I've not had this before. You may not have even port forwarded but it may be UPnP has opened the port to the affected device. Do you see the port listed in UPnP?

[Exe_uz]

Hi Frazer, thanks for your response. I have no manual port forwarding rules and the only ports in UPnP are UDP - 9308 & 3074 for the PS5. Would watching Cinema HD app on Amazon FireTV be an issue?

[Newfie]

https://community.virginmedia.com/t5/Networking-and-WiFi/Network-Attack-email-amp-Multicast-DNS-letter/td-p/4355276

just linked above as this poster has an R2 too.

is your fire stick unlocked and have you Kodi installed?

https://community.virginmedia.com/t5/Security-matters/mDNS-and-SSDP-vulnerabilities-a-suggestion-for-devices-in-the/td-p/3308201/highlight/true/page/3

ive linked the above, lots of talk over the PS4 being in DMZ but there is a solution they use close the port which is on this thread. In basic terms they setup a portwarding rule to an address that’s not used internally on the Virgin router then they put the PS4 in DMZ.

 

[Exe_uz]

Thanks @Newfie for your help, i'll see if i can set up the port forwarding rule on the SH3

[appleround]

Hey @Newfie the linked Virgin forum post is mine.

FYI The issue never got sorted and i kept getting letters, In the end i phoned Virgin and told them to stop sending them as i'd done everything i could to stop the supposed Multicast DNS and scanned all the devices on my Network for virus's/spyware with everything being clean and from what i could tell, set up correctly.

Hopefully @Exe_uz you manage to get it sorted 👍

 

[Exe_uz]

Hi @appleround thanks for the info. Did you try using the port forwarding rule as per suggested by @Newfie to alleviate the problem?? Also, how do you find Virgin Media regarding line quality as mine has lots of spikes and no matter what i do can't get anywhere near a smooth flat(ish) line?

[Newfie]

8 hours ago, appleround said:

Hey @Newfie the linked Virgin forum post is mine.

FYI The issue never got sorted and i kept getting letters, In the end i phoned Virgin and told them to stop sending them as i'd done everything i could to stop the supposed Multicast DNS and scanned all the devices on my Network for virus's/spyware with everything being clean and from what i could tell, set up correctly.

Hopefully @Exe_uz you manage to get it sorted 👍

 

Thanks for posting.

I came across it after doing a search and hoped it would help. Am I right in thinking it’s the DMZ that’s causing the issue with a console?
I briefly read through but I’m guessing if firewall rules could be created it could block that port fairly easy if needed.
It seems Virgin use a third party that looks at your connection and detects potential issues.

 

[appleround]

Hey Guys,

I presume its the DMZ that caused the issue, although I'm not 100% on that, just with the timing of the emails and letters i'd recieved after doing so.

I did add port 5353 to my PC's firewall to be blocked, whether that helped or not I'm not sure.

I haven't tried the suggested Port Forwarding on the superhub yet as its now back in Modem mode. It might be something I'll try eventually though.

@Exe_uz My Line quality is pretty spikey also, it's not so bad when I've got my sliders set to 75% down and 30% up. (200d/20u)

[pmg]

Just having exactly the same issue from virginmedia , I also presume its because my playstation is in dmz . I'd not suffered this in the past due to  the fact the r2 was behind another router but now its directly into the virginmedia modem they have contacted me.

bummer there is no solution , might have to revert to my old network setup

[Exe_uz]

Ever since i put it in modem mode i never had the issue again, and the letters from VM stopped haha My PS5 isn't in the DMZ, i just assigned it a static IP and let UPnP do its thing

[pmg]

If you look at any router security sites like https://routersecurity.org/checklist.php  

upnp is really not great from a security pov  , if you visit something like https://www.grc.com/shieldsup   you might see different devices have popped lots of holes in your network using UPNP.

I am aware I am probably being over cautious 🤣 I'm just trying to stop myself from being hacked.

To be fair I probably shouldnt be putting a device in dmz either mind you. Hence getting the virginmedia multicast email.

[Netduma Fraser]

As above do you have the VM in modem mode or router mode? Does modem mode seem to resolve it?

[pmg]

the superhub is in modem mode

[Netduma Fraser]

Has that resolved it or was it already in modem mode?

[pmg]

Hi Fraser ,

it was already in modem mode. I'd rather go back to my old set up of an edgerouter in front of the netduma if I have to put it behind another device in a router mode.

I just came to the forums looking for a solution that avoided that. It would be good if we had a way of blocking ports on the netduma and dropping traffic from the outside so it looks like there is no response on them. Its impossible to achieve full stealth ports on the netduma , so someone can see a device is there if they ping certain ports. Image shows a port scan on the netduma sat behind the superhub in modem mode , and shows closed ports (blue) that are responding. (when no devices are in DMZ, ports 138 ,139 and 445 are still not in stealth but the rest are good). When using the edgerouter in front of the netduma its fully green showing all ports in stealth. Which is the preferred outcome.

I was just trying out the new firmwares on the R2 , it used to crash daily for me in the past requiring a daily reboot when I was using the netduma to control my full network but does seem much improved now.

I just have this virginmedia multicast warning  issue now.

 

[Netduma Fraser]

Thinking about it actually you could do the following:

1. Disable Allow Ping in WAN Settings
2. Use Traffic Controller to block the ports for ALL devices

That could potentially work, give it a try and let us know!

[pmg]

Hi Fraser,

many thanks for that I have done as you said but just for that port 5353. I'll see if I get any more emails from them.

As a side note port scan protection really does work when dmz is not enabled , when port scan is off it shows ports as closed but when its on its shows in stealth.

Apart from it doesnt seem to work on the following ports for me 135, 139 and 445 not sure whether thats a bug ? or intentional that those 3 ports dont seem to be effected by port scan protection.

 

[Netduma Fraser]

Great let us know! I'm not sure about that actually, I'll have to ask the team about it and get back to you.