Solved

How do I stop the UDP port 5353 mDNS floods on our LAN?

Posted on 2011-02-11
18,539 Views
Last Modified: 2012-05-11
I've looked all over the Internet trying to find a good solution to my problem, to no avail.

Lately, we are seeing our LAN brought to its knees by mDNS floods.  

When analyzing the traffic using Wireshark, I am seeing that numerous devices are broadcasting and responding using UDP port 5353 to a multicast IP address of 224.0.0.251.

Most of these devices are laptops and PCs with iTunes installed and the Bonjour service running.  The same happens for printers with Bonjour enabled, and any iPods and iPhones that connect to the wireless network.

I keep turning off Bonjour on each PC, and printer, and tell each user to disconnect their iPod or iPhone from the company wireless network, but all it takes is one person to get a new iPhone or iPod, and it starts happening again.

What can I do to track down the specific culprit (if there is one), and/or what can be done on a larger/centralized scale to avoid the micromanagement nightmare of kicking all of these devices off the network one by one?

Embedded is an image showing the traffic in Wireshark.
[Image: Wireshark capture of mDNS flood]
Question by:lancejackson
11 Comments
 
LVL 22

Accepted Solution

by: Matt V earned 125 total points
ID: 34875038
If you are in a domain, you can issue a group policy to stop the bonjour executable from executing.  This should eliminate the worst of it.

This is precisely why our company does not allow non-corporate devices to access our network or hardware.  Company money and time wasted solving a problem caused by non-company technology.
 
LVL 7

Assisted Solution

by:bclongacre
bclongacre earned 250 total points
ID: 34875381
My personal recommendation is to secure your environment so that end users cannot connect devices to the network without going through your or your IT department.  When anyone can bring any device into your environment and connect it on demand, you open yourself up for huge headaches and potential liabilities.  Tracking down the source of a problem is often much more difficult when hands you do not even know about are in the cookie jar, digging around.

One way to stop this issue is to secure your wireless networks by MAC authentication, therefore restricting access to only specific devices that you have determined to be allowed.

Other potential solutions could involve possible firewall rules that affect LAN to ANY traffic related to the specific Service or Port(s), in this case UDP port 5353, to block or deny access.  These rules could potentially be applied via hardware firewall/network equipment, network intrusion prevention software, or as stated above this could also be controlled via domain policy.
 

Author Comment

by:lancejackson
ID: 34875893
All of these are great suggestions and would probably squash the problem altogether, but I guess my follow-up would be this:

The people on the network are allowed to be there, so I'm not worried about that. And, if I am not mistaken, there will be some application development going on for such devices.  So, I need to find out why this is happening, and kill the cause.

Correct me if I am wrong, but shouldn't a network be able to handle iPhones, iPads and other devices that use the Bonjour service without screeching to a halt?

All it takes is literally one new Apple device or iTunes installation for the mass broadcasting to freeze our switches.

When monitoring with Wireshark, when the network is normal, and under heavy load, there might be an average of 300 packets per second, but when one of these devices enters the network, it jumps to about 1800, and connections start getting dropped.

I have seen packet flood control on my 3com switches, and I want to turn it on, but I am not sure if the packet rate control is per port or for the entire switch bank.  
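
One way to find the culprit from a capture like the one described in the question and the follow-up above, instead of kicking devices off one by one. This is an added example, not code from this thread: it ranks every source sending to 224.0.0.251/UDP 5353 by its peak per-second packet rate and counts how many of those packets are responses. The input format (a tshark field export), the 10.0.0.x addresses, the sample rows and the 100 packets/s threshold are assumptions constructed for the example.

```python
"""Rank LAN hosts by mDNS packets per second from a tshark-style field export.
Assumed (constructed) input: CSV with the fields frame.time_epoch, ip.src,
ip.dst, udp.dstport and dns.flags.response, as `tshark -T fields -E header=y
-E separator=,` would emit; hosts 10.0.0.x are made up for this example."""
import csv
from collections import Counter, defaultdict
from io import StringIO

MDNS_GROUP = "224.0.0.251"  # mDNS multicast group seen in the capture
MDNS_PORT = 5353            # mDNS UDP port

def mdns_rates(rows, threshold_pps=100):
    """Count mDNS packets per source in one-second buckets.
    Returns (peak, responses, noisy): peak packets/s per source, number of
    mDNS responses per source, and sources whose peak exceeds the threshold,
    busiest first. Rows that are not mDNS are ignored."""
    per_sec = defaultdict(Counter)
    responses = Counter()
    for r in rows:
        if r["ip.dst"] != MDNS_GROUP or int(r["udp.dstport"]) != MDNS_PORT:
            continue
        bucket = int(float(r["frame.time_epoch"]))
        per_sec[bucket][r["ip.src"]] += 1
        if r["dns.flags.response"] == "1":
            responses[r["ip.src"]] += 1
    peak = Counter()
    for counts in per_sec.values():
        for src, n in counts.items():
            peak[src] = max(peak[src], n)
    noisy = [src for src, n in peak.most_common() if n > threshold_pps]
    return peak, responses, noisy

def analyze(csv_text, threshold_pps=100):
    return mdns_rates(csv.DictReader(StringIO(csv_text)), threshold_pps)

def build_sample():
    """Constructed two-second capture: 10.0.0.7 floods answers, others are quiet."""
    lines = ["frame.time_epoch,ip.src,ip.dst,udp.dstport,dns.flags.response"]
    for tenth in range(20):
        t = 1297440000 + tenth / 10
        lines.append(f"{t},10.0.0.5,{MDNS_GROUP},{MDNS_PORT},0")  # a normal query
        lines.append(f"{t},10.0.0.9,10.0.0.1,53,0")  # unicast DNS, not mDNS: ignored
        lines += [f"{t},10.0.0.7,{MDNS_GROUP},{MDNS_PORT},1"] * 15  # 150 answers/s
    return "\n".join(lines)

if __name__ == "__main__":
    peak, responses, noisy = analyze(build_sample())
    for src, pps in peak.most_common():
        print(f"{src:10} peak {pps:4d} pkt/s, {responses[src]} responses")
    print("sources above threshold:", noisy)
```

Pointing the same code at a real export of the flood shows which host answers most often per second; a per-port packet rate limit on the switch, if it is per port, can then be set just above the normal rate seen for well-behaved hosts.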

 
LVL 22

Expert Comment

by:Matt V
ID: 34875921
Bonjour is the worst piece of crap ever designed.  It is a resource and network hog that should never be.

The only other thing you can do is create some VLANs and route between them; this will contain the broadcasts to devices on each VLAN and lessen the load a little.
 
LVL 7

Assisted Solution

by:bclongacre
bclongacre earned 250 total points
ID: 34875927
Blocking traffic on the UDP port will stop the problem without forcing the devices to not be connected to your network.  It is best practice to keep your secure networks secure.

You wouldn't want to have a chicken farm and let your neighbors come over and let their dogs run through it all day long, would you?  I mean you could, because the dogs are supposed to be trained, but that doesn't make it a good idea.
 
LVL 16

Assisted Solution

by:Michael Ortega (Internetwerx, Inc.)
Michael Ortega (Internetwerx, Inc.) earned 125 total points
ID: 34937648
Can you leverage your endpoint protection software running on all your systems? We use Symantec Endpoint Protection. We can leverage the Network Threat Protection (Firewall/IPS) portion of it to block inbound as well as outbound traffic from the host. This would be a simple outbound rule that you could create from the management console and push out to all hosts. Other vendors have the same capabilities, but I can only speak specifically about Symantec because it is what we use.

MO
 
LVL 1

Expert Comment

by:tacf
ID: 35209028
Ugh, we're buried in these multicast packets right now as well. Surely there's a way to control these. We have a fairly open environment with lots of interns and people coming and going, in this case the Mac that's flooding our network isn't corporately owned so we're "not allowed" to touch it. The guy's there to do some work... this kind of scenario isn't uncommon. I've not found any practical solution to this, it's very frustrating.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209065
I would compose a corporate policy related to computer and network usage, that has language included that stipulates that only company owned assets are granted full access.  Once that policy has been approved, for network and information security reasons, of course... you can take actions, through your firewall to either block the MAC address of said Mac, or you can create specific rules that block all traffic from the specified computer, except for explicitly what you want to allow.
 
LVL 1

Expert Comment

by:tacf
ID: 35209120
Yeah... that works fine for traffic going through a firewall, but this is within the LAN. I'd need to do something like creating a guest VLAN for any non-corporate machine... which ends up being massive maintenance for ongoing stuff...

For the record: http://support.apple.com/kb/HT3789 tells how to disable the service on a Mac. But this is still not really what we need.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209296
Does your firewall also do DHCP?  If so, you can control it that way, or you can set your DHCP server to give that MAC an address in a different scope, then control it through your firewall, by forcing it to use a gateway IP that is your firewall, to access anything else on your network.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209316
We use a Sonicwall firewall, and I can set up LAN to LAN rules on the firewall, and even when the target computer does not directly have to pass through the firewall, the rules that I have set in place are still effective.
