Solved

How do I stop the UDP port 5353 mDNS floods on our LAN?

Posted on 2011-02-11
Last Modified: 2012-05-11
I've looked all over the Internet trying to find a good solution to my problem, to no avail.

Lately, we are seeing our LAN brought to its knees by mDNS floods.  

When analyzing the traffic using Wireshark, I am seeing that numerous devices are broadcasting and responding using UDP port 5353 to a multicast IP address of 224.0.0.251.

Most of these devices are laptops and PCs with iTunes installed and the Bonjour service running. The same happens for printers with Bonjour enabled, and any iPods and iPhones that connect to the wireless network.

I keep turning off Bonjour on each PC and printer, and telling each user to disconnect their iPod or iPhone from the company wireless network, but all it takes is one person to get a new iPhone or iPod, and it starts happening again.

What can I do to track down the specific culprit (if there is one), and/or what can be done on a larger/centralized scale to avoid the micromanagement nightmare of kicking all of these devices off the network one by one?

Embedded is an image showing the traffic in Wireshark.
[Image: Wireshark capture of mDNS flood]
Question by:lancejackson
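For the "track down the specific culprit" part of the question, one defender-side approach is to export the mDNS packets from the Wireshark capture and rank sources by how many packets per second each sends to 224.0.0.251. The script below is an added example, not code from the thread; it assumes input in the tab-separated form produced by `tshark -T fields` (epoch time, source IP, destination IP), and the sample lines it builds are constructed, not a real capture.

```python
"""Rank the sources of multicast mDNS (UDP 5353 -> 224.0.0.251) by packet rate.

Assumed input: one packet per line, tab separated, as exported by
  tshark -r capture.pcap -Y 'udp.port == 5353' -T fields -e frame.time_epoch -e ip.src -e ip.dst
The sample below is constructed for this example, not taken from a real capture.
"""
from collections import Counter

MDNS_GROUP = "224.0.0.251"


def constructed_sample():
    """A 2-second window: one chatty host, one quiet host, a few unicast replies."""
    lines = []
    for i in range(40):  # 192.168.1.10: 40 multicast packets in 2 s (constructed)
        lines.append(f"{1000.0 + i * 0.05:.3f}\t192.168.1.10\t{MDNS_GROUP}")
    for j in range(5):   # 192.168.1.20: 5 multicast packets in 2 s (constructed)
        lines.append(f"{1000.0 + j * 0.5:.3f}\t192.168.1.20\t{MDNS_GROUP}")
    for k in range(3):   # 192.168.1.30: unicast 5353 replies, not part of the flood
        lines.append(f"{1000.1 + k:.3f}\t192.168.1.30\t192.168.1.10")
    lines.append("malformed line without tabs")  # a bad export line, skipped below
    return "\n".join(lines)


def parse_lines(text):
    """Return [(epoch_seconds, source_ip)] for packets sent to the mDNS group."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole report
        ts, src, dst = parts
        if dst == MDNS_GROUP:  # unicast 5353 replies do not hit every host on the LAN
            records.append((float(ts), src))
    return records


def rate_per_source(records):
    """Map source IP -> (packet count, packets per second) over the capture window."""
    if not records:
        return {}
    times = [t for t, _ in records]
    window = max(max(times) - min(times), 1.0)  # never divide by a tiny window
    counts = Counter(src for _, src in records)
    return {src: (n, n / window) for src, n in counts.items()}


def top_talkers(records, threshold_pps):
    """Sources whose multicast mDNS rate exceeds the threshold, busiest first."""
    rates = rate_per_source(records)
    flagged = [(src, n, pps) for src, (n, pps) in rates.items() if pps > threshold_pps]
    return sorted(flagged, key=lambda r: r[2], reverse=True)
```

Run it against a real export by feeding the tshark output to `parse_lines` and picking a threshold from your own baseline; the flagged IPs are the hosts to look up in the switch MAC tables or DHCP leases.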
11 Comments
LVL 22
Accepted Solution by: Matt V (earned 125 total points)
If you are in a domain, you can issue a group policy to stop the bonjour executable from executing.  This should eliminate the worst of it.

This is precisely why our company does not allow non-corporate devices to access our network or hardware. Company money and time wasted solving a problem caused by non-company technology.
LVL 7
Assisted Solution by: bclongacre (earned 250 total points)
My personal recommendation is to secure your environment so that end users cannot connect devices to the network without going through you or your IT department. When anyone can bring any device into your environment and connect it on demand, you open yourself up for huge headaches and potential liabilities. Tracking down the source of a problem is often much more difficult when hands you do not even know about are in the cookie jar, digging around.

One way to stop this issue is to secure your wireless networks by MAC authentication, therefore restricting access to only specific devices that you have determined to be allowed.

Other potential solutions could involve possible firewall rules that affect LAN to ANY traffic related to the specific Service or Port(s), in this case UDP port 5353, to block or deny access.  These rules could potentially be applied via hardware firewall/network equipment, network intrusion prevention software, or as stated above this could also be controlled via domain policy.
Author Comment by: lancejackson
All of these are great suggestions and would probably squash the problem altogether, but I guess my follow-up would be this...

The people on the network are allowed to be there, so I'm not worried about that. And, if I am not mistaken, there will be some application development going on for such devices.  So, I need to find out why this is happening, and kill the cause.

Correct me if I am wrong, but shouldn't a network be able to handle iPhones, iPads and other devices that use the Bonjour service without screeching to a halt?

All it takes is literally one new Apple device or iTunes installation for the mass broadcasting to freeze our switches.

When monitoring with Wireshark while the network is normal and under heavy load, there might be an average of 300 packets per second, but when one of these devices enters the network, it jumps to about 1800, and connections start getting dropped.

I have seen packet flood control on my 3Com switches, and I want to turn it on, but I am not sure if the packet rate control is per port or for the entire switch bank.
LVL 22
Expert Comment by: Matt V
Bonjour is the worst piece of crap ever designed.  It is a resource and network hog that should never be.

The only other thing you can do is create some VLANs and route between them; this will contain the broadcasts to devices on each VLAN and lessen the load a little.
LVL 7
Assisted Solution by: bclongacre (earned 250 total points)
Blocking traffic on the UDP port will stop the problem without forcing the devices to not be connected to your network. It is best practice to keep your secure networks secure.

You wouldn't want to have a chicken farm and let your neighbors come over and let their dogs run through it all day long, would you? I mean you could, because the dogs are supposed to be trained, but that doesn't make it a good idea.
LVL 16
Assisted Solution by: Michael Ortega (Internetwerx, Inc.) (earned 125 total points)
Can you leverage your endpoint protection software running on all your systems? We use Symantec Endpoint Protection. We can leverage the Network Threat Protection (Firewall/IPS) portion of it to block inbound as well as outbound traffic from the host. This would be a simple outbound rule that you could create from the management console and push out to all hosts. Other vendors have the same capabilities, but I can only speak specifically about Symantec because it is what we use.

MO
LVL 1
Expert Comment by: tacf
Ugh, we're buried in these multicast packets right now as well. Surely there's a way to control these. We have a fairly open environment with lots of interns and people coming and going, in this case the Mac that's flooding our network isn't corporately owned so we're "not allowed" to touch it. The guy's there to do some work... this kind of scenario isn't uncommon. I've not found any practical solution to this, it's very frustrating.
LVL 7
Expert Comment by: bclongacre
I would compose a corporate policy related to computer and network usage that has language included stipulating that only company-owned assets are granted full access. Once that policy has been approved, for network and information security reasons, of course... you can take actions through your firewall to either block the MAC address of said Mac, or you can create specific rules that block all traffic from the specified computer, except for explicitly what you want to allow.
LVL 1
Expert Comment by: tacf
Yeah... that works fine for traffic going through a firewall, but this is within the LAN. I'd need to do something like creating a guest VLAN for any non-corporate machine... which ends up being massive maintenance for ongoing stuff...

For the record: http://support.apple.com/kb/HT3789 tells how to disable the service on a Mac. But this is still not really what we need.
LVL 7
Expert Comment by: bclongacre
Does your firewall also do DHCP? If so, you can control it that way, or you can set your DHCP server to give that MAC an address in a different scope, then control it through your firewall by forcing it to use a gateway IP that is your firewall to access anything else on your network.
LVL 7
Expert Comment by: bclongacre
We use a SonicWall firewall, and I can set up LAN-to-LAN rules on the firewall; even when the target computer does not directly have to pass through the firewall, the rules that I have set in place are still effective.