• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 25759
  • Last Modified:

How do I stop the UDP port 5353 mDNS floods on our LAN?

I've looked all over the Internet trying to find a good solution to my problem, to no avail.

Lately, we are seeing our LAN brought to its knees by mDNS floods.  

When analyzing the traffic using WireShark, I am seeing that numerous devices are broadcasting and responding using UDP port 5353 to a multicast IP address of  224.0.0.251.  

Most of these devices are laptops and PCs with iTunes installed, and the bonjour service running.  The same happens for printers with bonjour enabled, and any iPods and iPhones that connect to the wireless network.

I keep turning off Bonjour on each PC, and printer, and tell each user to disconnect their iPod or iPhone from the company wireless network, but all it takes is one person to get a new iPhone or iPod, and it starts happening again.

What can I do to track down the specific culprit (if there is one), and/or what can be done on a larger/centralized scale to avoid the micromanagement nightmare of kicking all of these devices off the network one by one?

Embedded is an image showing the traffic in WireShark.
 Wireshark Capture of mDNS flood
0
lancejackson
Asked:
lancejackson
  • 5
  • 2
  • 2
  • +2
4 Solutions
 
Matt VCommented:
If you are in a domain, you can issue a group policy to stop the bonjour executable from executing.  This should eliminate the worst of it.

This is precisely why our company does not allow non corporate devices to access our network or hardware.  Company money and time wasted solving a problem caused by non company technology.
0
 
bclongacreCommented:
My personal recommendation is to secure your environment so that end users cannot connect devices to the network without going through your or your IT department.  When anyone can bring any device into your environment and connect it on demand, you open yourself up for huge headaches and potential liabilities.  Tracking down the source of a problem is often much more difficult when hands you do not even know about are in the cookie jar, digging around.

One way to stop this issue is to secure your wireless networks by MAC authentication, therefore restricting access to only specific devices that you have determined to be allowed.

Other potential solutions could involve possible firewall rules that affect LAN to ANY traffic related to the specific Service or Port(s), in this case UDP port 5353, to block or deny access.  These rules could potentially be applied via hardware firewall/network equipment, network intrusion prevention software, or as stated above this could also be controlled via domain policy.
0
 
lancejacksonAuthor Commented:
All of these are great suggestions and would probably squash the problem altogether, but I guess my follow up would be this....

The people on the network are allowed to be there, so I'm not worried about that. And, if I am not mistaken, there will be some application development going on for such devices.  So, I need to find out why this is happening, and kill the cause.

Correct me if I am wrong, but shouldn't a network be able to handle iphones, ipads and other devices that use the bonjour service without screeching to a halt?

All it takes is literally 1 new apple device, or itunes installation for the mass broadcasting to freeze our switches.

When monitoring with Wireshark, when the network is normal, and under heavy load, there might be an average of 300 packets per second, but when one of these devices enters the network, it jumps to about 1800, and connections start getting dropped.

I have seen packet flood control on my 3com switches, and I want to turn it on, but I am not sure if the packet rate control is per port or for the entire switch bank.  
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
Matt VCommented:
Bonjour is the worst piece of crap ever designed.  It is a resource and network hog that should never be.

The only other thing you can do is create some VLANs and route between them, this will contain the broadcasts to devices on each VLAN and lessen the load a little.
0
 
bclongacreCommented:
Blocking traffic on the UDP port will stop the problem without forcing the devices to not be connected to your network.  It is best practices to keep your secure networks, secure.  

You wouldn't want to have a chicken farm and let your neighbors come over and let their dogs run through it all day long would you?  I mean you could, because they dogs are supposed to be trained, but that doesn't make it a goo idea.
0
 
Michael OrtegaSales & Systems EngineerCommented:
Can you leverage your endpoint protection software running on all your systems? We use Symantec Endpoint Protection. We can leverage the Network Threat Protection (Fireall/IPS) portion of it to block inbound as well as outbound traffic from the host. This would be a simply outbound rule that would could create from the management console and push out to all hosts. Other vendors have the same capabilities, but I can only speak specifically about Symantec because it is what we use.

MO
0
 
tacfCommented:
Ugh, we're buried in these multicast packets right now as well. Surely there's a way to control these. We have a fairly open environment with lots of interns and people coming and going, in this case the Mac that's flooding our network isn't corporately owned so we're "not allowed" to touch it. The guy's there to do some work... this kind of scenario isn't uncommon. I've not found any practical solution to this, it's very frustrating.
0
 
bclongacreCommented:
I would compose a corporate policy related to computer and network usage, that has language included that stipulates that only company owned assets are granted full access.  Once that policy has been approved, for network and information security reasons, of course... you can take actions, through your firewall to either block the MAC address of said Mac, or you can create specific rules that block all traffic from the specified computer, except for explicitly what you want to allow.
0
 
tacfCommented:
Yeah... that works fine for traffic going through a firewall, but this is within the LAN. I'd need to do something like creating a guest VLAN for any non-corporate machine... which ends up being massive maintenance for ongoing stuff...

For the record: http://support.apple.com/kb/HT3789 tells how to disable the service on a Mac. But this is still not really what we need.
0
 
bclongacreCommented:
Does your firewall also do DHCP?  If so, you can control it that way, or you can set your DHCP server to give that MAC an address in a different scope, then control it through your firewall, by forcing it to use a gateway IP that is your firewall, to access anything else on your network.
0
 
bclongacreCommented:
we use a Sonicwall firewall, and I can setup LAN to LAN rules on the firewall, and even when the target computer does not directly have to pass through the firewall the rules that I have set in place are still affective.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 5
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now