Solved

How do I stop the UDP port 5353 mDNS floods on our LAN?

Posted on 2011-02-11
Medium Priority
23,977 Views
Last Modified: 2012-05-11
I've looked all over the Internet trying to find a good solution to my problem, to no avail.

Lately, we are seeing our LAN brought to its knees by mDNS floods.  

When analyzing the traffic using Wireshark, I am seeing that numerous devices are broadcasting and responding using UDP port 5353 to a multicast IP address of 224.0.0.251.

Most of these devices are laptops and PCs with iTunes installed and the Bonjour service running. The same happens for printers with Bonjour enabled, and any iPods and iPhones that connect to the wireless network.

I keep turning off Bonjour on each PC and printer and telling each user to disconnect their iPod or iPhone from the company wireless network, but all it takes is one person to get a new iPhone or iPod, and it starts happening again.

What can I do to track down the specific culprit (if there is one), and/or what can be done on a larger/centralized scale to avoid the micromanagement nightmare of kicking all of these devices off the network one by one?

Embedded is an image showing the traffic in Wireshark.
[Image: Wireshark capture of mDNS flood]
Question by: lancejackson
11 Comments
 
LVL 22

Accepted Solution

by:Matt V
Matt V earned 500 total points
ID: 34875038
If you are in a domain, you can issue a group policy to stop the Bonjour executable from executing. This should eliminate the worst of it.

This is precisely why our company does not allow non corporate devices to access our network or hardware.  Company money and time wasted solving a problem caused by non company technology.
 
LVL 7

Assisted Solution

by:bclongacre
bclongacre earned 1000 total points
ID: 34875381
My personal recommendation is to secure your environment so that end users cannot connect devices to the network without going through your or your IT department.  When anyone can bring any device into your environment and connect it on demand, you open yourself up for huge headaches and potential liabilities.  Tracking down the source of a problem is often much more difficult when hands you do not even know about are in the cookie jar, digging around.

One way to stop this issue is to secure your wireless networks by MAC authentication, therefore restricting access to only specific devices that you have determined to be allowed.

Other potential solutions could involve possible firewall rules that affect LAN to ANY traffic related to the specific Service or Port(s), in this case UDP port 5353, to block or deny access.  These rules could potentially be applied via hardware firewall/network equipment, network intrusion prevention software, or as stated above this could also be controlled via domain policy.
 

Author Comment

by:lancejackson
ID: 34875893
All of these are great suggestions and would probably squash the problem altogether, but I guess my follow up would be this....

The people on the network are allowed to be there, so I'm not worried about that. And, if I am not mistaken, there will be some application development going on for such devices.  So, I need to find out why this is happening, and kill the cause.

Correct me if I am wrong, but shouldn't a network be able to handle iphones, ipads and other devices that use the bonjour service without screeching to a halt?

All it takes is literally one new Apple device, or one iTunes installation, for the mass broadcasting to freeze our switches.

When monitoring with Wireshark: when the network is normal and under heavy load, there might be an average of 300 packets per second, but when one of these devices enters the network, it jumps to about 1800 and connections start getting dropped.

I have seen packet flood control on my 3com switches, and I want to turn it on, but I am not sure if the packet rate control is per port or for the entire switch bank.  
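To answer the "track down the specific culprit" part of the original question, and to put numbers on the 300 to 1800 packets-per-second jump described above, here is a script that ranks mDNS senders in a capture. It is an added example for this thread, not code from the original poster or from any of the answers. It uses only the Python standard library: it parses the classic libpcap container (what Wireshark writes when you choose the pcap, not pcapng, format), walks the Ethernet, IPv4 and UDP headers, keeps only frames sent to 224.0.0.251 on UDP 5353, and reports, per source MAC address, the packet count, the busiest one-second bucket and the service names being queried. The capture at the bottom is constructed inside the script; the MAC addresses, IP addresses, timings and service names in it are made up for the demo.

```python
"""Rank mDNS senders in a libpcap capture (added example, not from the original thread).

Standard library only: parses the classic pcap container (magic 0xa1b2c3d4,
Ethernet link type), then Ethernet/IPv4/UDP, keeps frames to 224.0.0.251:5353
and reports per source MAC the packet count, peak one-second rate and names queried.
"""
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for each record of a classic pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (save pcapng as pcap first)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("expected Ethernet link type (1), got %d" % linktype)
    off = 24  # global header is 24 bytes; each record header is 16 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_udp(frame):
    """Return (src_mac, src_ip, dst_ip, sport, dport, payload), or None if not IPv4/UDP."""
    if len(frame) < 14 + 20 + 8 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # IP protocol 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport, ulen, _cksum = struct.unpack_from("!HHHH", ip, ihl)
    return src_mac, src_ip, dst_ip, sport, dport, ip[ihl + 8:ihl + ulen]


def first_question_name(dns):
    """Decode the first question name of a DNS/mDNS message (plain labels only)."""
    if len(dns) < 12 or struct.unpack_from("!H", dns, 4)[0] == 0:
        return None  # no question section (typical for responses): skipped here
    labels, off = [], 12
    while off < len(dns) and dns[off] != 0:
        n = dns[off]
        if n & 0xC0:  # compression pointer; mDNS question names normally have none
            break
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def mdns_talkers(pcap_bytes):
    """Return [(src_mac, stats), ...] for mDNS senders, busiest first.

    stats = {"ip", "packets", "peak_pps" (most frames in any whole second), "names"}.
    """
    stats = {}
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = decode_udp(frame)
        if pkt is None:
            continue
        src_mac, src_ip, dst_ip, _sport, dport, payload = pkt
        if dst_ip != MDNS_GROUP or dport != MDNS_PORT:
            continue
        s = stats.setdefault(src_mac, {"ip": src_ip, "packets": 0, "buckets": {}, "names": set()})
        s["packets"] += 1
        s["buckets"][int(ts)] = s["buckets"].get(int(ts), 0) + 1
        name = first_question_name(payload)
        if name:
            s["names"].add(name)
    for s in stats.values():
        s["peak_pps"] = max(s.pop("buckets").values())
    return sorted(stats.items(), key=lambda kv: kv[1]["packets"], reverse=True)


# --- constructed sample capture (made-up MACs, IPs, times and names) ---------
def build_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP around payload; checksums left zero (not verified above)."""
    dst_mac = "01:00:5e:00:00:fb" if dst_ip == MDNS_GROUP else "00:00:5e:00:01:01"
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    def ip4(a): return bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 255, 17, 0, ip4(src_ip), ip4(dst_ip))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def mdns_query(name):
    """Minimal one-question mDNS PTR query for name (QU bit set in the class field)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 12, 0x8001)


def build_pcap(records):
    """Wrap (timestamp, frame) pairs in a little-endian classic pcap container."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


LAPTOP, PRINTER = "00:1e:c2:aa:bb:cc", "00:21:5a:11:22:33"  # made-up addresses
SAMPLE_PCAP = build_pcap(
    # laptop running iTunes: 20 DAAP queries every second for 10 seconds
    [(i / 20, build_frame(LAPTOP, "192.168.1.50", MDNS_GROUP, 5353, 5353, mdns_query("_daap._tcp.local")))
     for i in range(200)]
    # printer: two IPP queries, plus one unicast DNS lookup that must be ignored
    + [(0.5, build_frame(PRINTER, "192.168.1.60", MDNS_GROUP, 5353, 5353, mdns_query("_ipp._tcp.local"))),
       (5.5, build_frame(PRINTER, "192.168.1.60", MDNS_GROUP, 5353, 5353, mdns_query("_ipp._tcp.local"))),
       (6.0, build_frame(PRINTER, "192.168.1.60", "192.168.1.1", 40000, 53, mdns_query("example.com")))]
)

if __name__ == "__main__":
    for mac, s in mdns_talkers(SAMPLE_PCAP):
        print("%s %-14s packets=%-4d peak=%d/s %s" % (mac, s["ip"], s["packets"], s["peak_pps"], sorted(s["names"])))
```

On a real capture, call `mdns_talkers(open("flood.pcap", "rb").read())`; the top entry is the device to go and find, and its `peak_pps` is the number to compare against a per-port storm-control threshold before turning that feature on. The `names` field tells you what the device is advertising or looking for (`_daap._tcp` is iTunes sharing, `_ipp._tcp` a printer), which is usually enough to identify it without walking the floor. The same ranking is available interactively in Wireshark with the display filter `udp.port == 5353 && ip.dst == 224.0.0.251` and Statistics > Endpoints; the script is for when you want to run it against captures from several switches or on a schedule. Note that a single query can legitimately trigger responses from every Bonjour host on the segment, so a high response count from a device is not by itself proof that it is the source of the storm; the sender with the most queries is the one to look at first.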
 
LVL 22

Expert Comment

by:Matt V
ID: 34875921
Bonjour is the worst piece of crap ever designed.  It is a resource and network hog that should never be.

The only other thing you can do is create some VLANs and route between them, this will contain the broadcasts to devices on each VLAN and lessen the load a little.
 
LVL 7

Assisted Solution

by:bclongacre
bclongacre earned 1000 total points
ID: 34875927
Blocking traffic on the UDP port will stop the problem without forcing the devices to not be connected to your network. It is best practice to keep your secure networks secure.

You wouldn't want to have a chicken farm and let your neighbors come over and let their dogs run through it all day long, would you? I mean you could, because the dogs are supposed to be trained, but that doesn't make it a good idea.
 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 500 total points
ID: 34937648
Can you leverage your endpoint protection software running on all your systems? We use Symantec Endpoint Protection. We can leverage the Network Threat Protection (Firewall/IPS) portion of it to block inbound as well as outbound traffic from the host. This would be a simple outbound rule that we could create from the management console and push out to all hosts. Other vendors have the same capabilities, but I can only speak specifically about Symantec because it is what we use.

MO
 
LVL 1

Expert Comment

by:tacf
ID: 35209028
Ugh, we're buried in these multicast packets right now as well. Surely there's a way to control these. We have a fairly open environment with lots of interns and people coming and going, in this case the Mac that's flooding our network isn't corporately owned so we're "not allowed" to touch it. The guy's there to do some work... this kind of scenario isn't uncommon. I've not found any practical solution to this, it's very frustrating.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209065
I would compose a corporate policy related to computer and network usage, that has language included that stipulates that only company owned assets are granted full access.  Once that policy has been approved, for network and information security reasons, of course... you can take actions, through your firewall to either block the MAC address of said Mac, or you can create specific rules that block all traffic from the specified computer, except for explicitly what you want to allow.
 
LVL 1

Expert Comment

by:tacf
ID: 35209120
Yeah... that works fine for traffic going through a firewall, but this is within the LAN. I'd need to do something like creating a guest VLAN for any non-corporate machine... which ends up being massive maintenance for ongoing stuff...

For the record: http://support.apple.com/kb/HT3789 tells how to disable the service on a Mac. But this is still not really what we need.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209296
Does your firewall also do DHCP?  If so, you can control it that way, or you can set your DHCP server to give that MAC an address in a different scope, then control it through your firewall, by forcing it to use a gateway IP that is your firewall, to access anything else on your network.
 
LVL 7

Expert Comment

by:bclongacre
ID: 35209316
We use a SonicWall firewall, and I can set up LAN to LAN rules on the firewall; even when the target computer does not directly have to pass through the firewall, the rules that I have set in place are still effective.
Question has a verified solution.