[avahi] Linksys E4200: Received response with invalid source port

Eric Martel shrodi+avahi at gmail.com
Mon Oct 3 07:36:14 PDT 2011


Interesting opinion from a Cisco expert (I replaced non-useful text by "[...]");
what do you think of the possible security risks? I copied my original post on
this list at the bottom for easier reference.

<-- BEGIN OPINION -->

Again. The RFC says "MUST silently ignore".

avahi doesn't ignore it silently. It does something about it which is not silent. [...]

They should ignore it. Don't log anything. If they think it's beneficial for
debugging, they should offer a configuration option that allows to enable more
verbose logging and only then log the messages.

[...]

On the contrary: logging these messages could be used for a denial of service
attack. It's a very easy way to generate log entries and thus fill up disk
space. Send mdns packages with invalid source ports to the avahi daemon as fast
as you can...

Thus, with very good reason the RFC says it should be silently ignored.
Incorrect packets should not do anything. They should not appear anywhere unless
you specifically ask for this information, e.g. during debugging...

[...]

<-- END OPINION -->


Le 2011-07-18 14:12, Christiano F. Haesbaert a écrit :
> On 18 July 2011 15:01, Eric Martel <shrodi+avahi at gmail.com> wrote:
>> But doesn't the draft also specify that "Multicast DNS implementations
>> MUST silently ignore any Multicast DNS Responses they receive where the
>> source UDP port is not 5353."? Shouldn't avahi therefore ignore those
>> responses instead of reporting them? Is there a way for me to tell it so?
>>
> It is ignoring, in the way that is not considering it a valid answer,
> but it is reporting.
>
> Now "silent" I'd say it's just semantics, it's nice to have a warning
> or a message that "something weird is happening", it does not affect
> the system at all. When the draft says "silently" it implies "nothing
> should be done", logging the event is a nice thing IMHO, you would
> spend a lot more time to conclude this fact if it was not for the
> reporting.
>
> Use tcpdump and verify that avahi is correct (ie: source port is
> wrong), if it is, it's your router's fault.
> I don't know much of avahi, I only know mdns quite well.
> _______________________________________________
> avahi mailing list
> avahi at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/avahi


On 18 July 2011 11:50, Eric Martel <shrodi+avahi at gmail.com> wrote:

> (Please tell me if this is not the good place to ask this question)
>
> Hi,
>
> I just changed my router from a D-Link DI-624 to a Cisco Linksys E4200.
> Almost instantly, all of my Linux syslogs (I run many computers on my
> network, some Mandriva, others Ubuntu, different versions) began being
> clogged (every 30 seconds) with messages such as the following:
>
>    Jul 18 08:53:42 myhost avahi-daemon[7054]: Received response from
> host 192.168.1.1 with invalid source port 32768 on interface 'eth1.0'
>
> where 192.168.1.1 is the address of the router.
>
> The only apparently relevant post I found on the Internet is at
> http://homecommunity.cisco.com/t5/Wireless-Routers/Received-response-from-host-router-IP-address-with-invalid/td-p/405931,
> with an interesting and detailed technical insight at what might be
> going wrong, but with no solution offered. This post hints at errors
> that would be both on the side of the router and Avahi (but I can't tell
> since I'm a total newb in that mDNS thingy).
>
> Contacting Linksys tech support was (big surprise...) a dead end for me,
> so I thought I might turn for your help guys: is there anything I can do
> from the avahi-daemon point of view to at least prevent that specific
> message from clogging my syslogs, but without disabling avahi-daemon
> since I use it? Or can anybody think of something (generally speaking) I
> could configure on the router to prevent this?
>
> Thanks!
_______________________________________________
avahi mailing list
avahi at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/avahi
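
The behaviour the quoted opinion argues for (ignore by default, log only when asked), with a rate limit so that even debug logging has a bounded cost under a flood of bad-port responses. This is an added example, not part of the original thread and not avahi's code; `log_limiter`, `handle_response`, `simulate_flood` and the 5-lines-per-60-seconds budget are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define MDNS_PORT 5353 /* source port required by the draft quoted above */

/* Hypothetical fixed-window limiter for one class of log message. */
struct log_limiter {
    unsigned burst;        /* max log lines per window (assumed value) */
    uint64_t window_sec;   /* window length in seconds (assumed value) */
    uint64_t window_start; /* time the current window opened */
    unsigned emitted;      /* lines written in this window */
};

/* Return 1 if a line may be written at time `now`, 0 if it must be dropped. */
static int limiter_allow(struct log_limiter *l, uint64_t now)
{
    if (now - l->window_start >= l->window_sec) { /* new window: reset budget */
        l->window_start = now;
        l->emitted = 0;
    }
    if (l->emitted < l->burst) { l->emitted++; return 1; }
    return 0;
}

/* Return 1 if the response is accepted, 0 if ignored. A log line is written
 * only when `verbose` is set, and even then only within the limiter's budget. */
static int handle_response(struct log_limiter *l, int verbose,
                           uint16_t src_port, uint64_t now, int *logged)
{
    *logged = 0;
    if (src_port == MDNS_PORT) return 1;
    if (verbose && limiter_allow(l, now)) {
        fprintf(stderr, "ignored response: invalid source port %u\n", (unsigned)src_port);
        *logged = 1;
    }
    return 0; /* dropped either way; logging never changes the decision */
}

/* Constructed flood: n bad-port responses over `secs` seconds; returns log lines written. */
static unsigned simulate_flood(int verbose, unsigned n, uint64_t secs)
{
    struct log_limiter l = { 5, 60, 0, 0 };
    unsigned lines = 0;
    for (unsigned i = 0; i < n; i++) {
        int logged;
        handle_response(&l, verbose, 32768, 1000 + (uint64_t)i * secs / n, &logged);
        lines += (unsigned)logged;
    }
    return lines;
}
```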



