I recently swapped my router for a Billion 7800VDOX, and noticed some attempted connections to my iMac from external addresses. On investigation I found that a UPnP port had been opened on the router with port range 0-0 (internal and external). This has the effect, verified with an external port scanner, of opening ALL port numbers on the router and directing them to the iMac. I deleted the mapping and ran Wireshark and captured an external address request at the same time as the mapping was restored.

Frame 496: 102 bytes on wire (816 bits), 102 bytes captured (816 bits) on interface 0
Ethernet II, Src: Apple_d0:7e:eb (d4:9a:20:d0:7e:eb), Dst: BillionE_cb:49:27 (00:04:ed:cb:49:27)
Internet Protocol Version 4, Src: 192.168.1.131, Dst: 192.168.1.254
User Datagram Protocol, Src Port: 5353 (5353), Dst Port: 5351 (5351)
Source Port: 5353
Destination Port: 5351
Length: 68
Checksum: 0x8527 [validation disabled]
[Stream index: 0]
Port Control Protocol, Map Request
Version: 2
0... .... = R: Request
.000 0001 = Opcode: Map (1)
Reserved: 0
Requested Lifetime: 7200
Client IP Address: ::ffff:192.168.1.131
Map Request
    Mapping Nonce: f88237920f8cd6c0a3765f39
    Protocol: 6
    Reserved: 0
    Internal Port: 9
    Suggested External Port: 0
    Suggested External IP Address: ::ffff:xxx.181.81.112

This was preceded by a SOAP request to get the external IP address of the router. Checking the source port (5353) with lsof I found it owned by mDNSResponder.

My assumption as to what is happening is that mDNSResponder is using this just to get the external IP address of the router, and doing so using a supposedly harmless request to map port 0, which should be an invalid port. However, the Billion router is treating this, either by design or programming error, as a request to open all ports. Turning off UPnP on the router solves the problem (even though, as pointed out, this is not actually UPnP).

Anyone have any other suggestions?

Clyde

1 Answer

The packet you captured shows a Port Control Protocol (PCP: the IETF standards-track successor to NAT-PMP) port mapping request. The client port for the requested mapping is 9/TCP. The client doesn't have any suggestion for what the external port should be, so it leaves the suggested external port field set to zero. IETF RFC 6887, which defines PCP, makes clear that zero means "no suggestion" in this field.

I think whoever implemented PCP for this Billion router misread the RFC. You see, in some very limited and well-defined cases, a zero in the OTHER port field could mean "all ports". Like when the Requested Lifetime for this mapping request is zero, a zero client port would mean "delete all mappings for all ports on this client IP address".

But again, in the suggested external port field, zero is always supposed to mean "no suggestion". It is never supposed to mean "all ports" in this field.

So it seems pretty clear you've found a PCP bug in this Billion router.

One other weird thing here is the client port. Traditionally, 9/TCP is the discard service's port, but the discard service is deprecated, so I'm not sure who'd be running it any more, or why anything would be requesting a port mapping for it.

As for why mDNSResponder is sending these requests, it's simply because mDNSResponder acts as the PCP/NAT-PMP/UPnP daemon on macOS in addition to its usual mDNS, DNS-SD, and DNS resolver duties. When any process on macOS triggers the system to request a port mapping from the router, it's always mDNSResponder's job to create and send the actual port mapping request packets.

Spiff
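The field semantics described in the answer, as an added example that is not part of the original post or of any router's code: a Python decoder for the 60-byte PCP MAP request layout from RFC 6887, run on a constructed packet carrying the values from the capture. The suggested external address is a documentation-range placeholder because the capture redacts it, and the function names and dictionary keys are chosen here for illustration.

```python
import ipaddress
import struct

# PCP common request header (24 bytes) followed by the MAP body (36 bytes).
PCP_MAP = struct.Struct("!BBHI16s12sB3sHH16s")
OPCODE_MAP = 1


def parse_map_request(payload: bytes) -> dict:
    """Decode a PCP MAP request, interpreting zero-valued fields per RFC 6887."""
    if len(payload) < PCP_MAP.size:
        raise ValueError("too short for a PCP MAP request")
    (version, r_opcode, _, lifetime, client_ip, nonce, protocol, _,
     internal_port, suggested_port, suggested_ip) = PCP_MAP.unpack_from(payload)
    if version != 2:
        raise ValueError("unsupported PCP version")
    if r_opcode & 0x80 or (r_opcode & 0x7F) != OPCODE_MAP:
        raise ValueError("not a MAP request")
    return {
        "action": "delete" if lifetime == 0 else "map",
        "lifetime": lifetime,
        "client_ip": ipaddress.IPv6Address(client_ip),
        "nonce": nonce.hex(),
        "protocol": protocol,
        # Internal port is the only port field where 0 can mean "all ports".
        "internal_ports": "all" if internal_port == 0 else internal_port,
        # Suggested external port 0 means "no suggestion", never a wildcard.
        "external_port_hint": suggested_port or None,
        "external_ip_hint": ipaddress.IPv6Address(suggested_ip),
    }


def build_map_request(lifetime: int, internal_port: int, suggested_port: int) -> bytes:
    """Constructed sample using the values from the capture in the question."""
    client = ipaddress.IPv6Address("::ffff:192.168.1.131").packed
    # Placeholder: the page redacts the first octet of the external address.
    external = ipaddress.IPv6Address("::ffff:203.0.113.10").packed
    nonce = bytes.fromhex("f88237920f8cd6c0a3765f39")
    return PCP_MAP.pack(2, OPCODE_MAP, 0, lifetime, client, nonce,
                        6, b"\x00" * 3, internal_port, suggested_port, external)


if __name__ == "__main__":
    captured = parse_map_request(build_map_request(7200, 9, 0))
    print(captured["action"], captured["internal_ports"], captured["external_port_hint"])
    delete_all = parse_map_request(build_map_request(0, 0, 0))
    print(delete_all["action"], delete_all["internal_ports"])
```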