Skip to main content

Get off my lawn, DMZ edition.

Author
Jeffrey Forman

I recently changed Internet providers from Comcast Business to Verizon Fios connection. As part of the Fios package, are TV Set Top Boxes (STB) which use coax for Video, and Internet via MOCA for the guide data. It made me curious, what kind of traffic were these things sending on the network? What would they be trying to access? And how hard would it be to DMZ these things off from the rest of my wired/wifi network given I have no idea what they are up to. Behold, a DMZ configuration Requirements:

  • Cable boxes need to get out to the Internet.
  • Cable boxes should not be able to touch anything else network-wise inside my house but what’s inside the DMZ
  • My wifi/wired networks should be able to initiate connections to the DMZ devices. For science of course (but more for seeing what they are doing).

I run a standard OpenBSD firewall/router, with a physical NIC to connect to Fios ($ext_if), and the NIC to connect to my DMZ ($dmz_if) the NIC responding for the DMZ VLAN ($dmz_vlan) interface. I knew the PF rules change had to be simple. Behold, the entirety of the diff of my rules to make the above happen:

# DMZ Rules dmz_if = “em4” dmz_vlan = “vlan254” table <dmz_net> { 10.10.254.0/24 } pass in on $dmz_vlan inet pass out on $ext_if inet from $dmz_vlan:network to any nat-to ($ext_if) block out log (all) on !$ext_if from $dmz_vlan:network

The most important line is the very last one. In prose, “Block all connections from the network attached to the DMZ VLAN, that go out any interface but the one connected to Fios itself.” So a connection trying to traverse the DMZ VLAN interface bound for my internal wired network, would be blocked and logged. Now that I had the traffic segregated, I wanted to see what the STB’s are doing.

# tcpdump -vvv -i vlan254 tcpdump: listening on vlan254, link-type EN10MB 06:17:44.654550 10.10.254.201 > 10.10.254.1: icmp: echo request (id:0000 seq:0) [icmp cksum ok] [ttl 1] (id 51445, len 28) 06:17:44.654634 10.10.254.1 > 10.10.254.201: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 255, id 22245, len 28)

Pinging the gateway, perhaps to check for connectivity?

06:17:58.909487 10.10.254.201.ssdp > 239.255.255.250.ssdp: udp 316 (DF) (ttl 2, id 0, len 344) 06:17:58.931975 10.10.254.201.ssdp > 239.255.255.250.ssdp: udp 359 (DF) (ttl 2, id 0, len 387)

What’s SSDP you ask? According to Wireshark.org, it stands for Simple Service Discovery Protocol. Looking at the actual SSDP packet, it has a URL (http://$stb:9999/upnp_descriptor_0) for an STB-running webserver, and even a Linux kernel version (2.6.24-1.2.61.1_full_highmem).

22:57:08.200426 10.10.254.201.ssdp > 239.255.255.250.ssdp: [udp sum ok] udp 373 (DF) (ttl 2, id 0, len 401) 0000: 4500 0191 0000 4000 0211 7e8e 0a0a fec9 E…..@…~….. 0010: efff fffa 076c 076c 017d bf45 4e4f 5449 …..l.l.}.ENOTI 0020: 4659 202a 2048 5454 502f 312e 310d 0a48 FY * HTTP/1.1..H 0030: 4f53 543a 2032 3339 2e32 3535 2e32 3535 OST: 239.255.255 0040: 2e32 3530 3a31 3930 300d 0a43 4143 4845 .250:1900..CACHE 0050: 2d43 4f4e 5452 4f4c 3a20 6d61 782d 6167 -CONTROL: max-ag 0060: 653d 3132 300d 0a4c 4f43 4154 494f 4e3a e=120..LOCATION: 0070: 2068 7474 703a 2f2f 3130 2e31 302e 3235 http://10.10.25 0080: 342e 3230 313a 3939 3939 2f75 706e 705f 4.201:9999/upnp_ 0090: 6465 7363 7269 7074 6f72 5f30 0d0a 4e54 descriptor_0..NT 00a0: 3a20 7572 6e3a 7363 6865 6d61 732d 7570 : urn:schemas-up 00b0: 6e70 2d6f 7267 3a73 6572 7669 6365 3a43 np-org:service:C 00c0: 6f6e 6e65 6374 696f 6e4d 616e 6167 6572 onnectionManager 00d0: 3a31 0d0a 4e54 533a 2073 7364 703a 616c :1..NTS: ssdp:al 00e0: 6976 650d 0a53 4552 5645 523a 204c 696e ive..SERVER: Lin 00f0: 7578 2f32 2e36 2e32 342d 312e 322e 3631 ux/2.6.24-1.2.61 0100: 2e31 5f66 756c 6c2d 6869 6768 6d65 6d20 .1_full-highmem 0110: 5550 6e50 2f31 2e30 2043 6973 636f 2d55 UPnP/1.0 Cisco-U 0120: 506e 502f 312e 382e 3232 350d 0a55 534e PnP/1.8.225..USN 0130: 3a20 7575 6964 3a33 3033 3730 3637 362d : uuid:40370676- 0140: 3164 6432 2d31 3162 322d 3966 3432 2d39 1dd2-1112-9f42-9 0150: 6666 3464 3065 6562 3431 623a 3a75 726e ff4d0efg41b::urn 0160: 3a73 6368 656d 6173 2d75 706e 702d 6f72 :schemas-upnp-or 0170: 673a 7365 7276 6963 653a 436f 6e6e 6563 g:service:Connec 0180: 7469 6f6e 4d61 6e61 6765 723a 310d 0a0d tionManager:1… 0190: 0a .

What is the output of that URL?

$ curl -s http://10.10.254.201:9999/upnp_descriptor_0 | xmllint –format -

1 0 urn:schemas-upnp-org:device:MediaServer:1 FIOSTV\_C0C68742EAEE Cisco http://www.cisco.com HD Set-top Cisco CHS335HD www.cisco.com XXCFXXSXX uuid:40370676-1dd2-1112-9f42-9ff4d0efg41b urn:schemas-upnp-org:service:ContentDirectory:1 urn:upnp-org:serviceId:ContentDirectory /upnp\_control\_0 /upnp\_event\_0 /scpd/ContentDirectory\_DMS urn:schemas-upnp-org:service:ConnectionManager:1 urn:upnp-org:serviceId:ConnectionManager /upnp\_control\_1 /upnp\_event\_1 /scpd/ConnectionManager\_DMS DMS-1.50 audio-upload,image-upload,av-upload,create-child-container

I have no knowledge of DLNA, SSDP, or any of the other parameters in this XML but I can only assume it has to do with media sharing of what’s stored on the STB. I did trace down that model number CHS335HD, and found it’s the Fios HD STB, not the DVR I have in my home. I’ll be curious about doing some digging into see about an API to watch saved shows from across the network. More to come as I segregate off more traffic of my home network. For now I am glad to have a couple devices I don’t have control over, ‘off’ my network.