Abuse of UDP out through mDNS for making TCP connects inside the LAN

vdbm2 Posts: 6  Freshman Member
edited April 2021 in Security
Hello Security,

As a huge violation, I discovered something which, as a developer with knowledge of the hardware as well, makes me wonder why there is no doc against the way MS, Google and the related apps are a threat inside user level. Meaning: through a "hack trick" they use UDP on all of the IP stack pool, so 65535 ports, sending out the use inside config so they can make a TCP connect, mostly over port 443 but also 80. As these are W3C-dedicated port agreements for HTTPS or HTTP connects, you get, without knowing, a TCP connect that stays open, as TCP is designed for. A browser by standard opens 6 TCP channels; both lose the connect due to the webserver. As this plays on the lower stack level, only Zyxel can inform about this.

But what is our protection against this? Since it is a high security issue, besides isolating every user in a VM I see no better solution. But as it's a virtual vEthernet that uses the interface, this traffic can slip through the ZyWALL as MAC changing, but for the ZyWALL being invisible, since it looks at real MAC devices and not virtual ones.

Any solution against these "cloud" intruders? As it is no home issue but company related, this malicious code made huge losses on clients. And as Zyxel is my choice of router, should I place Juniper as a firewall so servers on zone X are better protected, or is there an inside solution from Zyxel itself?

Comments

  • Zyxel_Charlie  Posts: 1,034  Zyxel Employee
    Hello vdbm2,
    From your description, we do not really understand what you are asking about.
    To understand your requirement, please share more examples or list what you want to do.
    If possible, please separate each paragraph properly, so we can truly understand your description.
    Charlie

  • vdbm2  Posts: 6  Freshman Member
    Maybe this can help :) , since I have some experience in coding, as my roots are based on the community Assembly. So the last event I had was 1995 Finland, closed for 3 days 24/24, and a competition of the world's "anti MS", doing hacks like the BIOS IRQ fooling, with the result that we wrote, with minimal resources, code execution with graphics, sound, in real-time moving graphics algorithms like a fractal.
    So we have deep insight into machine architecture, OS and networks, all low level.
    For TCP/IP we are working with code that runs without a webserver, and a browser as UI.
    The issue is, as Zyxel uses Sencha's framework as UI, so do we. The problem arrives that the browser is abusing hack exploits, making it possible to connect a TCP port 80, 443, or 8080, 8008.
    As users think these are reserved ports for websites, the TCP connect can open 6 channels on a site. Traffic passes the ZyWALL since DNS and NetBIOS are on zone DMZ; these are caught by the ZyWALL.
    What people don't know is that mDNS uses UDP as outgoing, but not one socket, all available ones on the stack, simply for bypassing the DNS landing on the app's parent DNS server. So without a browser open they bypass the ZyWALL with UDP calls, and the outgoing data gives the related service a free pass to TCP port 80 or 443.



  • Blabababa  Posts: 151  Master Member
    Filtering those applications by port may not be able to detect those that "mean to" violate the network; however, in your case, I'm not sure whether Application Patrol can help? Since this function is able to detect not only L3/L4 ports but also application-layer packets.
  • vdbm2  Posts: 6  Freshman Member
    Blabababa said:
    Filtering those applications by port may not be able to detect those that "mean to" violate the network; however, in your case, I'm not sure whether Application Patrol can help? Since this function is able to detect not only L3/L4 ports but also application-layer packets.

    Wouldn't it be better to say it's Microsoft itself that violates my network? It's no question; it's a "hack" exploit done by OS and browsers opening a door we all use, TCP 80.

    As I deserialized 3 social sniffers, not by a firewall but by a recursive call, they got sandboxed themselves, as that ended the Win 10 shaking after 1 minute. Now this is not so difficult to code; the same effect shakes all. It should be no hack attack but a release of rule 1: as it's public, it stays public. If I get an IP knocking too much on my WAN with some private ports, I send a warning; next time I send a shutdown code. But not every household has a gatekeeper, as that's our job to fulfil, keeping the "sh***" out. I did the same 15 years ago, but in an application that was not for the public nor an OS; the user made use of this application and knew exactly what for and why. My data was not encrypted; why should it be? I sent binary data that only server and client understood, as it was private code. This is not that: it's an OS that forces users to stay online by something so easy to remove, as the service blocks the RPC, but that's not for keeping the OS healthy. This is by far the biggest attack, but nobody sees it? As an insider of Win10, they don't know who they have against them. I even openly did a public warning last year that the release could not be done. That was a first confrontation, but it led more and more to a real release; creators that made 4 million coders unable to debug for 3 weeks.

    As this was agreed not to do, since the Delphi/C++ Builder IDE wasn't ready for the change they did.
    Now I don't use a debugger, as I code low level; the only bug is myself.

    I posted inside Direct first as a warning; it was serious, as MS called me asking if I wanted to explain it to HQ in the US. The line suddenly broke during the call; did I dig too far? I have a version that next release will not be deployed in ISO, but uses the vEthernet switch on a virtual LAN port that uses the USB channel for

    Nearby streams; this Nearby becomes a public hotspot. Before, they stole bandwidth in time slots at 3am, and not hidden, just an endless task rule. So swipe: no updates; that rule stays.

    And news channels talking about organized DoS attacks by organized hackers? So Greenpeace are criminals in nature as hackers are for IT? So Napster was illegal but iTunes' 30% commission is OK? It's a joke, but I'm not laughing. Hope this opens some coders' eyes, as we are not for sale, but when I go into hack mode it's seeking where I failed. Now you just open a PowerShell,

    connect the interface to an IP, use netsh and set the mode offline. As Chrome sandboxes any meta tag, place this in a meta tag; code travels from site to site straight into the drop zone of users, and then the same exec script. Who is then responsible?

    Chrome that sandboxes data, Windows opening a door, the script, which is a plain admin cmdlet. I've seen a lot, but this; since Gates I thought I'd seen it all, but this. Well, I never ran any virus or whatever, as I see faster when the cycle has "got a cold".

    But Kaspersky and Adobe Flash are not allowed? For myself this is not an issue, as I did my time, but this is our area: open, free and giving everyone a possibility to learn. If that becomes, as now, a controlled system,

    then I take the first plane straight to North Korea, since then I know I live in a country that prohibits me from learning, or protects me from being polluted?

    I posted this same on the MS Insider forum; as soon as I pressed submit, my post was grabbed and seen as "spam", but that spam was gone in 3 secs. I have a formal investigation running by DNS.BE against MS and Google, as they sandboxed an A domain. Now the DNS master called me asking how, and as I was at the start of analog internet connections, he knew me, since I spread accounts into companies as a subcontractor,

    but no law, government or whatever can stop this besides the community itself, as we have more knowledge, but that is a clean sweep that stands a couple of days and re-enters.

    Maybe I'm dreaming a nightmare, but I don't need TCP/IP as a network; I can easily move. I even don't need a WAN. But I do need peace of mind, as I don't want my children living in a game where the puppeteer is Google (Puppeteer is a framework).

    Since '95 I'm a member of Borland, my account vdbm2. These days I see my account on Twitter, Facebook, Skype, all of which I never use or even entered. Now I have more aka, but when you suddenly see a profile formed by content of my track, I must say, damn well coded. But I run a critical system and don't need attention nor publicity, as it leads to something like I have a ghost, but people believe what they see. Similar to those f*** of cyber crime arresting people based on the IP and child porn, but they don't check the physical layer like the MAC, as this is proof, not the IP transfer code as a fragment, but even that is bogus, as a VM

    has a choice to change the MAC, static or dynamic. So the Zyxel I bind on MAC, also the VM. How many admins can even set up a neat network? If you talk full/half duplex, shielded, Cat, inbound balancing, round trip, they say what? You use Ethernet cable, we have fibre, it's no issue for us.

    In my sector, which employs 250,000 people and 4.7 billion, that is so critical, as its uptime must be 365 days 100%. Last week I had a client that was literally a broken man, all caused by bad config and a polluted OS. And this is high tech, so few have these skills to react, but instead of injecting individual resources against this, we can also terminate it. As we agree this in a public way, then it will be a standard, and for those the choice: dark, polluted or public. I choose public, where DNS is the path for the package. We don't need IPv6, or is suddenly every connect done without routers? But IPv6, few can process that traffic; as it is not needed, why ship it into the OS? Even for cloud-based systems it has no value, but it is added by default on the OS Ethernet as a protocol. The last 3 months I didn't write a single line of code but got glued to my chair 24/24, constantly resetting the services that otherwise cause a hardware shutdown by the IMM. It is not even my task, so clients need a coder helping the network not to fall. You can check one if you like: www.hukra.com. I know more coming and said he has to decide, because I need to get back to code, as otherwise the system will collapse. So said, luckily I have connections, but I had to approach IBM US for a bare-metal setup in no time, so we can shift out the critical system into a private dedicated server, monthly $1500 (the same I sell for $600). But I can do this; how many are bound to several systems at a high level? That's not an easy shift-and-go. 2017: 60% overcost on falldowns. Running multinationals as a machine, the time they say go?
    And my knowledge alone: as you say L2, L3, I know what you mean, but I don't use it. So I know the x86 architecture, all of TCP and UDP, Win32 API, but SIP, ALG, SFTP, UPnP I know, but didn't do deep research like on TCP/IP or IPX/SPX. I even don't need an OS to run the critical code, but that's all great. End-users have pictures they care about, but those need to be able to connect, else you lose. As we secure our inside, the gap between users becomes greater, and browsers are going to be deciding on their rules: a Chrome will not connect to an MSN, and this has already started for some sites. Then game over. Cross-platform? Cross-over as B2B.
  • ChrisGer  Posts: 205  Ally Member
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Blabababa said:
    Filtering those applications by port may not be able to detect those that "mean to" violate the network; however, in your case, I'm not sure whether Application Patrol can help? Since this function is able to detect not only L3/L4 ports but also application-layer packets.
    Hi together,
    I think @Blabababa you are right. It's possible to block unwanted services by using the Layer 7 feature on a USG. Spotify has several activities that can be blocked by a USG (see screenshot), but you require the license to get the feature activated on a USG.

    In this example, the service is not blocked, because the profile does not have this service locked.

    Regards
    Christian
  • vdbm2  Posts: 6  Freshman Member
    You're completely right, but one thing? Of all IT, how many really know what's going on? As that move to HTTPS is for security reasons? Hahaha. I have no issue that a URI gets caught; Chrome sandboxes every meta, so what is the real issue here? Should we now invest more CPU and memory into security against an OS and browser causing these gaps? As all is non-DNS related, it's very difficult to reject or re-attack :) But one thing you definitely nail: cache.spotify.com is used as a mid-serializer for MSN, WinStore, Google content, Akamai, Spotify, Skype, and all used by UDP broadcast 5353, which is Bonjour. Well, for me it's a f"***"" ho""rr", abusing UDP for sending the NS servers so they can prepare for a TCP connect on what port? Yes, 80; TCP 80 is used for HTTP. The home user has no problem, but we as a server letting clients in literally get our stack pool sucked empty, and then you get TCP connects on port 80. Know that's no TCP/IP traffic, as it uses SIP and P2P, peer or any other way that not only brings the bandwidth out of balance, but for data stores, latency and redundancy, destroyed our failover SAN DS3000 IBM RAID10. And how? mstsc TCP 3389 is not the same as RDP 3389 with the UDP extender for audio endpoints. It's great as long as we know what's happening. Win10 is more a gaming 4K than it is an OS. VMs I have used for more than 10 years, but they are not easy to maintain, as you make VLANs and isolate production so browsing happens on another network layer; but when the OS and browser itself run like this, Outlook is no mail client but a huge social connector, and no firewall nor "hacker" can avoid this. But it took me 5 mins, without any hack, to make Win10 look like what it is, a joke, as I had no disk or IO rights, lots of exes and services couldn't run, just the PowerShell Java -p srvc ran, so Office and Win10 booted. But Chrome says the exe level?
    That's a dangerous game. As I did a serialize of accounts I destroyed on another system, it literally shook Win10 for a minute :) and Chrome, Skype, Win fell down like the easiest hack ever, but affecting global systems. Everyone depends on SOAP, REST, in JSON, XML or OData; no one stands still besides Firefox on what a mess it's going to be in the coming months. As we all know, a Zyxel UI is a Linux web under Sencha; know how easy it is grabbing the rules or changing them by a script lifting on a web script? I actually have a case running from DNS.BE against Google and Outlook, as they sandboxed my A domain. Since September I've struggled with this, finding a solution, not for my server data but the UI that in 2016 on a normal transaction day had a 300 MB data transfer (binary transactions, so over 100,000 transactions a day). Today I have the same system, but all junk passes and I get 23 GB over my web system, with until today no solution, as I can isolate, but then it's not sellable. If I want to access the IBM Bluemix cloud on SSL VPN, only IE can do this. The place a browser takes off the OS is gigantic, and I can avoid OS issues, but if users want access with browsers, then it's an application that's going to decide the performance and security.....
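The mDNS/Bonjour traffic on UDP 5353 discussed in the post above, as an added example that is not part of this thread nor any Zyxel code: mDNS (RFC 6762) reuses the DNS wire format (RFC 1035) and is sent to the link-local multicast group 224.0.0.251 (IPv4) or ff02::fb (IPv6) on UDP port 5353, so anyone who wants to see what such a datagram actually carries can decode it in a few dozen lines. The script below decodes two datagrams constructed inline (a service-enumeration query with the unicast-response bit set, and a PTR response that uses name compression; the service names and the "Printer" instance are made up) and classifies UDP flows as mDNS, one-shot/legacy mDNS, or other. Function and constant names are my own.

```python
"""Added example (not from the thread): decode mDNS datagrams and classify UDP
flows.  mDNS (RFC 6762) reuses the DNS wire format (RFC 1035) on UDP port 5353,
addressed to 224.0.0.251 (IPv4) or ff02::fb (IPv6).  Sample packets below are
constructed inline; the service names and the 'Printer' instance are made up."""
import struct

MDNS_PORT = 5353
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name at `offset`; return (name, next_offset).
    A byte with the top two bits set is a pointer into the message (RFC 1035 4.1.4);
    `hops` guards against pointer loops in malformed packets."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2          # caller resumes after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_mdns(msg: bytes) -> dict:
    """Parse header, question and answer sections; PTR RDATA is decoded as a name."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        # mDNS overloads the top QCLASS bit as the "unicast-response" flag.
        questions.append({"name": name, "type": qtype, "class": qclass & 0x7FFF,
                          "unicast_response": bool(qclass & 0x8000)})
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = decode_name(msg, off)[0] if rtype == TYPE_PTR else msg[off:off + rdlen]
        off += rdlen
        # mDNS overloads the top RRCLASS bit as the "cache-flush" flag.
        answers.append({"name": name, "type": rtype, "class": rclass & 0x7FFF,
                        "cache_flush": bool(rclass & 0x8000), "ttl": ttl,
                        "rdata": rdata})
    return {"id": tid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def classify_udp(src_port: int, dst_ip: str, dst_port: int) -> str:
    """'mdns' for multicast mDNS sent from port 5353, 'mdns-legacy' for RFC 6762
    one-shot queries sent from an ephemeral source port, 'other' otherwise."""
    if dst_ip not in MDNS_GROUPS or dst_port != MDNS_PORT:
        return "other"
    return "mdns" if src_port == MDNS_PORT else "mdns-legacy"


# Constructed sample 1: the standard service-enumeration query, unicast bit set.
QUERY = (struct.pack("!6H", 0, 0, 1, 0, 0, 0)
         + encode_name("_services._dns-sd._udp.local")
         + struct.pack("!HH", TYPE_PTR, 0x8000 | CLASS_IN))

# Constructed sample 2: a response whose second record uses name compression.
_svc = encode_name("_services._dns-sd._udp.local")      # 30 bytes at offset 12
_ipp = encode_name("_ipp._tcp.local")                    # RDATA of record 1
_ipp_off = 12 + len(_svc) + 10                           # = 52, where _ipp lands
_rec1 = _svc + struct.pack("!HHIH", TYPE_PTR, 0x8000 | CLASS_IN, 4500, len(_ipp)) + _ipp
_ptr = struct.pack("!H", 0xC000 | _ipp_off)              # pointer to "_ipp._tcp.local"
_rdata2 = encode_name("Printer")[:-1] + _ptr             # "Printer" + pointer
_rec2 = _ptr + struct.pack("!HHIH", TYPE_PTR, 0x8000 | CLASS_IN, 4500, len(_rdata2)) + _rdata2
RESPONSE = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0) + _rec1 + _rec2

if __name__ == "__main__":
    for pkt in (QUERY, RESPONSE):
        print(parse_mdns(pkt))
    print(classify_udp(5353, "224.0.0.251", 5353), classify_udp(40000, "1.1.1.1", 53))
```

Run as-is to see the decoded records; to inspect real LAN traffic, capture with a filter such as `udp port 5353` and feed each UDP payload to `parse_mdns`. The classifier is the check a firewall or IDS rule would make: multicast mDNS is recognisable by its fixed destination group and port, independent of which source port the sender picked.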
  • ChrisGer  Posts: 205  Ally Member
    Hello @vdbm2
    I know the IBM storage as a single/dual iSCSI device that's attached to an iSCSI controller in one/two server(s). iSCSI I used years ago on a Unix backup system. And mstsc and RDP are using the same stack (one at the server and RDP on the client side).
    Currently we have storages connected via LWL (fibre optic; dedicated Data Domains) at the servers.
    You are right about using SSL VPN (IE only), but many firewall manufacturers also offer an SSL VPN as a fat client for Windows systems. The update of an SSL VPN client on a remote system differs very much between the vendors. SSL VPN is, in my view, not as secure as an IPsec AES256/SHA256 connection, but IPsec requires more compute load for en-/decryption of the traffic.

    BUT
    No one can supply 100% security. What an IT guy can do is customize a dedicated system to a minimum of running services (Windows) to reduce the load of unrequired traffic.
    If you want to serve a high-protected area, then you require sandboxing / Layer 7 / three firewall rings ... and so on. The virus variants and ransomware have not overslept the last 10 years. Most of the companies are using Layer 3 (not 7). Mail relays and internet proxies have traffic monitoring to block unwanted data transmission.

    Layer 7
    In some countries you need the co-determination committee's approval in the customer company, because with Layer 7 you can also monitor/report user-related data.

    So, if you require less traffic in the office LAN (before transmitting the data to the data center), you would have to place a Layer 7 firewall next to your core switch for the office LAN area, to deny this traffic on its way to the data center and internet sites.

    Regards
    Christian
