Bonjour/Multicast DNS flooding



  • Hey guys, we've had this issue come up before and couldn't find a solution, today it's come back. We have one particular Mac OS X machine that periodically floods our network with multicast DNS packets. The destination is 224.0.0.251 (multicast address), and it's UDP traffic. I believe it's part of the Bonjour discovery service.

    I can't figure out how to handle this traffic, it's overwhelming my firewall (and it's happened in the past). The default rule blocks the traffic, but so I guess it's more of a switching issue (and nothing in pfsense)… something about how we handle multicast traffic within the LAN? I'd really appreciate if someone can advise me here. This client has sent 16GB in the last 2 hours alone.  "But I'm not even surfing the web!" he says.



  • I want to clarify that I know this is not a pfSense issue, I'm just really looking for some network advice here. Is this just a malfunctioning client, or can I do something to prevent this kind of thing from happening within my network?



  • do you even have enough bandwidth that he could upload that much data in that short of time? also, the default rule would not block any outbound traffic.  I think one of us is a little confused.  :D

    Roy…



  • Is the problem, that your firewall log is filled up?
    This is purely cosmetic.
    You could create a firewall rule at the top which blocks and doesn't log.
    What do you mean that the client sent 16GB in 2 hours?
    How did you measure this?



  • I'm taking that number from BandwidthD and/or from Darkstat. Both tools report the amount of traffic that he's sending out, however the traffic is not going beyond the firewall, it's just flooding my network internally. We managed to change some settings on his machine to stop Bonjour from sending out multicast broadcasts, but this kind of thing is still a concern for me.

    The actual problem is twofold. When this traffic starts sending out, my whole network slows down due to the rate of packets. The second issue is that the rate of packets is so high that my pfsense box seems to quake under the pressure. I start seeing all kinds of latency throughout the network and other staff's internet usage becomes very slow. As soon as we disconnect this one client, everything returns to normal. And again, this is not a rogue user doing something he shouldn't… it's functionality within OS X's Bonjour service.

    How do other people control traffic flooding within their LAN? Do you segregate everything into VLANs? We've really only concidered this for VoIP. We're using a /22 for all our servers, network gear and client machines.



  • I've just had a discussion with a colleague about what could cause this.
    His impression is that this client has probably running a very bad coded piece of software.

    His explanation is that usually with mDNS the software requests an initial list of whatever it wants to know and then gets notified by the system if something changes.
    If this software now constantly sends requests instead of waiting for updates it could lead to the described behaviour.

    Could you look at the mDNS requests to see what is being asked for?
    And then look on the computer in question which process sends these requests?



  • As far as we're aware he wasn't running anything other than the standard OS X apps. It appeared to be the system Bonjour discovery process, though I suppose it could have been generated by an application that was causing the service to misfire. I'm afraid I lack the expertise to know how to look at the requests. Would I use something like WireShark to do that? Or pfSense packet capture?



  • Yes looking at it with wireshark is probably the easiest.
    The frames in question should all be marked as mDNS under "Protocol"



  • 16 gigs in 2 hours translates to roughly 2MB/s of traffic. This is well beyond what normal Bonjour multicast discovery is about.

    Check his machine (look at the network activity in activity monitor), it either shows constant 2MB/s of traffic on the lan port, or something else is really fishy.

    Anyway, this looks like a misconfigured client.


Log in to reply