Or: How to Make Your Apple Quiet
Many security professionals gravitate towards grey laptops milled from a solid block of alumin(i)um. Apple computers are actually not the safest systems to plug into sensitive control networks. The biggest reason for this is part of what makes them lovely: Rendezvous (aka zeroconf networking or Bonjour).
When a stock Macintosh is connected to a network, it immediately starts issuing multicast UDP/IP packets that announce the services running on the computer. This is how, for example, a Macintosh automatically builds a list of the other computers on a network, shares iTunes libraries, discovers file shares, and so on.
Quite a few vendors use multicast addresses for fairly important functionality — for example, IEC-61850 uses multicast traffic for peer discovery, and at least one vendor uses a multicast protocol for determining the live link on their redundant Ethernets. Some embedded control systems products are poorly written enough that an Apple’s unexpected messages could cause trouble. I have yet to see something die from the multicast announcements that a Mac makes, but I really don’t want to — especially not on a client’s live network. I thought that a writeup on how to get around Apple’s cute protocol is in order. Friends don’t let friends trash live control systems, after all.
I use three primary methods of defeating Apple, depending on what test I am running and how paranoid I feel about equipment on the target network.
Method 1: Disable multicast announcements
The first is to disable Zeroconf itself. I recommend doing this in addition to the other methods listed here, because it also makes you a bit more secure when using untrusted networks and can prevent accidents when using other methods.
mDNSResponder is the OS X process responsible for zeroconf. Apple changed the way their mDNSResponder application works starting with Snow Leopard. In Snow Leopard and Lion, it is responsible for normal DNS resolution as well as zeroconf, so the service can no longer just be disabled as it could in Leopard and prior versions of OS X.
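Two pre-flight checks that go with the above, as an added example rather than anything from the original post: the first inspects a copy of the mDNSResponder launchd plist for the `-NoMulticastAdvertisements` argument (my assumption, not the post's instructions: that is the ProgramArguments entry Apple documented for 10.6 to suppress Bonjour advertisements while leaving unicast DNS resolution in place), and the second reads `tcpdump -n` text output and tallies, per source host, how many packets went to the mDNS group (224.0.0.251 on UDP 5353) versus any other multicast address, so you can watch your own laptop on an isolated switch before it meets a client's network. The tcpdump lines and plist fragments below are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# Added example, not the post's own procedure. Assumes the
# -NoMulticastAdvertisements launchd argument (Apple's 10.6 method).
MDNS_PLIST=/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

# Constructed plist fragments: one with the flag, one without.
QUIET_PLIST_SAMPLE='<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-NoMulticastAdvertisements</string>
</array>'
NOISY_PLIST_SAMPLE='<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
</array>'

# Constructed tcpdump -n output: a Mac (192.168.1.20) announcing AFP, DAAP
# and querying for SSH over mDNS, one SSDP packet, one unicast TCP SYN from
# another host, and one mDNS query from a third host.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.168.1.20.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0 PTR _afpovertcp._tcp.local., (120)
12:00:01.000002 IP 192.168.1.20.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/0 PTR _daap._tcp.local., (90)
12:00:02.000003 IP 192.168.1.20.5353 > 224.0.0.251.5353: 0 [2q] PTR (QM)? _ssh._tcp.local. (45)
12:00:02.500000 IP 192.168.1.20.49152 > 239.255.255.250.1900: UDP, length 133
12:00:03.000000 IP 192.168.1.7.45000 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0
12:00:04.000000 IP 192.168.1.9.5353 > 224.0.0.251.5353: 0 [1q] PTR (QM)? _http._tcp.local. (40)'

# is_quiet_plist FILE: exit 0 if FILE carries -NoMulticastAdvertisements,
# non-zero otherwise. Run it against $MDNS_PLIST on the Mac itself.
is_quiet_plist() {
    grep -q -- '-NoMulticastAdvertisements' "$1"
}

# mdns_senders: read tcpdump -n lines on stdin, print "count host kind",
# busiest first, where kind is "mdns" (224.0.0.251:5353) or "other-mcast"
# (any other 224.0.0.0/4 destination). Unicast traffic is ignored.
mdns_senders() {
    awk '
        $2 == "IP" && $5 ~ /^2(2[4-9]|3[0-9])\./ {
            src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
            kind = ($5 == "224.0.0.251.5353:") ? "mdns" : "other-mcast"
            n[src " " kind]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone demo on the constructed capture; on a Mac, replace the sample
# with:  sudo tcpdump -ni en0 -l 'ip multicast' | mdns_senders
echo "multicast senders in sample capture:"
printf '%s\n' "$SAMPLE_TCPDUMP" | mdns_senders
```

If the plist check fails after you have edited the real file, remember that launchd only reads ProgramArguments when the job is loaded, so a reboot (or unloading and reloading the job) is needed before the capture check will show the Mac going quiet.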