SecurityWeek

Vulnerabilities

mDNS Can Be Used to Amplify DDoS Attacks: Researcher

Some multicast Domain Name System (mDNS) implementations respond to unicast queries coming from outside the local link. A researcher has determined that this behavior can be exploited for information disclosure and amplifying distributed denial-of-service (DDoS) attacks.

mDNS is a zero-configuration service designed to resolve host names to IP addresses. It is used on local networks for device and service discovery, and it can be found in devices such as printers, phones, and network-attached storage (NAS) systems. mDNS daemons are available for Windows, OS X and Linux operating systems.

“Multicast DNS and DNS service discovery daemons deployed on various systems across the Internet are misconfigured and reply to queries targeting their unicast addresses, including requests from their WAN interface,” security researcher Chad Seaman explained in a write-up published on GitHub.

There may be some use cases where this is needed, but RFC 6762 recommends ignoring unicast queries that originate from outside the local link when their source cannot be verified.
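The misconfiguration described above comes down to one missing check on the responder: whether the query's source address is on the local link. The following is an added example, not code from the article or from any mDNS daemon, that places the permissive behaviour beside an RFC 6762-style policy. The interface address, prefix and sample query are constructed for the demonstration.

```python
"""Responder-side policy for mDNS queries: the permissive behaviour the article
describes next to a source check in the spirit of RFC 6762 (added example).
Interface address, prefix and the sample query are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

MDNS_PORT = 5353
# Well-known mDNS multicast groups (RFC 6762 section 3).
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}


@dataclass(frozen=True)
class Interface:
    """Address and prefix length of the interface the query arrived on."""
    address: str
    prefixlen: int

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.address}/{self.prefixlen}", strict=False)


def encode_name(name: str) -> bytes:
    """DNS wire encoding of a dotted name (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(name: str, qtype: int = 12) -> bytes:
    """Construct a one-question DNS query: ID 0, flags 0 (QR=0), PTR by default."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def looks_like_query(payload: bytes) -> bool:
    """Minimal sanity check: full header present, QR bit clear, at least one question."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount = struct.unpack("!HHH", payload[:6])
    return (flags & 0x8000) == 0 and qdcount >= 1


def is_on_link(src: str, iface: Interface) -> bool:
    """True when the source cannot have been routed in from elsewhere: it sits
    inside the interface's own prefix, or it is link-local (169.254/16,
    fe80::/10), which routers do not forward."""
    addr = ipaddress.ip_address(src)
    return addr.is_link_local or addr in iface.network


def permissive_policy(payload: bytes, src: str, iface: Interface) -> bool:
    """The misconfigured behaviour: any well-formed query that reaches the socket
    is answered, including unicast queries arriving via the WAN interface."""
    return looks_like_query(payload)


def rfc6762_policy(payload: bytes, src: str, iface: Interface) -> bool:
    """Answer only well-formed queries whose source is verifiably on the local
    link; unicast queries from beyond the link are silently ignored."""
    return looks_like_query(payload) and is_on_link(src, iface)


def classify(payload: bytes, src: str, dst: str, iface: Interface) -> str:
    """Readable verdict for a single packet under the RFC 6762-style policy."""
    kind = "multicast" if ipaddress.ip_address(dst) in MDNS_GROUPS else "unicast"
    verdict = "answer" if rfc6762_policy(payload, src, iface) else "ignore"
    return f"{verdict} {kind} query from {src}"


if __name__ == "__main__":
    iface = Interface("192.168.1.20", 24)          # constructed LAN interface
    query = build_query("_services._dns-sd._udp.local")
    for src, dst in [("192.168.1.77", "224.0.0.251"),   # normal on-link multicast
                     ("192.168.1.77", "192.168.1.20"),  # on-link unicast
                     ("169.254.10.5", "192.168.1.20"),  # link-local source
                     ("203.0.113.9", "192.168.1.20")]:  # off-link unicast via WAN
        print(classify(query, src, dst, iface),
              "| permissive would answer:", permissive_policy(query, src, iface))
```

The link-local case matters because a host without DHCP still has to be able to take part in discovery; the off-link case is the one the article says 100,000-plus devices got wrong.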

Seaman has scanned the Internet and discovered more than 100,000 devices responding to mDNS queries targeting their unicast address, including printers, NAS devices, and machines running Windows and Linux.

“Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all,” the expert noted.

According to Seaman, an attacker can leverage these queries to obtain sensitive information such as network, administration, and device details. In addition to information leakage, a malicious actor can also leverage misconfigured systems to amplify DDoS attacks, because the response can be much larger than the query.

“An attacker can expect at least a 1:1 reflection; in some of my testing, some services amplified by as much as 975%. The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be around 130%+ amplification on average,” the researcher said.
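For a network owner, the question raised by the figures above is which of their own hosts are answering mDNS from off-network sources and how much larger the replies are than the queries. The script below is an added example, not from the article or the researcher's write-up, that runs that check over a constructed NetFlow-style record set; the internal address range and all flow records are assumptions for the sample network.

```python
"""Find internal hosts that reply to mDNS queries from outside the network and
estimate the amplification each provides (added example, not the article's code).
Input is a constructed NetFlow-like CSV: src,sport,dst,dport,bytes."""
from collections import defaultdict
import csv
import io
import ipaddress

MDNS_PORT = 5353

# Assumed address space of the monitored network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records. 198.51.100.20 answers an off-network query with a
# reply ten times the size of the query; .30 is queried but stays silent; .40
# only exchanges mDNS with an on-link neighbour, which is normal behaviour.
SAMPLE_FLOWS = """\
src,sport,dst,dport,bytes
203.0.113.9,40123,198.51.100.20,5353,46
198.51.100.20,5353,203.0.113.9,40123,460
203.0.113.9,40124,198.51.100.30,5353,46
198.51.100.45,5353,198.51.100.40,5353,120
198.51.100.40,5353,198.51.100.45,5353,120
198.51.100.20,5353,203.0.113.50,51000,460
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield one dict per record with numeric ports and byte counts."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"src": row["src"], "sport": int(row["sport"]),
               "dst": row["dst"], "dport": int(row["dport"]),
               "bytes": int(row["bytes"])}


def find_exposed_responders(text: str) -> dict:
    """Return {internal_host: {"external_peers": n, "unsolicited": n, "max_ratio": x}}
    for every internal host seen sending from UDP 5353 to an off-network address."""
    flows = list(parse_flows(text))
    queries = {}  # (internal, external, external_port) -> query bytes
    report = defaultdict(lambda: {"external_peers": set(), "unsolicited": 0, "max_ratio": 0.0})
    # Pass 1: queries arriving from outside the network.
    for f in flows:
        if f["dport"] == MDNS_PORT and is_internal(f["dst"]) and not is_internal(f["src"]):
            queries[(f["dst"], f["src"], f["sport"])] = f["bytes"]
    # Pass 2: replies leaving the network from port 5353.
    for f in flows:
        if f["sport"] == MDNS_PORT and is_internal(f["src"]) and not is_internal(f["dst"]):
            entry = report[f["src"]]
            entry["external_peers"].add(f["dst"])
            qbytes = queries.get((f["src"], f["dst"], f["dport"]))
            if qbytes is None:
                # Reply with no matching query at this collector; keep it as a
                # separate count rather than silently dropping it.
                entry["unsolicited"] += 1
            else:
                entry["max_ratio"] = max(entry["max_ratio"], f["bytes"] / qbytes)
    return {host: {"external_peers": len(e["external_peers"]),
                   "unsolicited": e["unsolicited"],
                   "max_ratio": round(e["max_ratio"], 2)}
            for host, e in report.items()}


if __name__ == "__main__":
    for host, info in find_exposed_responders(SAMPLE_FLOWS).items():
        print(f"{host}: answered {info['external_peers']} external peer(s), "
              f"max amplification {info['max_ratio']}x, "
              f"{info['unsolicited']} reply without an observed query")
```

A host that shows up in this report at all is the finding; the ratio only ranks how attractive it is as a reflector. Replies with no observed query deserve a look too, since a spoofed query may have entered by a path the collector does not see.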

Seaman and the CERT Coordination Center at Carnegie Mellon University have advised organizations to block UDP traffic on port 5353. In some cases, mDNS services can be disabled from the software or the device.

The issue has been found to affect the Avahi implementation (versions prior to 0.6.31), which is shipped with most Linux distributions, Canon MG6200 series printers, and previous generations of HP printing products.

IBM has released patches to resolve the vulnerability in IBM Security Access Manager for Web. According to an advisory, a remote attacker can extract information from the mDNS service by sending specially crafted UDP packets.

Products from several other companies might also be affected. However, Seaman says some vendors have already stated that they will not fix the issue in older devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.