
mDNS Can Be Used to Amplify DDoS Attacks: Researcher

Some multicast Domain Name System (mDNS) implementations respond to unicast queries coming from outside the local link. A researcher has determined that this behavior can be exploited for information disclosure and amplifying distributed denial-of-service (DDoS) attacks.

mDNS is a zero-configuration protocol that resolves host names to IP addresses on the local link without a conventional DNS server. Combined with DNS Service Discovery (DNS-SD), it is used on local networks for device and service discovery, and it can be found in devices such as printers, phones, and network-attached storage (NAS) systems. mDNS daemons are available for Windows, OS X and Linux (for example Apple's Bonjour and the open-source Avahi).

“Multicast DNS and DNS service discovery daemons deployed on various systems across the Internet are misconfigured and reply to queries targeting their unicast addresses, including requests from their WAN interface,” security researcher Chad Seaman explained in a write-up published on GitHub.

There may be use cases where answering such queries is needed, but RFC 6762 (section 5.5) says that a responder receiving a unicast query on port 5353 should check that the source address is on the local link and silently ignore the query if it is not.

Seaman has scanned the Internet and discovered more than 100,000 devices responding to mDNS queries targeting their unicast address, including printers, NAS devices, and machines running Windows and Linux.

“Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all,” the expert noted.

According to Seaman, an attacker can use such queries to obtain sensitive information, such as network, administration, and device details, from the responses. Beyond information leakage, a malicious actor can also use misconfigured systems to amplify DDoS attacks: mDNS runs over UDP, so the attacker can spoof the victim's address as the query source, and because the size of the response can be much larger than the size of the query, each reflected reply delivers more traffic to the victim than the attacker had to send.

“An attacker can expect at least a 1:1 reflection; in some of my testing, some services amplified by as much as 975%. The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be around 130%+ amplification on average,” the researcher said.
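To check whether one of your own hosts shows the behavior described above, the following added Python script (written for this page; it is not code from the article or from Seaman's write-up) builds the DNS-SD service-enumeration query that makes a responder list every service type it advertises, sends it as a plain unicast query to UDP port 5353, parses the reply, and reports the ratio of reply bytes to query bytes. The `probe` and `sample_response` helpers, the constructed sample reply, and the command-line usage are assumptions for illustration; run it only against systems you are authorized to test.

```python
# Added example, not code from the article or from Seaman's write-up.
# Sends one legacy unicast DNS-SD query to UDP/5353 and measures the reply size.
import socket
import struct
import sys

MDNS_PORT = 5353
QTYPE_PTR = 12
QCLASS_IN = 1
# One small query for this name makes a responder enumerate every service
# type it advertises, which is why the reply dwarfs the request.
SERVICES_ENUM = "_services._dns-sd._udp.local"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a 0 terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name=SERVICES_ENUM, qtype=QTYPE_PTR):
    """Plain DNS query: header (id 0, flags 0, one question) + question section.
    Sent from an ephemeral port this is a 'legacy unicast' query, which a
    responder answers by unicast straight back to the sender (RFC 6762, 6.7)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointer hops are capped so a hostile reply cannot loop the parser."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_response(data):
    """Parse the header, skip the echoed question, collect every resource record.
    PTR rdata is decoded as a name; any other rdata is returned as hex."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                      # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        value = decode_name(data, offset)[0] if rtype == QTYPE_PTR else data[offset:offset + rdlen].hex()
        records.append((name, rtype, value))
        offset += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "records": records}


def amplification(query, response):
    """Bytes received per byte sent: 1.0 is pure reflection, above 1 is amplification."""
    return len(response) / len(query)


def sample_response():
    """CONSTRUCTED reply (not captured from any real device): the question echoed
    back plus three PTR answers using 0xC0 compression pointers like real replies."""
    qname = encode_name(SERVICES_ENUM)
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 3, 0, 0)          # QR|AA, 1 question, 3 answers
    question = qname + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
    local_ptr = struct.pack("!H", 0xC000 | (12 + len(qname) - 7))   # pointer to "\x05local"
    answers = b""
    for svc in ("_http._tcp", "_ipp._tcp", "_smb._tcp"):
        rdata = encode_name(svc)[:-1] + local_ptr                    # compress the ".local" suffix
        answers += struct.pack("!H", 0xC00C)                         # owner name = pointer to question
        answers += struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 4500, len(rdata)) + rdata
    return header + question + answers


def probe(host, timeout=2.0):
    """Send one unicast query to host:5353; return a result dict, or None on silence.
    A reply from off-link means the responder skips the RFC 6762 5.5 source check."""
    query = build_query()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (host, MDNS_PORT))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return {"query_bytes": len(query), "response_bytes": len(data),
            "amplification": amplification(query, data), "records": parse_response(data)["records"]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:                                                # offline demo on the constructed reply
        q, r = build_query(), sample_response()
        print("%d-byte query -> %d-byte reply (x%.2f)" % (len(q), len(r), amplification(q, r)))
        for name, _rtype, value in parse_response(r)["records"]:
            print("  ", name, "PTR", value)
```

Saved as, say, mdns_probe.py and run with a host argument from outside the target's link, any reply at all shows the responder is usable as a reflector, and the printed ratio is the per-packet gain an attacker would get from it; without an argument it parses the constructed sample offline. Re-run it after filtering port 5353 to confirm the host has gone silent.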

Seaman and the CERT Coordination Center at Carnegie Mellon University have advised organizations to block inbound and outbound UDP traffic on port 5353 at the network perimeter, which stops Internet-sourced queries without affecting discovery on the LAN. In some cases, the mDNS service can be disabled in the software or on the device, or bound only to the internal interface.

The issue has been found to affect the Avahi implementation (versions prior to 0.6.31), which is shipped with most Linux distributions, Canon MG6200 series printers, and previous generations of HP printing products.

IBM has released patches to resolve the vulnerability in IBM Security Access Manager for Web. According to an advisory, a remote attacker can extract information from the mDNS service by sending specially crafted UDP packets.

Products from several other companies might also be affected. However, Seaman says some vendors have already stated that they will not fix the issue in older devices.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.