SecurityWeek

mDNS Can Be Used to Amplify DDoS Attacks: Researcher

Some multicast Domain Name System (mDNS) implementations respond to unicast queries coming from outside the local link. A researcher has determined that this behavior can be exploited for information disclosure and amplifying distributed denial-of-service (DDoS) attacks.

mDNS (RFC 6762) is a zero-configuration protocol that resolves host names to IP addresses on a local link without a conventional DNS server. Together with DNS Service Discovery (DNS-SD) it is used on local networks for device and service discovery, and it is built into devices such as printers, phones, and network-attached storage (NAS) systems. It runs over UDP port 5353, with queries normally sent to the multicast group 224.0.0.251 (ff02::fb for IPv6). mDNS daemons are available for Windows, OS X and Linux operating systems.

“Multicast DNS and DNS service discovery daemons deployed on various systems across the Internet are misconfigured and reply to queries targeting their unicast addresses, including requests from their WAN interface,” security researcher Chad Seaman explained in a write-up published on GitHub.

There may be some use cases where answering unicast queries is needed, and RFC 6762 (section 5.5) allows it, but the same section notes that a unicast query can arrive from outside the local link and says a responder should check that the query's source address belongs to the local subnet (for IPv6, an on-link prefix) and silently ignore the packet if it does not.
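The source check that RFC 6762 section 5.5 describes, written out as an added example (this is not code from the article, from Avahi or from any other daemon). The interface addresses, the sample queries and the TTL-255 heuristic (taken from the convention in RFC 6762 section 11 that link-local mDNS traffic is sent with IP TTL 255) are assumptions made for the example:

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample: the addresses configured on a hypothetical responder's
# interfaces. A real responder would read these from its interface table.
LOCAL_INTERFACES = [
    ipaddress.ip_interface("192.168.1.20/24"),
    ipaddress.ip_interface("fe80::1a2b:3c4d:5e6f:7081/64"),
    ipaddress.ip_interface("2001:db8:42::20/64"),
]

MDNS_PORT = 5353
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def source_is_on_link(src: str, interfaces: Iterable = LOCAL_INTERFACES) -> bool:
    """RFC 6762 s5.5: the query's source address must fall inside the subnet of
    one of our own interfaces (for IPv6, an on-link prefix)."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr in LINK_LOCAL_V6:
        return True  # fe80::/10 is never routed, so it can only have come from the link
    return any(addr.version == i.version and addr in i.network for i in interfaces)


def should_answer(src: str, dst: str, ip_ttl: Optional[int] = None,
                  interfaces: Iterable = LOCAL_INTERFACES) -> Tuple[bool, str]:
    """Decide whether a query received from src, addressed to dst, gets an answer.
    Returns (decision, reason) so the reason can be logged. The source check is
    applied to multicast and unicast queries alike; it is the unicast case that
    the misconfigured daemons in the article get wrong."""
    if not source_is_on_link(src, interfaces):
        kind = "multicast" if ipaddress.ip_address(dst) in MDNS_GROUPS else "unicast"
        return False, f"ignored: {kind} query from off-link source {src} (RFC 6762 s5.5)"
    if ip_ttl is not None and ip_ttl != 255:
        # Assumed defence-in-depth heuristic: link-local mDNS traffic is sent with
        # TTL 255 (RFC 6762 s11), so a lower TTL means the packet crossed a router.
        return False, f"ignored: query from {src} arrived with TTL {ip_ttl}, not 255"
    return True, f"answer: query from on-link source {src}"


# Constructed sample of received queries: (source address, destination address, IP TTL).
SAMPLE_QUERIES = [
    ("192.168.1.77", "224.0.0.251", 255),        # normal multicast query from the LAN
    ("192.168.1.77", "192.168.1.20", 255),       # unicast query from the LAN, allowed by s5.5
    ("203.0.113.9", "192.168.1.20", 52),         # Internet scanner hitting the WAN address
    ("fe80::9c3e:1", "ff02::fb", 255),           # IPv6 link-local multicast query
    ("2001:db8:99::1", "2001:db8:42::20", 255),  # unicast query from a foreign IPv6 prefix
]


def triage(events: List[Tuple[str, str, int]]) -> List[Tuple[str, bool, str]]:
    """Run the decision over a batch of received queries."""
    return [(src, *should_answer(src, dst, ttl)) for src, dst, ttl in events]


if __name__ == "__main__":
    for src, decision, reason in triage(SAMPLE_QUERIES):
        print(f"{src:>18}  {'ANSWER' if decision else 'DROP  '}  {reason}")
```

Only the third and fifth sample queries are dropped: the scanner's packet fails the subnet check before the TTL is even looked at, and the foreign IPv6 prefix fails it even though the packet was sent with TTL 255.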

Seaman has scanned the Internet and discovered more than 100,000 devices responding to mDNS queries targeting their unicast address, including printers, NAS devices, and machines running Windows and Linux.

“Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all,” the expert noted.

According to Seaman, an attacker can leverage these queries to obtain sensitive information such as network, administration, and device details. In addition to information leakage, a malicious actor can also use misconfigured systems to amplify DDoS attacks: mDNS runs over UDP, so the attacker can spoof the victim's address as the query's source, and the response, which can be much larger than the query, is delivered to the victim instead.

“An attacker can expect at least a 1:1 reflection; in some of my testing, some services amplified by as much as 975%. The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be around 130%+ amplification on average,” the researcher said.


Seaman and the CERT Coordination Center at Carnegie Mellon University have advised organizations to block inbound UDP traffic to port 5353 at the network boundary, so that only hosts on the local link can reach a responder. Where the service is not needed at all, mDNS can be disabled in the software or on the device.

The issue has been found to affect the Avahi implementation (versions prior to 0.6.31), which ships with most Linux distributions, Canon MG6200 series printers, and earlier generations of HP printing products.

IBM has released patches to resolve the vulnerability in IBM Security Access Manager for Web. According to an advisory, a remote attacker can extract information from the mDNS service by sending specially crafted UDP packets.

Products from several other companies might also be affected. However, Seaman says some vendors have already stated that they will not fix the issue in older devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
