Menu
Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Some implementations of the multicast DNS protocol are configured to accept queries from the Internet, which is a risky behavior

Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks.

The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others.

The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it's not, the request should be ignored.

A security researcher named Chad Seaman discovered that some mDNS implementations don't follow this recommendation and will respond to mDNS queries received from the Internet. The problem with this behavior is twofold.

First, depending on the type of query, mDNS responses can leak sensitive details about the device and its services, including its model, serial number, host name, physical MAC address, network configuration and more. This information could potentially help hackers better plan their attacks.

The second implication is even more serious. Because mDNS responses can be considerably larger than the queries triggering them and because the source IP address can be spoofed, devices that accept mDNS queries from the Internet can be abused to reflect and amplify DDoS attacks.

DDoS reflection helps attackers hide the source of their malicious traffic. Instead of flooding a target with packets directly, attackers can send mDNS queries with a spoofed source address to vulnerable devices causing them to send unsolicited responses to the victim's IP address.

DDoS amplification implies reflection, but also increases the amount of rogue traffic attackers can generate. That's because the size of the mDNS responses sent by vulnerable devices to the victim will be larger than the queries made by the attackers.

In tests, some of the vulnerable mDNS services amplified the traffic by as much as 975 percent, Seaman said in a write-up on GitHub. "The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be over 130 percent amplification on average."

Amplification techniques have been used in some of the largest DDoS attacks seen in recent years. There are several protocols that can be abused for this purpose if configured improperly, including DNS (Domain Name System), SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol).

Seaman found over 100,000 devices that respond to mDNS queries over the Internet and can potentially be used by attackers for DDoS amplification.

"These devices include several NAS boxes and printers as well as Windows and Linux machines," he said. "Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all."

The researcher notified the CERT Coordination Center (CERT/CC), which issued an advisory about the issue Tuesday.

"If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network," the organization said.

Some devices from Canon, Hewlett-Packard, IBM and Synology were found to respond to Internet-based mDNS queries in their default configurations. However, it's not clear which software running on them actually responds to the queries, CERT/CC said.

Avahi, a Linux software package for zero-configuration networking, was also found to be vulnerable.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetyIBMsecurityCanonCERT Coordination CenterExploits / vulnerabilitiesHewlett-Packardsynology

Featured

Slideshows

Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Top 15 Kiwi tech storylines to follow in 2017

Top 15 Kiwi tech storylines to follow in 2017

​The New Year brings the usual new round of humdrum technology predictions, glaringly general, unashamedly safe and perpetually predictable. But while the industry no longer sees value in “cloud is now the norm” type projections, value can be found in following developments of the year previous, analysing behaviours and patterns to formulate a plan for the 12 months ahead. Consequently, here’s the top Kiwi tech storylines to follow in 2017...

Top 15 Kiwi tech storylines to follow in 2017
Show Comments