Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Some implementations of the multicast DNS protocol are configured to accept queries from the Internet, which is a risky behavior

Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks.

The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others.

The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it's not, the request should be ignored.

A security researcher named Chad Seaman discovered that some mDNS implementations don't follow this recommendation and will respond to mDNS queries received from the Internet. The problem with this behavior is twofold.

First, depending on the type of query, mDNS responses can leak sensitive details about the device and its services, including its model, serial number, host name, physical MAC address, network configuration and more. This information could potentially help hackers better plan their attacks.

The second implication is even more serious. Because mDNS responses can be considerably larger than the queries triggering them and because the source IP address can be spoofed, devices that accept mDNS queries from the Internet can be abused to reflect and amplify DDoS attacks.

DDoS reflection helps attackers hide the source of their malicious traffic. Instead of flooding a target with packets directly, attackers can send mDNS queries with a spoofed source address to vulnerable devices causing them to send unsolicited responses to the victim's IP address.

DDoS amplification implies reflection, but also increases the amount of rogue traffic attackers can generate. That's because the size of the mDNS responses sent by vulnerable devices to the victim will be larger than the queries made by the attackers.

In tests, some of the vulnerable mDNS services amplified the traffic by as much as 975 percent, Seaman said in a write-up on GitHub. "The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be over 130 percent amplification on average."

Amplification techniques have been used in some of the largest DDoS attacks seen in recent years. There are several protocols that can be abused for this purpose if configured improperly, including DNS (Domain Name System), SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol).

Seaman found over 100,000 devices that respond to mDNS queries over the Internet and can potentially be used by attackers for DDoS amplification.

"These devices include several NAS boxes and printers as well as Windows and Linux machines," he said. "Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all."

The researcher notified the CERT Coordination Center (CERT/CC), which issued an advisory about the issue Tuesday.

"If such mDNS behavior is not a requirement for your organization, consider blocking the mDNS UDP port 5353 from entering or leaving your local link network," the organization said.

Some devices from Canon, Hewlett-Packard, IBM and Synology were found to respond to Internet-based mDNS queries in their default configurations. However, it's not clear which software running on them actually responds to the queries, CERT/CC said.

Avahi, a Linux software package for zero-configuration networking, was also found to be vulnerable.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetyIBMsecurityCanonCERT Coordination CenterExploits / vulnerabilitiesHewlett-Packardsynology

More about CanonLinuxNASSNMPSynology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place