mDNS Can Be Used to Amplify DDoS Attacks: Researcher

[Reefa]

Some multicast Domain Name System (mDNS) implementations respond to unicast queries coming from outside the local link. A researcher has determined that this behavior can be exploited for information disclosure and amplifying distributed denial-of-service (DDoS) attacks.

mDNS is a zero-configuration service designed to resolve host names to IP addresses. It is used on local networks for device and service discovery, and it can be found in devices such as printers, phones, and network-attached storage (NAS) systems. mDNS daemons are available for Windows, OS X and Linux operating systems.

“Multicast DNS and DNS service discovery daemons deployed on various systems across the Internet are misconfigured and reply to queries targeting their unicast addresses, including requests from their WAN interface,”

security researcher Chad Seaman explained in a write-up published on GitHub.

There may be some use cases where this is needed, but RFC 6762 recommends that unicast queries originating from outside the local link should be ignored if their source can’t be verified.

Seaman has scanned the Internet and discovered more than 100,000 devices responding to mDNS queries targeting their unicast address, including printers, NAS devices, and machines running Windows and Linux.

“Some of these machines were located on larger networks such as corporations and universities, and appeared to be poorly secured, if secured at all,” the expert noted.

According to Seaman, an attacker can leverage these queries to obtain sensitive information such as network, administration, and device details. In addition to information leakage, a malicious actor can also leverage misconfigured systems to amplify DDoS attack because the size of the response can be much larger than the size of the query.

“An attacker can expect at least a 1:1 reflection, in some of my testing, some services amplified by as much as 975%. The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be around 130%+ amplification on average,” the researcher said.

Seaman and the CERT Coordination Center at Carnegie Mellon University have advised organizations to block UDP traffic on port 5353. In some cases, mDNS services can be disabled from the software or the device.

The issue has been found to affect the Avahi implementation (versions prior to 0.6.31), which is shipped with most Linux distributions, Canon MG6200 series printers, and previous generations of HP printing products.

IBM has released patches to resolve the vulnerability in IBM Security Access Manager for Web. According to an advisory, a remote attacker can extract information from the mDNS service by sending specially crafted UDP packets.

Products from several other companies might also be affected. However, Seaman says some vendors have already stated that they will not fix the issue in older devices.

securityweek.com

[stylemessiah]

So its another "some person in a lab discovers a "vulnerability" thats has a less than negligible (read: no impact) real world impact but writes a paper on it and gets their name on the front page of a website which tries to scare people into believing its more than it actually is" kinda story

Lets file it with all the other ones like it that get posted here :)

Like the front cover of the Hitch-hikers Guide says "Dont Panic"

Honestly "Security Researchers" are to IT what bloggers are to journalism, only i respect bloggers more :)