Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Lucian Constantin | April 2, 2015
Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks.

Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks.

The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others.

The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it's not, the request should be ignored.

A security researcher named Chad Seaman discovered that some mDNS implementations don't follow this recommendation and will respond to mDNS queries received from the Internet. The problem with this behavior is twofold.

First, depending on the type of query, mDNS responses can leak sensitive details about the device and its services, including its model, serial number, host name, physical MAC address, network configuration and more. This information could potentially help hackers better plan their attacks.

The second implication is even more serious. Because mDNS responses can be considerably larger than the queries triggering them and because the source IP address can be spoofed, devices that accept mDNS queries from the Internet can be abused to reflect and amplify DDoS attacks.

DDoS reflection helps attackers hide the source of their malicious traffic. Instead of flooding a target with packets directly, attackers can send mDNS queries with a spoofed source address to vulnerable devices causing them to send unsolicited responses to the victim's IP address.

DDoS amplification implies reflection, but also increases the amount of rogue traffic attackers can generate. That's because the size of the mDNS responses sent by vulnerable devices to the victim will be larger than the queries made by the attackers.

In tests, some of the vulnerable mDNS services amplified the traffic by as much as 975 percent, Seaman said in a write-up on GitHub. "The true amplification rate is hard to predict since the replies vary a lot based on server configuration and the size of the query packet itself, which changes based on the service being queried, but a safe estimate would be over 130 percent amplification on average."

Amplification techniques have been used in some of the largest DDoS attacks seen in recent years. There are several protocols that can be abused for this purpose if configured improperly, including DNS (Domain Name System), SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol).

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.