Multicast DNS Vulnerability Could Lead to DDOS Amplification Attacks

DHS warned of a serious vulnerability in Multicast DNS devices whereby leaked system information could be leveraged in a DDoS amplification attack.

The Department of Homeland Security sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information that could be leveraged in high volume DDoS amplification attacks.

“I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.”

The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while whether Apple, a number of Linux distributions, and Dell devices are affected. Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said.

The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack. According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762.

“It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said.

The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more.

“These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said.

The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN, or disabling mDNS services. As with other noteworthy amplification attacks, large amounts of bad traffic is pointed at a specific online service, in most cases, over-running it in short order.

“As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection.  As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection.  Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.”

Suggested articles