Multicast DNS (mDNS) vulnerability


Overview

The Multicast DNS (mDNS) protocol is a variant of the standard DNS protocol that is open to abuse by external systems.[1]  It can be used as a traffic amplifier in a distributed denial-of-service attack against NeCTAR or third-party DNS servers.[2][3]  (The attacker sends requests to an mDNS service, which directs its replies at the attack target.)  Such an attack may also consume significant network bandwidth, and is likely to result in network blacklisting.

The mDNS service can also be used to gather information about your systems that could be used to help hackers gain access to them.

Checking to see if you are vulnerable

To manually test if a system is vulnerable to this, you can use the command:

      dig +short @[IP] -p [PORT] -t any _services._dns-sd._udp.local

The default port for mDNS is 5353.
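The same check as the dig command, as an added example that is not part of the original article: a dependency-free Python probe that sends one unicast query (type ANY for _services._dns-sd._udp.local) to an instance on UDP 5353 and lists the service types in any reply. The host addresses passed to probe() are assumed to be your own instances; a list of names means the service answers unicast queries from your network position, None means nothing came back within the timeout.

```python
import socket
import struct

DNS_SD_NAME = "_services._dns-sd._udp.local"   # the name the dig command queries

def encode_name(name):  # dotted name -> DNS wire format (length-prefixed labels)
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_query(name=DNS_SD_NAME, txid=0x1234):
    """12-byte header (flags 0, QDCOUNT 1) plus one question: type ANY, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 255, 1)

def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:              # compression pointer (RFC 1035 s4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length

def parse_ptr_answers(data):
    """PTR targets (advertised service types) in the answer section of a reply."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off, targets = 12, []
    for _ in range(qdcount):                     # skip the echoed question(s)
        off = decode_name(data, off)[1] + 4
    for _ in range(ancount):
        off = decode_name(data, off)[1]
        rtype, rdlen = struct.unpack("!H6xH", data[off:off + 10])   # skip class+TTL
        if rtype == 12:                          # PTR; TXT/SRV/A answers are skipped
            targets.append(decode_name(data, off + 10)[0])
        off += 10 + rdlen
    return targets

def probe(host, port=5353, timeout=2.0):  # None: no reply; list: host answered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):
            return None
    return parse_ptr_answers(data)
```

Run probe() from an address outside the security group after applying the mitigations below: it should then return None.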

Recommended mitigations

  • If mDNS has been installed as a free-standing service, disable it.
  • If mDNS is part of some larger application, check the documentation and / or talk to the supplier to find out how to disable it.
  • If use of mDNS is essential, then use OpenStack security groups to restrict inbound UDP access to the instance's mDNS port so that only those (trusted) IP addresses that strictly need to access it can reach it.

References

[1] https://en.wikipedia.org/wiki/Multicast_DNS
[2] http://www.kb.cert.org/vuls/id/550620
[3] https://www.us-cert.gov/ncas/alerts/TA14-017A
