Openly Accessible mDNS Servers

Description

The Multicast Domain Name System (mDNS) protocol is a zero-configuration, multi-platform service designed to resolve host names to IP addresses within small networks that do not have a local DNS server. mDNS listens on port 5353/UDP.

Problem

An openly accessible Multicast DNS server that is misconfigured and responds to unicast queries from sources outside of the local area network may be abused for an Amplified Distributed Denial-of-Service (DDoS) Reflection attack against third parties. Information returned in an mDNS response to a unicast query may also disclose potentially sensitive information about the devices on the network.

Background of Multicast DNS

The Domain Name System (DNS) protocol was designed to perform service discovery and to resolve alphabetic names to IP addresses on the Internet, while the mDNS protocol was designed to perform a similar function in local area networks. There are a number of interesting differences between the two protocols. DNS listens on port 53/UDP while mDNS listens on port 5353/UDP. DNS primarily uses point-to-point (unicast) communication, with each DNS query sent to a specific IP address, while mDNS uses point-to-multipoint (multicast) communication, with the mDNS query sent to every device on the local area network via the reserved mDNS multicast IPv4 address 224.0.0.251. mDNS can generate a large amount of traffic on a local area network. The domain label ".local." is reserved for host names in local area networks that are resolved through mDNS. Top-level domains of the Internet domain naming system, such as .ie, .com or .org, cannot be resolved by mDNS.

Multicast DNS evolved from the Internet Engineering Task Force (IETF) work on zero-configuration networking (Zeroconf). Multicast DNS is designed for small networks where all devices exchange information with one another via their IP addresses. Multicast is a form of communication which makes it possible to establish point-to-multipoint connections in IPv4 networks, enabling a node to reach all interested nodes simultaneously. The node which owns the host name being searched for responds to the entire network, also via multicast. All participating nodes are informed of the association between the host name and the IPv4 address, and update their respective mDNS caches. mDNS multicast queries are not, by default, allowed to pass through a router; mDNS unicast queries, however, can.

mDNS uses the User Datagram Protocol (UDP) as its underlying transport protocol, which allows for unicast communication.

mDNS daemons are available for Microsoft Windows, Apple Inc. OS X and the Linux operating system.

Zero Configuration

Zero Configuration Networking (Zeroconf) and automatic link-local addressing is an Internet Engineering Task Force (IETF) specification that enables devices on an IPv4 network to automatically configure themselves and be discovered without manual intervention. Zeroconf, through a suite of technologies, can assign an IPv4 address and an alternate host name to a device, if required. Once assigned, Zeroconf allows users and applications to readily discover the services it offers. If there is no Dynamic Host Configuration Protocol (DHCP) server on the network and a device does not have an IPv4 address, Zeroconf employs link-local addressing to create one. In RFC3927, the IETF has reserved the IPv4 address block 169.254.0.0/16 for link-local addressing. A host may automatically configure an interface with an IPv4 link-local address from the address block 169.254.0.0/16 that is valid for communication with other devices connected on the same physical link. After an address is chosen, the Address Resolution Protocol (ARP) is used to ascertain that the IPv4 address is not already in use on the network. If it is found not to be in use, the IPv4 address is assigned to the device; otherwise another IPv4 address is selected and the ARP process is repeated.

Multicast DNS host names

The IETF, in RFC6762, has specified that the DNS top-level domain ".local." is a special domain with special semantics: any fully qualified name ending in ".local." is link-local, and names within this domain are meaningful only on the link where they originate. Any DNS query for a name ending with the label ".local." must be sent to the IPv4 link-local multicast address 224.0.0.251.

Example of an Amplified mDNS Distributed Denial of Service (DDoS) Reflection Attack

Since the first documented DoS attack was launched on the 7th Feb 2000 by a 15-year-old hacker, the DoS attack has evolved and become more sophisticated. DoS attacks can be divided into direct and reflection attacks. Direct attacks involve traffic sent directly to the victim from infrastructure controlled by a malicious actor. In reflection attacks, third-party servers are involuntarily used to reflect attack traffic towards the victim. An Amplified mDNS Distributed Denial of Service (DDoS) Reflection Attack consists of a number of separate components and utilises certain features.

Denial of Service (DoS) Attack.

A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious actor who has subjected the system to a flood of unsolicited traffic, which consumes the available bandwidth, creates network congestion and exhausts network resources.

User Datagram Protocol (UDP)

Multicast DNS uses the User Datagram Protocol (UDP) as its underlying transport protocol. UDP is a connectionless protocol that uses datagrams embedded in Internet Protocol (IP) packets, so communication takes place without the need to establish a session between source and destination before transmission. UDP does not validate the source Internet Protocol (IP) address.

Internet Protocol (IP) Spoofing.

The Internet Protocol (IP) provides a unified and simple abstraction for communication over the Internet. It identifies hosts by their IP addresses, allowing for data exchange across networks. The simplicity of the Internet Protocol has proven immensely powerful; however, it has a number of inherent limitations, such as the lack of packet-level authenticity. Routers perform only a lookup on the destination address of incoming packets; the authenticity of the source IP address is not validated on the path between sender and receiver. IP spoofing is the creation of an Internet Protocol (IP) packet in which the genuine source address is replaced with a forged source address. By masquerading as a different host, a malicious actor can hide his or her true identity and location. The ability to forge the source IP address of a packet enables a number of cyber security threats, ranging from the impersonation of remote hosts to DoS attacks.

Reconnaissance.

A malicious actor will scan and probe the Internet searching for Internet-connected Multicast DNS servers which have been misconfigured and respond to a unicast query from a source outside of their local area network. Once a vulnerable mDNS server has been identified, the malicious actor will seek to exploit it, using it as a reflector in an Amplified DDoS Reflection attack against an unsuspecting victim.

Reflection.

In a reflection attack, Internet-connected third-party servers that provide a service and are openly accessible are involuntarily used, through IP spoofing, to reflect attack traffic towards the victim. Reflection also serves to obscure the source of the attack traffic and to hide the identity of the malicious actor.

Amplification.

Many protocols that allow for reflection also add amplification, so that the amount of attack traffic sent to the victim is many times greater than that initially sent to the reflector. Multiple protocols have weaknesses that allow them to be used as accessories for amplification, e.g. DNS, SNMPv2 and mDNS. Multicast DNS devices advertise information about the network services they provide. RFC6763 defines the service enumeration query, which returns all advertised service types on a network. The largest mDNS response payload recorded in a DoS attack contained 428 bytes of data, in response to a query of 45 bytes, an amplification factor of 9.51.

Distributed.

The essential difference between a Denial-of-Service (DoS) attack and a Distributed Denial-of-Service (DDoS) attack is that, instead of one computer system being used to attack a victim, multiple computer systems are used to attack the victim.

Botnet.

Malicious actors are increasingly using intermediaries to launch DoS attacks against victims. DoS attacks are now launched via botnets. A botnet is a collection of Internet-connected computers and devices, geographically dispersed, which have, through security vulnerabilities or device weaknesses, been compromised and hijacked by a malicious actor, known as a Botnet Controller, who exercises control over them through command-and-control software. The Botnet Controller can, through a command-and-control (C&C) server, instruct individual computers and devices, known as 'bots' or 'zombies', to send attack traffic to a victim. A Botnet Controller may offer his botnet as an on-demand DDoS attack service, known as a "Booter" or a "booter service". A malicious actor can hire the services of a "Booter" for a specified time and a specified fee to launch a DDoS attack against a target of choice.

Verification

To establish if a host has an openly accessible service on the Internet, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network, but instead from a different node on the Internet.

Domain Information Groper (dig)

To confirm whether an mDNS server is openly accessible from the Internet, the tool Domain Information Groper (dig) can be used to interrogate it. You can send an mDNS request for an arbitrary domain name to the IP address of the mDNS server:

In the following example, substitute xxx.xxx.xxx.xxx with the IP address of the mDNS server.

$ dig +short -p 5353 -t ptr _services._dns-sd._udp.local @xxx.xxx.xxx.xxx

An openly accessible mDNS service will return a response similar to the example below:

DiG 9.10.31-P4-Ubuntu <<>> TARGET @ xxx.xxx.xxx.xxx
_workstation._tcp.local.
_udisks-ssh._tcp.local.

Otherwise, the request will timeout:

;; connection timed out; no servers could be reached.
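The same unicast check as the dig command above, as an added example that is not part of this advisory: it builds the RFC 6763 service-enumeration PTR query, parses the PTR answers (including DNS name compression) and reports the amplification factor, i.e. response bytes per query byte. sample_response is a constructed packet mirroring the dig output above, not a capture; check_host is the live variant and, like the dig test, must be run from outside the local network.

```python
import socket, struct

MDNS_PORT, TYPE_PTR, SERVICE_ENUM = 5353, 12, "_services._dns-sd._udp.local"  # RFC 6763 enumeration name

def build_query(name=SERVICE_ENUM, txid=0x1234):   # one PTR question, class IN, no EDNS
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", TYPE_PTR, 1)

def read_name(data, off):   # decode a possibly compressed name -> (name, offset after it)
    labels = []
    while (n := data[off]) and n & 0xC0 != 0xC0:
        labels.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    if n & 0xC0 == 0xC0:    # compression pointer: the rest of the name lives elsewhere
        tail = read_name(data, struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF)[0]
        return ".".join(labels + [tail]), off + 2
    return ".".join(labels) + ".", off + 1

def parse_ptr_answers(resp):   # PTR targets in the answer section = advertised service types
    qd, an = struct.unpack("!HH", resp[4:8])
    off, targets = 12, []
    for _ in range(qd):        # skip the echoed question(s): name + type + class
        off = read_name(resp, off)[1] + 4
    for _ in range(an):
        off = read_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == TYPE_PTR:
            targets.append(read_name(resp, off + 10)[0])
        off += 10 + rdlen
    return targets

def amplification_factor(query, resp):   # UDP payload bytes returned per payload byte sent
    return round(len(resp) / len(query), 2)

def sample_response(query):   # constructed sample (not a capture) mirroring the dig output above
    rr = lambda rdata: b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata)) + rdata
    # b"\xc0\x23" is a compression pointer to the 'local' label at offset 35 of the question name
    return (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0) + query[12:]
            + rr(b"\x0c_workstation\x04_tcp\xc0\x23") + rr(b"\x0b_udisks-ssh\x04_tcp\xc0\x23"))

def check_host(ip, timeout=3.0):   # run from OUTSIDE the LAN; None on timeout = not openly accessible
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, MDNS_PORT))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ptr_answers(resp), amplification_factor(query, resp)
```

A real reflector advertising many service types returns a proportionally larger answer section, which is exactly the amplification this advisory describes.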

Solution

If mDNS services are not required, disable mDNS services in devices that allow it or block inbound and outbound mDNS traffic on port 5353/UDP.

If mDNS services are required, restrict access of mDNS services to authorised or specific IP addresses.

Ingress filtering is a simple and effective method of limiting the impact of DoS attacks: it denies traffic with a forged (spoofed) source IP address access to the network, and helps ensure that traffic is traceable to its correct network.

Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations by preventing traffic with a forged (spoofed) source IP address from leaving the network.

Ingress & Egress Filtering

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link.
Ingress & Egress Filtering

Additional Information

Multicast DNS: alternative name resolution on a small scale.
IETF RFC 6762 - Multicast DNS
IETF RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses
IETF RFC 6763 - DNS-Based Service Discovery
Software Engineering Institute - mDNS implementations may respond to unicast queries originating outside the local link.
Pen Test Primer: Multicast DNS & Service Discovery