Cyberattacks are constantly evolving, and among the harmful varieties, mDNS Reflection DDoS Attacks have emerged as a growing and complex threat. In this post, we’ll explore what these attacks are, how they work and what protection measures can be adopted to mitigate their damaging effects.
What is the mDNS service (5353/udp)?
mDNS (Multicast DNS) is a protocol for resolving host names on local networks that have no DNS server of their own. A “multicast” delivers the same message to several hosts on a network at once, and mDNS uses it to discover network neighbours, which makes it suitable for small networks. By default it uses port 5353/UDP. Since the service is meant only for use inside the local network, there is no need for it to be exposed to the Internet.
If it is reachable from the whole Internet over UDP, the service can be abused for DDoS attacks that rely on amplification: the attacker sends a request with the victim’s IP forged as the source address, and the mDNS responder returns a response much larger than the request, addressed to the victim.
What are mDNS Reflection DDoS Attacks?
Multicast DNS DDoS attacks exploit devices that have mDNS enabled and reachable from the Internet. In this type of attack, attackers send spoofed requests to the mDNS service, causing many devices to respond to the designated victim. The victim’s network is overloaded and its services become unavailable, which characterizes a DDoS attack.
How do these attacks work?
Attackers use IP spoofing to send crafted mDNS requests to exposed devices. The requests are built so that they appear to originate from the victim, so the responses are directed at the victim instead of the attacker. The devices therefore respond en masse to the victim, overloading its bandwidth and processing capacity.
Mitigating mDNS Reflection DDoS Attacks
- Disable mDNS if possible: For devices that don’t need mDNS, disabling it is an effective solution to prevent this type of attack.
- Secure Network Configurations: Make sure that your network does not accept mDNS traffic (5353/UDP) from outside the local network, so that your devices cannot be used to amplify this attack.
- Traffic filtering: Implement measures to filter or rate-limit suspicious traffic, identifying and blocking malicious mDNS packets.
- Updates and Patches: Keep your devices and systems up to date with the latest security patches, as they often address known vulnerabilities.
Why should I worry about this?
An exposed mDNS service can be used to cause damage to third parties, involving your network in attacks on other organizations, and it also consumes your own bandwidth.
Additional information on how to prevent your network from being abused for this and other DDoS attacks can be found here:
Where can I get more information about the abuse of the mDNS protocol for DDoS attacks?
- UDP-Based Amplification Attacks https://www.us-cert.gov/ncas/alerts/TA14-017A
How does CERT.br know that this is a vulnerable device?
CERT.br is receiving notifications with lists of devices using mDNS that are possibly being abused and used in distributed denial-of-service (DDoS) attacks. CERT.br is notifying those responsible for the Brazilian devices on these lists.
How can I be sure I’ve solved the problem?
You can check your device with the following command (preferably run it from the Internet, i.e. from outside any internal network that is allowed to reach the device):
$ dig @ENDERECO_IP -p 5353 ptr _services._dns-sd._udp.local
Where ENDERECO_IP is the IP address of the device using mDNS that you want to test. Before running the command, make sure the dig tool is installed on your computer. If the query times out with no answer, the service is no longer reachable from the Internet.
In a scenario where cyber security is more vital than ever, being informed about these attacks and taking proactive measures to protect our infrastructure is essential. By understanding emerging threats, such as mDNS Reflection DDoS Attacks, we are better positioned to strengthen our defenses and ensure the security of our systems and data.
Master da Web, your Cloud solution! ☁️