[Bug 1570788] [NEW] Makes mDNS ddos amplification attack possible
Mattias Wadenstein
maswan at acc.umu.se
Fri Apr 15 10:20:55 UTC 2016
*** This bug is a security vulnerability ***

Public security bug reported:

Apparently mDNS can be used for DDoS amplification; see for instance https://mdns.shadowserver.org/ and https://www.us-cert.gov/ncas/alerts/TA14-017A

Steps to reproduce:

dig @rusk.hpc2n.umu.se -p 5353 -t ptr _services._dns-sd._udp.local

The response is supposedly 2-10 times the size of the query, making for
a moderate but noticeable amplification.

Workarounds are easy, but not responding outside localnet by default is
probably reasonable for mDNS.

Reproduced on at least trusty and precise; would be very surprised if it
didn't also apply to xenial, but I left my xenial laptop at home today. :)

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: avahi-daemon 0.6.30-5ubuntu2.1
ProcVersionSignature: Ubuntu 3.13.0-83.127~precise1-generic 3.13.11-ckt35
Uname: Linux 3.13.0-83-generic x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.0.1-0ubuntu17.13
Architecture: amd64
Date: Fri Apr 15 12:12:22 2016
MarkForUpload: True
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: avahi
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: avahi (Ubuntu)
     Importance: Undecided
         Status: New
** Tags: amd64 apport-bug precise trusty
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to avahi in Ubuntu.
https://bugs.launchpad.net/bugs/1570788
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/avahi/+bug/1570788/+subscriptions
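
The "not responding outside localnet" policy from the report, written as an audit check. This is an added example, not part of the original bug report or of avahi: it flags mDNS queries from off-link sources that were answered and reports the response/query size ratio. The networks, addresses and byte counts are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

MDNS_PORT = 5353

# Constructed sample: networks attached to the responder's interfaces.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "fe80::/10")]

# Constructed flow records: (source, dest port, query bytes, response bytes).
SAMPLE_FLOWS = [
    ("192.0.2.17", 5353, 46, 230),    # on-link, answered: expected
    ("198.51.100.9", 5353, 46, 230),  # off-link, answered
    ("203.0.113.5", 5353, 46, 0),     # off-link, ignored: desired behaviour
    ("203.0.113.77", 5353, 46, 92),   # off-link, answered
    ("198.51.100.9", 53, 40, 90),     # not mDNS, out of scope
    ("fe80::1", 5353, 46, 230),       # IPv6 link-local, on-link
]


def is_on_link(src, local_nets=LOCAL_NETS):
    """True if src falls inside one of the responder's attached networks."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in local_nets)


def audit(flows, local_nets=LOCAL_NETS):
    """Return one finding per mDNS query answered to an off-link source."""
    findings = []
    for src, dport, q_bytes, r_bytes in flows:
        if dport != MDNS_PORT or is_on_link(src, local_nets):
            continue
        if r_bytes == 0 or q_bytes <= 0:
            continue  # no reply was sent, or the record is malformed
        # src is where the reply went; in a reflection it can be spoofed.
        findings.append({"src": src,
                         "amplification": round(r_bytes / q_bytes, 2)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Any finding means the responder answered a query from outside its own networks; restricting UDP port 5353 to on-link sources should leave the list empty.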