Makes mDNS DDoS amplification attack possible
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
avahi (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Apparently mDNS can be used for DDoS amplification, see for instance https:/
Steps to reproduce:
dig @rusk.hpc2n.umu.se -p 5353 -t ptr _services.
The response is supposedly 2-10 times the size of the query, making for a moderate but noticeable amplification.
Workarounds are easy, but not responding outside localnet by default is probably reasonable for mDNS.
Reproduced on at least trusty and precise, would be very surprised if it didn't also apply to xenial, but I left my xenial laptop at home today. :)
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: avahi-daemon 0.6.30-5ubuntu2.1
ProcVersionSign
Uname: Linux 3.13.0-83-generic x86_64
NonfreeKernelMo
ApportVersion: 2.0.1-0ubuntu17.13
Architecture: amd64
Date: Fri Apr 15 12:12:22 2016
MarkForUpload: True
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: avahi
UpgradeStatus: No upgrade log present (probably fresh install)
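The default suggested in the report above (not responding outside the local network) comes down to a source-address check before a responder answers a query on port 5353. The following is an added example, not Avahi's code and not part of the original report; the network ranges and the flow-record format `(src, query_bytes, response_bytes)` are constructed assumptions.

```python
import ipaddress
import struct

# Constructed example: networks directly attached to the responder's interfaces.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("fe80::/10"),
]


def is_on_link(src, networks=LOCAL_NETWORKS):
    """True if the packet's source address is inside an attached network."""
    addr = ipaddress.ip_address(src)
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def is_query(packet):
    """True if the datagram has a DNS header with QR=0 and at least one question."""
    if len(packet) < 12:
        return False
    _id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    return (flags & 0x8000) == 0 and qdcount > 0


def should_answer(packet, src, networks=LOCAL_NETWORKS):
    """Answer only well-formed queries that arrive from the local link."""
    return is_query(packet) and is_on_link(src, networks)


def audit(flows, networks=LOCAL_NETWORKS):
    """Return (src, amplification) for answered queries from off-link sources.

    flows: iterable of (src, query_bytes, response_bytes) taken from port 5353
    traffic accounting; response_bytes == 0 means no reply was sent.
    """
    return [
        (src, round(resp / query, 1))
        for src, query, resp in flows
        if resp > 0 and query > 0 and not is_on_link(src, networks)
    ]
```

Any entry returned by `audit` is a reply that left the local network, and its ratio is the amplification that sender obtained.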
Thanks for the report.
I was interestingly unable to reproduce this when testing, so I will dig in further and try to determine why.