Bonjour Sleep Proxy service stealing IP addresses?

16932 Views 19 Replies Latest reply: Feb 28, 2010 7:00 PM by Alex Satrapa RSS
irwintillman
Sep 14, 2009 5:22 PM
During September 3-13 I've seen eight Apple devices on our institution's network
steal IP addresses leased to other devices.
All the victims have been Macintosh workstations.

I suspect that the new Bonjour Sleep Proxy service is involved.

The devices that have stolen IP addresses are:
Apple Time Capsule: 5
Apple AirPort Express: 1 (device type not yet confirmed with owner)
Mac running Mac OS X 10.6: 1
Mac running Mac OS X: 1 (device type and OS version not yet confirmed with owner)

If you monitor your network closely enough
to reconcile actual IP address usage (e.g., based on IP ARP cache data) against IP address assignments
(perhaps based on DHCP server logs), you may see this too.

I've not been able to locate published documentation of the Bonjour Sleep Proxy protocol.
(I've already seen the Apple KB article http://support.apple.com/kb/HT3774
providing an overview of the "Wake on Demand" feature, the reference
to "Sleep Proxy Servers" in http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt , and the Sleep Proxy Service patent in http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=7,330,986.PN.&OS=PN/7,330,986&RS=PN/7,330,986 .)

I've opened a bug report with Apple for one of the incidents (in which the thief was a Mac running Mac OS X 10.6);
in that case I was fortunate to have a system.log file from the "thief".
In my bug report I've also mentioned the Apple Time Capsule incidents too.
I'm still trying to retrieve logs from some of the other thieves and victims,
to expand my bug report with more examples.

One detail that's surprising is that one (possibly two) incidents to-date indicate that
the Bonjour Sleep Proxy Server is also present on (at least) some Mac OS X systems.
Apple's published doc to-date indicates that only Apple Time Capsules and
Apple AirPort Base Stations with 802.11n running firmware 7.4.2 provide
that service.

(I also wonder how easy it would be for someone to exploit a Bonjour Sleep Proxy Server
to launch a denial of service attack on the network to which it is attached. Without documentation about the
actual Bonjour Sleep Proxy protocol, I'm only speculating, but it seems these
Bonjour Sleep Proxy Servers accept a message that causes them to "steal" an IP address
for a period of time. What would prevent someone from sending a series of these
messages to a Bonjour Sleep Proxy Server to tell it to steal many IP addresses (on the local
IP network)...or perhaps just the IP address of the network's IP router?)

Irwin Tillman
OIT Network Systems / Princeton University
Mac Pro (early 2008), Mac OS X (10.6.1)
  • LittleSaint Level 4 (2,900 points)
    Everything you've described and documented only shows the Sleep Proxy Service working as designed. It's a part of MulticastDNS which Apple calls Bonjour. From Wikipedia (first hit on Google):

    The Sleep Proxy Service is a component of Multicast DNS, designed to assist in the reduced power consumption of networked electronic devices. A device acting as a Sleep Proxy Server will respond to Multicast DNS queries for another, compatible device which has gone into low power mode. The low power mode device remains asleep while the Sleep Proxy Server responds to any Multicast DNS queries.
    When the Sleep Proxy Server sees a query which requires the low power mode device to wake up, the Sleep Proxy Server sends a special wake-up-packet to the low power mode device. Communication parameters are then updated via Multicast DNS and normal communications proceed.


    So by design, it is answering MulticastDNS queries for other hosts, using their IP addresses, while they are sleeping.

    Message was edited by: LittleSaint
    MacBook, Mac OS X (10.6)
  • LittleSaint Level 4 (2,900 points)
    The protocol used is documented. It's a part of mDNS. If it didn't use the actual IPs with corresponding ARPs, how else would traffic get to the proxy? Sticking the source address in the payload doesn't work because the original sender is expecting a reply from a real host not a proxy.

    Message was edited by: LittleSaint
    MacBook, Mac OS X (10.6)
  • LittleSaint Level 4 (2,900 points)
    Because that's not how mDNS works. The point of the proxy is so the reply appears to the querier as if it comes from the real host, because as mDNS is designed, that's how it is supposed to appear.

    The bigger and more interesting question here is why you have (if you do indeed have) workstations acting as proxies. This function is only supposed to be enabled on Airport stations.
    MacBook, Mac OS X (10.6)
  • Q Lazarus Level 1 (80 points)
    AirPort base stations are usually purchased by home users, perhaps shockingly, for use in the home. If you're maintaining a complex network and need billions of configuration options and total control over everything every router does, your IT purchasing department should probably not be considering the for-dummies version in the first place.

    Prove the attack is possible before you go setting off alarms.
  • Q Lazarus Level 1 (80 points)
    So you allow anyone, anywhere to walk into the building and throw an open WAP on the switch to broadcast your network to the world? Most places I've seen will fire faculty and staff for doing things like that.

    Bonjour's a largely open source project. Check out the sources and see how it works.
  • LittleSaint Level 4 (2,900 points)
    The proxy server should not be running from workstations. That would be my only concern if you are truly seeing such behavior. You should only have one proxy per LAN segment: the access point. Is it possible those syslog messages are mDNS messages from the access point and not internal to the workstation? Are you sure it is the MAC address of the workstation that you see with multiple IP addresses in your ARP snapshots?

    If the proxy assumes IP addresses of sleeping workstations for mDNS, it doesn't really affect regular communication because those workstations wouldn't reply to anything but a wake packet anyway, and the proxy will facilitate that. Turning off Wake-On-Network mitigates this entirely as that also disables any registration with the proxy service. Proper use of DHCP snooping and ARP inspection on your routers mitigates things from an enterprise perspective.

    There isn't a network tool or feature out there that can't also be used for nefarious purposes. You just weigh the pros and cons of each service and design your network and security policies appropriately.

    Message was edited by: LittleSaint
    MacBook, Mac OS X (10.6)
  • LittleSaint Level 4 (2,900 points)
    Depending on your network equipment, you may have switch features that track DHCP leases and the MAC/IP relationships on the LAN. An ARP message that does not match the tracked entry is dropped. Cisco calls this DHCP Snooping and Dynamic ARP Inspection. The Sleep Proxy Service is essentially a type of ARP spoofing, and any measures to mitigate that would most likely also prevent the service from working. It does seem odd that this could run on any workstation as you could really only have one per LAN, but as Q Lazarus pointed out, there's really nothing wrong or "bad" happening here given the design of mDNS, it just looks like it in your logs. So, perhaps there's nothing to mitigate at all because it just works.
    MacBook, Mac OS X (10.6)
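The reconciliation Irwin describes in the opening post (ARP cache data checked against DHCP lease records) and the binding-table comparison LittleSaint attributes to DHCP Snooping and Dynamic ARP Inspection are the same check, done offline from exports rather than on the switch. Below is that check as an added Python example; it is not code from the thread, from Apple, or from any switch vendor. All inputs are constructed: a hypothetical CSV lease export and an `arp -an` snapshot in the format macOS prints (unpadded hex octets, which the script normalises before comparing), with made-up addresses. It flags IPs answered by a MAC other than the lease holder and groups findings by the answering MAC, which is the "one MAC address, many IPs" pattern LittleSaint asks about; on its own it cannot tell a Sleep Proxy answering for a sleeping host apart from any other cause of the same mismatch, so the grouped output is a starting point for looking at what the answering device is.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed DHCP lease export (hypothetical values): ip, mac, lease start, lease end.
SAMPLE_LEASES = """\
10.0.5.21,00:1e:c2:aa:bb:01,2009-09-10 08:00,2009-09-11 08:00
10.0.5.22,00:1e:c2:aa:bb:02,2009-09-10 08:05,2009-09-11 08:05
10.0.5.23,00:1e:c2:aa:bb:03,2009-09-10 08:10,2009-09-11 08:10
10.0.5.30,00:1e:c2:aa:bb:30,2009-09-01 08:10,2009-09-02 08:10
"""

# Constructed 'arp -an' snapshot in macOS format (unpadded octets, one unresolved entry).
SAMPLE_ARP = """\
? (10.0.5.21) at 0:1e:c2:aa:bb:1 on en0 ifscope [ethernet]
? (10.0.5.22) at 0:1a:2b:cc:dd:ee on en0 ifscope [ethernet]
? (10.0.5.23) at (incomplete) on en0 ifscope [ethernet]
? (10.0.5.30) at 0:1a:2b:cc:dd:ee on en0 ifscope [ethernet]
? (10.0.5.99) at 0:1e:c2:aa:bb:99 on en0 ifscope [ethernet]
"""

# Time the constructed ARP snapshot was taken (hypothetical).
SNAPSHOT_TIME = datetime(2009, 9, 10, 12, 0)

Lease = Tuple[str, datetime, datetime]  # (mac, lease start, lease end)

ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]+) ")


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and lowercase, so '0:1e:c2:aa:bb:1' equals '00:1e:c2:aa:bb:01'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_leases(text: str) -> Dict[str, Lease]:
    """Parse the CSV lease export into ip -> (mac, start, end)."""
    leases: Dict[str, Lease] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, start, end = [field.strip() for field in line.split(",")]
        leases[ip] = (
            normalize_mac(mac),
            datetime.strptime(start, "%Y-%m-%d %H:%M"),
            datetime.strptime(end, "%Y-%m-%d %H:%M"),
        )
    return leases


def parse_arp(text: str) -> Dict[str, str]:
    """Parse 'arp -an' output into ip -> normalized MAC; '(incomplete)' entries are skipped."""
    observed: Dict[str, str] = {}
    for line in text.splitlines():
        match = ARP_RE.search(line)
        if match:
            observed[match.group(1)] = normalize_mac(match.group(2))
    return observed


def reconcile(leases: Dict[str, Lease], arp: Dict[str, str], now: datetime) -> List[dict]:
    """Flag every ARP entry whose answering MAC is not the current lease holder of that IP.

    kinds: 'mac-mismatch' (active lease to a different MAC), 'expired-lease'
    (IP answered but its lease is not active at snapshot time), 'no-lease'
    (IP answered but never leased). This is the same comparison a switch makes
    against its DHCP snooping binding table before accepting an ARP packet.
    """
    findings: List[dict] = []
    for ip, answering_mac in sorted(arp.items()):
        lease = leases.get(ip)
        if lease is None:
            findings.append({"ip": ip, "kind": "no-lease", "observed": answering_mac, "leased_to": None})
            continue
        lease_mac, start, end = lease
        if not start <= now <= end:
            findings.append({"ip": ip, "kind": "expired-lease", "observed": answering_mac, "leased_to": lease_mac})
        elif answering_mac != lease_mac:
            findings.append({"ip": ip, "kind": "mac-mismatch", "observed": answering_mac, "leased_to": lease_mac})
    return findings


def repeat_offenders(findings: List[dict], minimum: int = 2) -> Dict[str, List[str]]:
    """Group findings by the answering MAC; a MAC answering for several IPs is the pattern to examine."""
    by_mac: Dict[str, List[str]] = {}
    for finding in findings:
        by_mac.setdefault(finding["observed"], []).append(finding["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= minimum}


def run_sample() -> List[dict]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_leases(SAMPLE_LEASES), parse_arp(SAMPLE_ARP), SNAPSHOT_TIME)


if __name__ == "__main__":
    results = run_sample()
    for finding in results:
        print(f"{finding['ip']:<12} {finding['kind']:<14} answered by {finding['observed']} "
              f"(leased to {finding['leased_to']})")
    for mac, ips in repeat_offenders(results).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

On real data, replace `SAMPLE_LEASES` with an export from the DHCP server and `SAMPLE_ARP` with the router's or a workstation's ARP cache taken at a known time; the lease window check matters because an IP answered by a "wrong" MAC after its lease lapsed is a reassignment, not a conflict, and only entries flagged during an active lease correspond to what the opening post calls a stolen address.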