Abuse of WS-Discovery Protocol Can Lead to Large-Scale DDoS Attacks

abuse-of-ws-discovery-protocol-can-lead-to-large-scale-ddos-attacksSecurity researchers have discovered that attackers can abuse the Web Services Dynamic Discovery (WS-Discovery) protocol to launch massive distributed denial of service (DDoS) campaigns. Security researchers have issued a warning after seeing cybercriminals abuse the WS-Discovery protocol in different DDoS campaigns over the past few months.

The first DDoS campaign using the WS-Discovery protocol was discovered in May by security researcher Tucker Preston, who observed 130 DDoS attacks that reached sizes of over 350 Gbps. The attack subsided over the following months, but reemerged in campaigns on a smaller scale, as reported by ZeroBS. The second wave of attacks reached a maximum of 40 Gbps, involving botnets that used 5,000 devices, most of which were IP cameras and printers.

Technology website ZDNet knew of the protocol's abuse since the initial May discovery, but withheld disclosure lest more cybercriminal groups make use of the protocol for their own DDoS attacks. However, recent months have shown that more cybercriminal groups may have already discovered it on their own. Security researchers are now issuing warnings so potentially affected parties can take precautionary measures.

Despite being a relatively uncommon protocol, ONVIF (a global and open industry forum that facilitates the development and promotion of standardized interfaces for IP-based security products) has been recommending the WS-Discovery protocol for device discovery and plug-and-play interoperability since 2010.

Members of ONVIF include major tech brands that likely followed this recommendation. This could explain how the WS-Discovery protocol has found its way to thousands of devices. According to the web search engine BinaryEdge, approximately 630,000 ONVIF-based devices use the WS-Discovery protocol.

The widespread use of the protocol, combined with several other technical characteristics, makes it an ideal DDoS campaign tool.

WS-Discovery is a multicast discovery protocol used for locating services or nearby devices on a local network. To support inter-device discovery, it uses SOAP (Simple Object Access Protocol) messages over the UDP (User Datagram Protocol) transport protocol.

As a UDP-based protocol, WS-Discovery can allow attackers to conduct typical UDP flood attacks and spoof the packet destination. An attacker can, for example, send a UDP packet with a fake return IP address to a device’s WS-Discovery, so that the device sends a reply to the fake IP address. This allows attackers to redirect traffic to the target of their DDoS campaign.

In addition, WS-Discovery responses can be several times larger than the input it receives. An attacker can use this characteristic to send an initial packet to a device’s WS-Discovery, whose response will be redirected to the DDoS attack target. The target will then receive a packet several times larger than the original packet size.

Threats using common protocols

This isn’t the first time standard protocols exposed devices or systems to attacks. Threats involving protocols have become critical points of defense, since they are closely embedded in devices, systems, and applications. At the same time, protocols can lead to vulnerabilities and attacks from unassuming yet critical devices, which is what happened when radio frequency remote controllers were used to move full-sized machines in construction sites and factories earlier this year.

Communication protocols have also become especially crucial systems that use the internet of things (IoT) and the industrial internet of things (IIoT), where weaknesses and misconfigurations regarding these protocols can lead to more than just exposed records.

[Read: MQTT and CoAP: Security and Privacy Issues in IoT and IIoT Communication Protocols]

Fortunately, the most recent cases of DDoS campaigns using WS-Discovery indicate that the cybercriminals behind it are still figuring out how to utilize the protocol. Internet service providers can implement security measures to block traffic coming from the internet that specifically target the 3702 port on devices inside their network. This measure can help prevent the abuse of these devices in future DDoS campaigns.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.