Some thoughts about WS-Discovery DDoS attacks

Security researchers from Akamai published interesting details about the Web Services Dynamic Discovery (WS-Discovery) protocol, which they say can be abused to launch massive DDoS attacks.

What is WS-Discovery?

WS-Discovery is a multicast protocol that can be used on local networks to “discover” other nearby devices: is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets — hence why it’s sometimes referred to as SOAP-over-UDP.

WS-Discovery is a protocol adopted by ONVIF (an industry group that promotes standardized interfaces for interoperability of networked products): ONVIF members include Axis, Sony, Bosch, and others, and since the mid-2010s, the WS-Discovery is the recommended protocol for device discovery as part of plug-and-play interoperability.

Currently, according to a search on BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol accessible from internet.


Why a WS-Discovery-based DDos is so dangerous?

WS-Discover is an UDP-based protocol, so the packet destination can be spoofed: an attacker can send a UDP packet to a device’s WS-Discovery service with a forged return IP address, and when the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of the DDoS attacks.

Furthermore, the WS-Discovery response is many times larger than the initial input, and this allows attackers to send an initial packet to a WS-Discover device, which bounces the response to the attack victim with a great amplification factor, allowing attackers to launch massive DDoS attacks with limited resources.

According to this analysis by ZeroBS GmbH, common amplification factor was a normal one of up to 10: in the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500.


How to stop a WS-Discovery attack?

According with this post on Akamai’s Blog, “placing blocks on the UDP source port 3702 will prevent the traffic from hitting your servers“:

Cisco style ACLs 
ipv4 access-list [ACCESS-LIST NAME] 1 deny udp any eq 3702 host [TARGET IP] 
ipv4 access-list [ACCESS-LIST NAME] 2 deny udp any host [TARGET IP] fragments
Linux iptables ACL
iptables -A INPUT -i [interface] -p udp -m udp –sport 3702 -j DROP

https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html

References

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.