WS-Discovery Misconfiguration Allows DDoS Amplification

Thousands of internet-connected devices, including printers, cameras, DVRs, and other IoT gadgets, can be used to amplify DDoS (distributed denial-of-service) attacks. These devices are misconfigured to listen for, and respond to, WS-Discovery protocol requests from the internet. WS-Discovery (WSD) is a communications protocol used to automatically discover connected devices inside a network.

Most automated service discovery and configuration protocols, including WSD, were designed for use on local networks. But due to insecure implementations, many devices expose these protocols to the broader internet, and this exposure allows attackers to use the devices for DDoS attacks.

According to a new report by Akamai, bad actors have already started leveraging WSD as a technique to amplify DDoS attacks. Akamai says one of its customers in the gaming industry was hit with a WSD flood peaking at 35 Gbps.

As the report explains the problem, “Since UDP is a stateless protocol, requests to the WSD service can be spoofed. This ultimately causes the impacted server, or service, to send responses to the intended victim, consuming large amounts of the target’s bandwidth. Attacks powered by poorly implemented IoT services are a very common DDoS type, and we’ve seen them leveraged in large attacks before (including the attack against Dyn in 2016). Other common reflection DDoS types have been observed in the past as well, such as the 1.3Tbps attack in 2018 due to memcached.”

The 2018 DDoS attacks the researchers reference used what was, at the time, an obscure method to elicit responses 10,000 times larger than the initial query; theoretically, those responses could be up to 51,000 times the size of the original request. In that attack the amplification source was misconfigured servers running memcached, a database caching system.

DDoS amplification uses machines under an attacker's control to send queries to other devices. By setting the source IP address of those packets to the IP address of the target, the attacker makes the queried servers send their responses to the victim rather than to the attacker's own devices.

According to Ars Technica, “The common thread among WSD, memcached, NTP, and other widely abused amplification vectors is the user datagram protocol. UDP traffic is often described as “stateless” and “connectionless” because all parameters are contained in each packet at the time it is sent. That makes UDP traffic susceptible to forgeries that misidentify the party sending the data. Amplification attacks seize on this weakness. An attacker sends a server or device a large number of queries that replace their true origination location with the IP address of the DDoS target. The device or server then sends the target an equal number of replies that are much, much larger than the spoofed request it just received.”

To mitigate some of the risk, organisations can block UDP source port 3702 at their gateway devices and firewalls. However, the blocked traffic still consumes bandwidth on its way to the firewall and can cause network congestion, meaning complete mitigation will likely require more advanced access control lists.
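The reflection mechanism described above (responses from UDP/3702 that leave the local network, addressed to a host that never really asked) is something a defender can pick out of flow records. The following is an added example, not code from the article or from Akamai or Ars Technica: it parses constructed flow records, flags outbound WSD responses to external destinations, names the local devices that answered from port 3702 (the ones to fix or firewall), and estimates each device's amplification factor from request bytes versus response bytes. The flow format, the 192.0.2.0/24 local prefix, the byte threshold and the sample records are all assumptions made for the example.

```python
"""Find WS-Discovery (WSD) reflection in flow records.

Added example, not from the original article. Assumes flow records in a
constructed CSV-like form: timestamp,proto,src_ip,src_port,dst_ip,dst_port,bytes
and that the monitored local network is 192.0.2.0/24 (an assumption).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

WSD_PORT = 3702                                    # WSD listens on UDP/3702
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local prefix
MIN_REFLECTED_BYTES = 4000                         # alert threshold chosen for the example


@dataclass
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    ts, proto, src, sport, dst, dport, nbytes = line.strip().split(",")
    return Flow(ts, proto, src, int(sport), dst, int(dport), int(nbytes))


def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET


def is_wsd_reflection(flow: Flow) -> bool:
    """A WSD response is UDP from source port 3702; it is reflection when a
    local device sends it to a destination outside the local network."""
    return (flow.proto == "UDP" and flow.src_port == WSD_PORT
            and is_local(flow.src_ip) and not is_local(flow.dst_ip))


def summarize(lines):
    """Return (victims, exposed): external hosts receiving at least
    MIN_REFLECTED_BYTES of reflected WSD traffic, and the local devices
    that answered WSD probes from outside."""
    by_victim = defaultdict(int)
    exposed = set()
    for line in lines:
        f = parse_flow(line)
        if is_wsd_reflection(f):
            by_victim[f.dst_ip] += f.nbytes
            exposed.add(f.src_ip)
    victims = {ip: b for ip, b in by_victim.items() if b >= MIN_REFLECTED_BYTES}
    return victims, exposed


def amplification_by_device(lines):
    """Estimate per-device amplification: bytes a device sent from port 3702
    to external hosts divided by bytes it received on port 3702 from outside."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if f.dst_port == WSD_PORT and is_local(f.dst_ip) and not is_local(f.src_ip):
            req[f.dst_ip] += f.nbytes          # inbound probe from the internet
        elif is_wsd_reflection(f):
            resp[f.src_ip] += f.nbytes         # outbound response
    return {dev: resp[dev] / req[dev] for dev in resp if req.get(dev)}


# Constructed sample flows: two local devices answer probes whose source was
# spoofed as 198.51.100.9 (the victim); two benign flows for contrast.
SAMPLE_FLOWS = [
    "2019-09-04T10:00:01,UDP,198.51.100.9,41234,192.0.2.10,3702,100",
    "2019-09-04T10:00:01,UDP,198.51.100.9,41234,192.0.2.11,3702,100",
    "2019-09-04T10:00:01,UDP,192.0.2.10,3702,198.51.100.9,41234,2800",
    "2019-09-04T10:00:01,UDP,192.0.2.11,3702,198.51.100.9,41234,2900",
    "2019-09-04T10:00:02,UDP,192.0.2.20,49152,239.255.255.250,3702,120",  # local multicast probe
    "2019-09-04T10:00:03,TCP,192.0.2.20,50000,203.0.113.5,443,900",        # ordinary web flow
]

if __name__ == "__main__":
    victims, exposed = summarize(SAMPLE_FLOWS)
    print("victims:", victims)
    print("exposed WSD devices:", sorted(exposed))
    print("amplification:", amplification_by_device(SAMPLE_FLOWS))
```

Run against real flow exports, the `exposed` set is the list of devices to put behind the port-3702 block or to reconfigure, and the amplification estimate tells you how much of the victim's bandwidth each exposed device is contributing; a local-to-local WSD probe (such as the multicast one in the sample) is never flagged, because only responses that cross the network boundary count.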

