
posted by Fnord666 on Wednesday August 28 2019, @09:10AM
from the ddos-amplification-turned-up-to-11 dept.

Submitted via IRC for SoyCow2718

Protocol used by 630,000 devices can be abused for devastating DDoS attacks

Security researchers are sounding the alarm about the Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol, which they say can be abused to launch pretty massive DDoS attacks.

ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.

However, over the past month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.

WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface.

Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, carried in UDP packets, which is why it's sometimes referred to as SOAP-over-UDP.

WS-Discovery is not a common or well-known protocol, but it's been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products.

ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group's standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].

As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. According to internet search engine BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.

There are multiple reasons why the WS-Discovery protocol is so ideal for DDoS attacks.

First off, it's a UDP-based protocol, meaning the sender's address in a packet can be spoofed. An attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic off WS-Discovery devices and aim it at the desired target of their DDoS attacks.

Second, the WS-Discovery response is many times larger than the initial input. This allows attackers to send an initial packet to a WS-Discovery device, which bounces the response to a DDoS attack victim at a multiple of the input's size.

This is what security researchers call a DDoS amplification factor, and this allows attackers with access to limited resources to launch massive DDoS attacks by amplifying junk traffic on vulnerable devices.

In the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500. This is a gigantic amplification factor, considering that most other UDP protocols abused for amplification have factors of up to about 10, on average.
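The two properties just described (a spoofable UDP source and a reply many times larger than the request) are exactly what a network defender can look for in their own traffic. The following is an added example written for this story, not code from ZDNet, ZeroBS or any ONVIF vendor: it pairs each reply a device sends from the WS-Discovery port with the request it answers, computes the reply/request byte ratio (the amplification factor the article discusses), and flags replies going to addresses outside the local network, which means a device on the LAN is being used as a reflector against someone else. It assumes a simplified one-record-per-datagram flow format (constructed below), a LAN of 192.168.0.0/16, and a flagging threshold of 2x; UDP port 3702 and the 239.255.255.250 multicast group are the values defined by the WS-Discovery specification.

```python
"""Spot WS-Discovery (UDP/3702) reflection and amplification in flow records.

Added example written for this story; it is not code from ZDNet, ZeroBS or
any ONVIF vendor. Assumptions: one flow record per UDP datagram (constructed
format below), the site's LAN is 192.168.0.0/16, and a reply at least
min_ratio times the size of the request it answers is worth flagging.
UDP port 3702 and the 239.255.255.250 multicast group come from the
WS-Discovery specification.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WSD_PORT = 3702
WSD_MULTICAST = "239.255.255.250"
LOCAL_NETS = [ip_network("192.168.0.0/16")]  # constructed: this site's LAN


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int    # UDP payload length


# Constructed sample traffic. 203.0.113.10 plays the spoofed "victim": the
# probe that appears to come from it was really sent by an attacker, and the
# camera at 192.168.1.20 obligingly answers the victim with a much larger
# reply. The second exchange is a normal LAN probe to the multicast group,
# answered by the same camera at the same 8x ratio but staying on the LAN.
SAMPLE_FLOWS = [
    Flow(1.00, "203.0.113.10", 40000, "192.168.1.20", WSD_PORT, 410),
    Flow(1.05, "192.168.1.20", WSD_PORT, "203.0.113.10", 40000, 3280),
    Flow(2.00, "192.168.1.50", 50123, WSD_MULTICAST, WSD_PORT, 410),
    Flow(2.05, "192.168.1.20", WSD_PORT, "192.168.1.50", 50123, 3280),
]


def is_local(addr):
    """True for addresses WS-Discovery traffic may legitimately involve:
    the site's own LAN ranges and the discovery multicast group."""
    a = ip_address(addr)
    return a.is_multicast or any(a in net for net in LOCAL_NETS)


def find_reflections(flows, min_ratio=2.0, window=5.0):
    """Pair every reply a device sends from port 3702 with the most recent
    request from the same peer address/port, and report those whose
    reply/request byte ratio (the amplification factor) reaches min_ratio.
    Replies to peers outside the LAN are marked external: a device here is
    answering probes for the internet at large and can be used as a reflector."""
    pending = {}   # (peer_ip, peer_port) -> last request Flow from that peer
    findings = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport == WSD_PORT:
            # A probe (unicast to a device or multicast to the group).
            pending[(f.src, f.sport)] = f
        elif f.sport == WSD_PORT:
            # A reply: match it to the probe that asked for it.
            req = pending.get((f.dst, f.dport))
            if req is None or f.ts - req.ts > window:
                continue
            ratio = f.nbytes / req.nbytes
            if ratio >= min_ratio:
                findings.append({
                    "device": f.src,
                    "peer": f.dst,
                    "ratio": round(ratio, 2),
                    "external": not is_local(f.dst),
                })
    return findings


def external_reflectors(flows, **kw):
    """LAN devices that answered WS-Discovery probes for peers outside the
    LAN. These are the hosts to firewall (drop UDP/3702 at the edge) or to
    take off the public internet altogether."""
    return sorted({f["device"] for f in find_reflections(flows, **kw) if f["external"]})


if __name__ == "__main__":
    for finding in find_reflections(SAMPLE_FLOWS):
        print(finding)
    print("reflectors serving external peers:", external_reflectors(SAMPLE_FLOWS))
```

On the constructed sample both exchanges show an 8x amplification, but only the first is reported as external. The LAN-internal one is ordinary discovery and is not a problem; the external one is the signature of the abuse described in the article, and the fix on the defender's side is to stop WS-Discovery from crossing the network edge (drop UDP/3702 inbound and outbound at the border) and to keep ONVIF devices off publicly routable addresses. Real flow exporters won't give you per-datagram records in exactly this shape, so adapt the `Flow` mapping to whatever NetFlow/IPFIX or packet-capture source you have.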

The good news is that there have been very few WS-Discovery DDoS attacks with amplification factors of 300 or 500, which appear to be the oddity, rather than the norm.

According to ZeroBS GmbH, a cyber-security firm that's been tracking the recent wave of WS-Discovery DDoS attacks that have taken place this month, the more common amplification factor was an ordinary one of up to 10.

Nonetheless, a proof-of-concept script for launching WS-Discovery DDoS attacks published on GitHub in late 2018 claims it can achieve amplification factors between 70 and 150 [ZDNet will not be linking to the script, for obvious reasons], so there is still a danger that a sophisticated threat actor will eventually weaponize this protocol to its full potential.

(Score: 2, Insightful) by Anonymous Coward on Wednesday August 28 2019, @10:04AM (#886720)

    ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.

    Maybe your ethics are actually stupid.