posted by Fnord666 on Wednesday August 28 2019, @09:10AM
from the ddos-amplification-turned-up-to-11 dept.

Submitted via IRC for SoyCow2718

Protocol used by 630,000 devices can be abused for devastating DDoS attacks

Security researchers are sounding the alarm about the Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol, which they say can be abused to launch pretty massive DDoS attacks.

ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.

However, during the past month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.

WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface.

Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets -- which is why it's sometimes referred to as SOAP-over-UDP.

WS-Discovery is not a common or well-known protocol, but it's been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products.

ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group's standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].

As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. According to internet search engine BinaryEdge, there are currently nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.

There are multiple reasons why the WS-Discovery protocol is so ideal for DDoS attacks.

First off, it's a UDP-based protocol, meaning the packet's return address can be spoofed. An attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic off WS-Discovery devices and aim it at the desired target of their DDoS attacks.

Second, the WS-Discovery response is many times larger than the initial input. This allows attackers to send an initial packet to a WS-Discovery device, which bounces the response to a DDoS attack victim at multiple times its initial size.

This is what security researchers call a DDoS amplification factor, and this allows attackers with access to limited resources to launch massive DDoS attacks by amplifying junk traffic on vulnerable devices.

In the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500. This is a gigantic amplification factor, taking into account that most other UDP protocols have similar factors of up to 10, on average.

The good news is that there have been very few WS-Discovery DDoS attacks with amplification factors of 300 or 500, which appear to be the oddity, rather than the norm.

According to ZeroBS GmbH, a cyber-security firm that's been tracking the recent wave of WS-Discovery DDoS attacks that have taken place this month, the more commonly observed amplification factor was a normal one of up to 10.

Nonetheless, a proof-of-concept script for launching WS-Discovery DDoS attacks published on GitHub in late 2018 claims it can achieve amplification factors between 70 and 150 [ZDNet will not be linking to the script, for obvious reasons], so there is still a danger that a sophisticated threat actor will eventually weaponize this protocol to its full potential.

Original Submission

  • (Score: 5, Interesting) by Hyperturtle (2824) on Wednesday August 28 2019, @02:29PM (#886802)

    Oh this is common and very well used. So well used people don't even know it's there, unless you're a person that looks under the hood and tries to figure out what all this noise is on the network and why it is so hard to control the hardware now.

    This is one of the many things introduced into new OSes that were advertised as more secure, more private, easier and better for consumers because Cloud Enabled with syncing, etc. I think it started with Vista but gained a lot of ground after Windows 7 came out. It adds a whole lot of noise to packet captures... and often is not useful to anyone that wants to assert actual control over the network, you know, in an effort to prevent outcomes like the article describes. Convenience is the enemy a lot of the time, you know. Ignorance is a close second because Convenience enables Ignorance, and without the convenience, we just might have fewer security issues... but I have digressed...

    I have tried to avoid this method of resource discovery on nearly everything I can that I own or manage; rarely is it useful for me and often it just causes problems because I seem to be unorthodox in how I manage hardware (I give non-computers on the network static IPs or, if I am motivated, DHCP MAC address reservations). This causes issues with some hardware that wants to forcibly mate, or infect, machines found on the network and happily interface with things I don't want to talk to it. Yeah, those packets are dropped if not intended for the workstation, but it's the principle of the matter. Dumbing it down doesn't help people looking for an intelligent network they can trust to remain secure...

    WSD, at first for me at least, pretty much felt like a way to forcefully end older client and server OS connectivity by forcing a different, preferred by the OS way to find machines and file shares, and if you tried to secure devices using WSD to not do so, they "disappeared" from the network because other systems using WSD would simply not use NETBIOS or DNS or something to look up things instead. They just assumed the printer or whatever didn't exist, and presented no hints as to any other outcome. By applying security in mixed topologies like this, someone keeping up with security threats looks more like a doofus that doesn't know what he's doing because the executives say stuff works at home and their kid set it up. Even though the situations have changed over the years, it's still the same as far as that goes.

    Security standards that are old, that I still *try* to adhere to, generally suggest that a device should not be soliciting data automatically to something that you don't know about--someone shouldn't be able to plug a device into the network that can respond to WSD queries and cause these issues because convenience is more important, but it's never too late to blame the victim for not securing their hardware. I don't expect Vista and Windows 7 to get updates to completely change the way they look for network resources (I mean--they did--when they received WSD--but what the lord giveth in this case will likely be an upgrade to windows desktop subscription services, as opposed to taking the protocol away and implementing a more secure approach.)

    This is a protocol mostly resulting from a concerted effort to keep people ignorant and take control away from those that are trying to understand what is going on with their hardware or network. It isn't a nefarious approach to things, it is almost like a concession that even USB cables proved to be too complicated or not long enough for people and where they want the printer to sit, that networks are too hard for people and default IP addresses conflicted too much because too many vendors kept using the same default IPs and it started to cost a lot in helpdesk calls to help resolve conflicts that people didn't understand because it was made so easy it was hard to fix. And that wizards demanded too many multiple choice answers sometimes and that caused stress that could be avoided if everything could see each other on the same network segment.

    I don't want to say it's like Apple's "Bonjour" for anyone familiar with it, but there are similarities in the approach, if not exactly how it all works. More network noise in any event.

    The fact it can be abused isn't surprising news, what's news is that someone figured out a lowest common denominator way to abuse it now that the WSD protocol has grown largely unchecked. And now they are making money selling that abuse potential, also profiting from continued ignorance about the protocol that comes enabled as part of the OS install. Just think of it as a wizard protocol on the network, I guess, but now the wizard is offering bad advice, too. I mostly have tried to avoid and suppress it for my stuff at least (since I want to keep control...), but it's a fact of life due to the continuing dumbing down of user hardware--mostly printers and streaming devices, stuff like that have hard to use control panels if any at all.

    In most cases, the traffic stays local, but if a WSD device is compromised and starts instructing hardware to send out unicast traffic, then it's no different than any other orbiting ion cannons or IoT problems we've heard of before--just another way to easily do the same thing, mostly due to catering to ignorance because wizards became too hard*

    *I might be biased... someone else might have a more positive spin on the protocol.
