Misconfigured WS-Discovery in devices enables massive DDoS amplification

Researchers were able to achieve amplification rates of up to 15,300%. Some mitigations are possible.

Hundreds of thousands of devices can be abused to amplify distributed denial-of-service (DDoS) attacks because they are misconfigured to listen and respond to WS-Discovery protocol requests over the internet. Web Services Dynamic Discovery (WS-Discovery or WSD) is a UDP-based communications protocol used to automatically discover web-based services inside networks. It’s been used by printers, cameras and other types of devices for over a decade, including by various Windows features starting with Windows Vista.

Most automated service discovery and configuration protocols, including UPnP (Universal Plug and Play), SSDP (Simple Service Discovery Protocol), SNMP (Simple Network Management Protocol) and WSD, were designed for use on local networks. However, many devices come with insecure implementations that expose these protocols to the internet, allowing attackers to abuse them in DDoS reflection and amplification attacks.

What is DDoS reflection?

Unlike TCP, UDP does not perform any IP source validation, which makes most UDP-based protocols vulnerable to IP spoofing by default. In turn, this allows attackers to hide the source of DDoS traffic by “reflecting” it through machines that respond over such protocols.

The way DDoS reflection works is this: From machines under their control, attackers send queries to other servers over a UDP-based protocol and set the source IP address inside packets to be the IP address of their intended victim. This causes the queried servers to send their responses to the victim, instead of back to the attackers’ machines.

DDoS reflection is particularly powerful when the generated responses are larger than the original requests, because it allows attackers to amplify their available bandwidth. For example, an attacker with control over ten machines can send requests to 100 devices with a vulnerable UDP-based service exposed to the internet. In turn, those devices send large responses to the victim due to IP spoofing, so the victim receives a larger number of malicious packets from 100 neutral machines instead of the ten the attacker controls.

WSD is a serious threat

In a new report published today, researchers from Akamai warn that attackers have already started abusing WSD as a DDoS amplification technique and are ramping up their attacks. In one case, an Akamai customer from the gaming industry was hit with a WSD flood that peaked at 35 Gbps.

“Additional research into WSD protocol implementations on devices across the Internet raised grave concerns, since the SIRT [Security Intelligence Response Team] was able to achieve amplification rates of up to 15,300% of the original byte size,” the Akamai researchers said in their report. “This places WSD in fourth place on the DDoS attacks leaderboard for highest reflected amplification factor.”

Akamai’s SIRT studied the WSD protocol as well as various implementations found in devices and discovered ways for attackers to significantly reduce their initial request payloads to trigger responses with huge amplification factors. For example, a standard WSD probe is 783 bytes, but Akamai’s researchers managed to reduce it to 170 bytes and still trigger a valid WSD response of 3,445 bytes.

They didn’t stop there. It turns out that it’s more profitable for attackers to send malformed payloads that would trigger WSD errors. These error responses are not as large as valid probe responses, but there are methods to enlarge them and the requests that trigger them are significantly smaller than valid probes -- 29 and even 18 bytes for some vulnerable implementations found in around 2,151 devices from a certain manufacturer.

While the pool of devices that can be abused with the 18-byte attack is quite small, the pool of devices exposed to the internet that respond to the 29-byte payloads is much bigger. In such a scenario, an attacker with a 100-Mbps connection would be able to send 420,000 requests per second with the 29-byte payload triggering 2,599-byte responses and generating an attack of 8.73 Gbits at an 8,900% amplification rate. “Get 10 nodes, and this can turn into an 87Gbps attack,” the Akamai researchers warned.

Even with valid probes and lower amplification factors, the WSD technique still poses a serious threat, since Akamai identified 802,115 devices on the internet that respond back to WSD probes with a 193% median amplification factor. Many of the devices are CCTV cameras and digital video recorders.

Mitigation for the WSD technique

Organizations can block UDP source port 3702 in their gateway devices and firewalls to prevent unsolicited WSD traffic from reaching their servers. However, the traffic can still congest the bandwidth available on their router. So, complete mitigation requires enforcing access control lists (ACLs) to block traffic from known devices with WSD exposed. DDoS mitigation providers are likely to maintain such lists, just like they do for devices with vulnerable DNS, NTP, SNMP, UPnP and other services that can be abused for DDoS reflection and amplification.
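
As an added example (not taken from the Akamai report or from this article), the following check runs over flow records and separates the two perimeter conditions discussed above: WSD replies arriving from many internet hosts at one internal address, and internal devices answering internet hosts from UDP port 3702. The flow tuple layout, the `10.0.0.0/8` internal range, the `min_sources` threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # UDP port WS-Discovery listens and replies on

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 3702, "10.0.0.20", 41000, "udp", 2599),
    ("198.51.100.9", 3702, "10.0.0.20", 41000, "udp", 2599),
    ("203.0.113.44", 3702, "10.0.0.20", 41000, "udp", 3445),
    ("10.0.5.31", 3702, "192.0.2.80", 53211, "udp", 2599),   # internal camera replying outward
    ("10.0.5.31", 3702, "10.0.5.2", 50122, "udp", 3445),     # LAN-only discovery, expected
    ("203.0.113.44", 443, "10.0.0.20", 51514, "tcp", 1200),  # unrelated traffic
]

def _internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify_wsd_flows(flows, internal_cidrs, min_sources=3):
    """Return (victims, reflectors) for WSD traffic that crosses the perimeter.

    victims:    internal hosts receiving UDP source-port-3702 traffic from at
                least min_sources distinct external addresses.
    reflectors: internal hosts that sent UDP source-port-3702 traffic to an
                external address, i.e. devices with WSD exposed to the internet.
    """
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0})
    reflectors = defaultdict(int)
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport != WSD_PORT:
            continue
        src_in, dst_in = _internal(src, nets), _internal(dst, nets)
        if not src_in and dst_in:        # WSD replies arriving from the internet
            inbound[dst]["sources"].add(src)
            inbound[dst]["bytes"] += nbytes
        elif src_in and not dst_in:      # our device answering an internet host
            reflectors[src] += nbytes
    victims = {d: {"sources": len(v["sources"]), "bytes": v["bytes"]}
               for d, v in inbound.items() if len(v["sources"]) >= min_sources}
    return victims, dict(reflectors)

if __name__ == "__main__":
    victims, reflectors = classify_wsd_flows(SAMPLE_FLOWS, ["10.0.0.0/8"])
    print("possible WSD flood targets:", victims)
    print("internal hosts exposing WSD:", reflectors)
```

WSD traffic that stays inside the internal range is ignored on purpose, since the protocol is expected on the LAN; only flows crossing the perimeter are reported.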

“WSD suffers from the same problem we’ve seen time and time again,” the Akamai researchers said. “WSD was designed and intended to be a LAN-scoped technology. It was never meant to live on the internet. As manufacturers pushed out hardware with this service (improperly) implemented, and users deployed this hardware across the Internet, they’ve inadvertently introduced a new DDoS reflection vector that has already begun to see abuse.”

“The only thing we can do now is wait for devices that are meant to have a 10- to 15-year life to die out and hope that they are replaced with more secured versions,” they said.
