New DDoS Amplification Vector WS Discovery Protocol
A new attack vector was identified in the first half of 2019. Attackers have been abusing the Web Services Discovery (WS-Discovery, WS-DD or WSD) protocol since the middle of the year.* It is a multicast discovery protocol for locating LAN services. Communication is carried out using SOAP via UDP on the source port 3702. The standard was published in 2005.
As of October 2019, the new vector already seems to have become a well-established tool for DDoS criminals and booter services. During the aggressive and high-volume DDoS attacks in the name of Fancy Bear, WS Discovery was repeatedly registered as a reflection vector.
The amplification method has the potential to cause major damage.The resulting amplification factor can peak at up to 100 times the original attack. For comparison: DNS has an amplification factor of 28 to 54, CLDAP of 56 to 70. Previously registered attacks using WSD have achieved bandwidth peaks of over 100 Gbps.
Hundreds of thousands of IP addresses with WS Discovery services worldwide, such as cameras and printers, are unprotected and can be misused for attacks. To minimize the security risk, the LSOC recommends disabling the WSD protocol and blocking it in Windows Firewall.
This is not the first time that DDoS attackers have rediscovered established, long-standing protocols. Attackers constantly identify new vulnerabilities and open services that can be misused for overload attacks. Recent Memcached and CLDAP attacks have shown that IT administrators are constantly faced with new attack techniques.
* zero.bs: New DDoS Attack-Vector via WS-Discovery/SOAPoverUDP, Port 3702, 16.08.2019
Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.
Follow Link11 on Twitter
We had a great time at Wisdom of Crowds 2019 in London sharing our vision and ideas with other industry leaders and…
4 Retweets 2Read More
That was a great first day at IT-SA in Nuremberg! Today, we talked to Lasse Berger from Bayerischer Rundfunk about…
1 Retweets 2Read More
We are having a great time at it-sa - The IT Security Expo and Congress with Link11 COO Marc Wilczek on stage, tal…
2 Retweets 1Read More
Cybersecurity incidents are expected to rise by an alarming 70% by 2024. As the world is going digital, criminal ac…
0 Retweets 0Read More
Meet the team! Visit our booth (10.0-413) at it-sa 2019 from October 8-10 in Nuremberg and talk to our experts!…
1 Retweets 3Read More