New DDoS Amplification Vector WS Discovery Protocol
A new attack vector was identified in the first half of 2019. Attackers have been abusing the Web Services Discovery (WS-Discovery, WS-DD or WSD) protocol since the middle of the year.* It is a multicast discovery protocol for locating LAN services. Communication is carried out using SOAP via UDP on the source port 3702. The standard was published in 2005.
As of October 2019, the new vector already seems to have become a well-established tool for DDoS criminals and booter services. During the aggressive and high-volume DDoS attacks in the name of Fancy Bear, WS Discovery was repeatedly registered as a reflection vector.
The amplification method has the potential to cause major damage.The resulting amplification factor can peak at up to 100 times the original attack. For comparison: DNS has an amplification factor of 28 to 54, CLDAP of 56 to 70. Previously registered attacks using WSD have achieved bandwidth peaks of over 100 Gbps.
Hundreds of thousands of IP addresses with WS Discovery services worldwide, such as cameras and printers, are unprotected and can be misused for attacks. To minimize the security risk, the LSOC recommends disabling the WSD protocol and blocking it in Windows Firewall.
This is not the first time that DDoS attackers have rediscovered established, long-standing protocols. Attackers constantly identify new vulnerabilities and open services that can be misused for overload attacks. Recent Memcached and CLDAP attacks have shown that IT administrators are constantly faced with new attack techniques.
* zero.bs: New DDoS Attack-Vector via WS-Discovery/SOAPoverUDP, Port 3702, 16.08.2019
Current articles
Stay updated on current DDoS reports, warnings, and news about IT security, cybercrime and DDoS protection.
Follow Link11 on Twitter
RT @MarcWilczek: Distributed disruption: Coronavirus multiplies the risk of severe cyberattacks https://t.co/ReevZfLkfj #DDoS #Cybercrime…
1 Retweets 0
Read MoreRT @cloudfest: Ready to get innovative on #cybersecurity with @MarcWilczek from @Link11GmbH? He invites you to #CloudFest 2021! Join the re…
5 Retweets 0
RT @MarcWilczek: We’ve just remotely completed the 2021 Kick Off @Link11GmbH. New regions, new people, new products, and new clients. No…
7 Retweets 0
Allianz: More than 600 million Euros in losses due to Cyber-Extortion via #DDoS Attacks and #Ransomware.…
2 Retweets 0
Read MoreWhat does the end of the Privacy Shield means really for CDN users? Things have changed dramatically regarding data…
1 Retweets 2
Read MoreRT @CSOonline: How #DDoS attacks are evolving — Denial-of-service attacks have been part of the criminal toolbox for 20 years, and they’re…
8 Retweets 0
DDoS attacks and ransomware lead to increasing losses from cyber extortion. Our new blog article takes a detailed l…
3 Retweets 0
Read MoreRT @MarcWilczek: The average cost of a #databreach equals $116 million. Sensitivity of customer information and time-to-detection determine…
11 Retweets 0
Our COO Marc Wilczek takes a look at the current security situation and explains why the threat is not only omnipre…
3 Retweets 1
Read MoreRT @MarcWilczek: 639 #cybersecurity breaches at public comps analyzed, #malware (34%), #phishing (25%), & unauthorized access (20%) were th…
5 Retweets 0
RT @MarcWilczek: #Link11 keeps hiring and expanding. With great pleasure, I want to warmly welcome both Susan Herrmann and Peter Hoeld on b…
6 Retweets 0