New DDoS Amplification Vector WS Discovery Protocol

A new attack vector was identified in the first half of 2019. Attackers have been abusing the Web Services Discovery (WS-Discovery, WS-DD or WSD) protocol since the middle of the year.* It is a multicast discovery protocol for locating LAN services. Communication is carried out using SOAP via UDP on the source port 3702. The standard was published in 2005.

As of October 2019, the new vector already seems to have become a well-established tool for DDoS criminals and booter services. During the aggressive and high-volume DDoS attacks in the name of Fancy Bear, WS Discovery was repeatedly registered as a reflection vector.

The amplification method has the potential to cause major damage.The resulting amplification factor can peak at up to 100 times the original attack. For comparison: DNS has an amplification factor of 28 to 54, CLDAP of 56 to 70. Previously registered attacks using WSD have achieved bandwidth peaks of over 100 Gbps.

Hundreds of thousands of IP addresses with WS Discovery services worldwide, such as cameras and printers, are unprotected and can be misused for attacks. To minimize the security risk, the LSOC recommends disabling the WSD protocol and blocking it in Windows Firewall.

This is not the first time that DDoS attackers have rediscovered established, long-standing protocols. Attackers constantly identify new vulnerabilities and open services that can be misused for overload attacks. Recent Memcached and CLDAP attacks have shown that IT administrators are constantly faced with new attack techniques.

* zero.bs: New DDoS Attack-Vector via WS-Discovery/SOAPoverUDP, Port 3702, 16.08.2019