Posted on September 20, 2019 at 3:49 AM
Akamai Unveils Fourth-Largest DDoS Exploit That Uses the WSD Vulnerability
On Wednesday, researchers at the Akamai company unveiled what is believed to be the fourth most prominent DDoS (Distributed Denial of Service) attack that it has ever discovered, via the dreaded WSD (WS Discovery) exploit through the UDP protocol.
WSD is a connectivity technology found on consumer devices of several kinds. As it turns out, and per information provided by Akamai Security Intelligence Response Team Engineer Jonathan Respeto, it targeted an Akamai client in the gaming world.
Investigators and specialists on the matter explained that any offense that targets networks while taking advantage of the WDS vulnerability could be devastating, as it could reach amplification rates of more than 15,000 percent of its initial byte size.
The WS Discovery
WS Discovery’s probes are often implemented by machines present on a LAN as a resource to discover and configure specific services and devices. For example, if you have ever wondered how does a Windows computer to spot and set up a printer connected to a network, it is through the WSD.
However, the WSD is prone to be used by attackers for malicious objectives, because it triggers an XML error response from WSD. This can be achieved if the cybercriminals or bad actor sends a 29-byte malformed payload, per the Akamai report.
The publication stresses that sometimes, all that is needed is an 18-byte payload, which has a probe that is 43% smaller than the regular one and 900% smaller than the minimum one that is considered valid. Granted, it would trigger a smaller reply, but it also comes with a huge amplification ratio that is just as dangerous.
Akamai explains that using a padding overflow approach would pad the error response to 2,762 bytes, enough to multiply the amplification factor and take it to 15,300 percent. Respeto said that several hackers have started leveraging the WSD to power up their DDoS attacks.
An Omnipresent Threat
Yet, the real factor that makes the WSD so dangerous and hard to stop is that the technology behind it is omnipresent and can be found in lots of internet-connected devices, operating systems, HP printers, and other appliances. Recently, it was reported that more than 600,000 devices use the technology, which means that a broad universe of machines could be threatened by a potential DDoS attack.
Another cause for concern is that it is very easy to exploit the WSD by poor implementation before WSD wasn’t originally destined to hit the web. In fact, it was born prior to the digital, Internet-centric era.
Companies started to manufacture hardware with the poorly implemented service, but what anybody was counting on was the fact that users, after acquiring the appliances and devices, were going to deploy them all around the web. Without knowing it, they introduced a new threat in the form of a DDoS reflection vector, according to Respeto.
Respeto kept on warning the Internet community, saying that WSD-leveraged attacks can be devastating and the hackers don’t require much in terms of resources to perpetrate an offensive towards an entity.
A Stateless Protocol
A targeted victim can see its bandwidth abused by a WSD-centered attack because requests to the WSD service are able to be spoofed, given that UDP is a stateless protocol. If spoofed, the affected server will send replies that will collapse the whole system.
According to what Akamai told Threatpost, the approach is widely used and has affected users of some high-profile sites in the past, such as GitHub, Spotify, Twitter, and others.
Although the WSD-related vulnerability has existed for quite some time, now hackers and cybercriminals around the world are aware of the fact that they can leverage the technology to perform large-scale DDoS attacks.
The scariest part is that companies can’t do much to avoid the situation: per Respeto, they can only patiently wait for vulnerable devices that have a lifespan of 10 to 15 years to slowly disappear and hope that the next batch that replaces them is safer.
