Posted on August 29, 2019 at 5:57 AM
Yet another security alarm has been raised by researchers and specialists in the industry, as the newly spotted abuse of the Web Services Dynamic Discovery protocol (WS-Discovery, WS-DD or simply WSD) is currently being used by cybercriminals to perform devastating Distributed Denial of Service (DDoS) attacks.
According to ZDNet, the publication has known about the abuse of the protocol since May, when it first learned about it. WSD was already being used to perform DDoS attacks at the time, but the outlet didn't publish anything to avoid promoting a threat that was still under the radar.
The Web Services Dynamic Discovery
But the situation has changed. As of August, several malicious groups are abusing the protocol, and DDoS attacks based on Web Services Dynamic Discovery are becoming increasingly common and dangerous.
Web Services Dynamic Discovery is defined as a multicast protocol. It is used on local networks to discover nearby devices that can communicate through a specific interface or protocol.
More specifically, WS-Discovery supports inter-device discovery using the SOAP messaging format carried in UDP packets, which is why some people refer to it as SOAP-over-UDP.
WSD isn't a particularly common protocol, but a prominent association recently adopted it: ONVIF, a group that promotes standardized interfaces to make networked goods and products interoperable.
Some of the best-known members of ONVIF are Bosch, Axis and Sony, among many others. Those brands use ONVIF's standards as the basis of the products they offer. The association has recommended the WS-Discovery protocol since the middle of the current decade as an important part of its plug-and-play interoperability.
Present in Several Devices
As more companies try to standardize their products and operations, the WS-Discovery protocol has found its way into numerous products, including IP cameras, home appliances, printers, DVRs and other devices.
Right now, though, the protocol is reachable on approximately 630,000 ONVIF-based devices, according to data from the internet search engine BinaryEdge, which means that all of them can be abused in DDoS attacks.
A DDoS attack, for reference, is an event in which a network or device is rendered unusable because it has been flooded with traffic from many IP addresses. The servers involved collapse under the superfluous requests, and the network or device stops performing even the most basic operations.
Why Is It Prone to DDoS Attacks?
The WS-Discovery protocol is ideal for DDoS attacks for several reasons. One of them is that it is based on UDP, which usually means the packet's source address can be spoofed. An attacker can simply send a UDP packet to a device's WS-Discovery service with a forged return IP address, and when the device sends its response, it will send it to that forged address. That lets attackers reflect traffic off WSD devices and direct it at whatever target they choose.
Another reason is that the WSD reply is several times bigger than the original request, so an attacker can send a small initial packet to a WS-Discovery device, which in turn bounces a response several times larger to the target of the DDoS attack. This is known as the DDoS amplification factor, and it is extremely dangerous because it lets attackers multiply the magnitude of their attacks.
The protocol has been associated with DDoS attacks with amplification factors of 300 or 500, a monstrous figure given that other UDP protocols often top out at around 10. However, DDoS attacks of that power have been rare.
The threat remains, given that a proof-of-concept script for launching DDoS attacks that appeared on GitHub last year claims to achieve amplification factors of 70 to 150. That is more than enough to turn the protocol into a weapon.
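The reflection pattern described above (a small probe in, a much larger reply out to an address outside the LAN) is something a network owner can spot in their own flow records. The following is an added example, not code from the article or from any vendor; it assumes constructed flow records in a simple tuple form and relies on WS-Discovery's well-known port assignment, UDP/3702, which the article does not mention.

```python
"""Flag devices acting as WS-Discovery reflectors from flow records."""
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery listens on UDP/3702 (standard port, not from the article)

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.9", 40000, "192.0.2.10", WSD_PORT, 60),    # probe from outside the LAN
    ("192.0.2.10", WSD_PORT, "203.0.113.9", 40000, 2400),  # camera's reply, 40x larger
    ("203.0.113.9", 40001, "192.0.2.11", WSD_PORT, 60),
    ("192.0.2.11", WSD_PORT, "203.0.113.9", 40001, 900),   # 15x larger
    ("192.0.2.5", 50000, "192.0.2.10", WSD_PORT, 300),     # ordinary local discovery
    ("192.0.2.10", WSD_PORT, "192.0.2.5", 50000, 320),
]


def wsd_pair_ratios(flows):
    """Map (device, peer) -> (bytes_in, bytes_out, ratio) for UDP/3702 exchanges."""
    bytes_in = defaultdict(int)   # probe bytes arriving at the device's WSD port
    bytes_out = defaultdict(int)  # reply bytes leaving the device's WSD port
    for src, sport, dst, dport, size in flows:
        if dport == WSD_PORT:
            bytes_in[(dst, src)] += size
        elif sport == WSD_PORT:
            bytes_out[(src, dst)] += size
    result = {}
    for key in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[key], bytes_out[key]
        ratio = o / i if i else float("inf")  # replies with no observed probe
        result[key] = (i, o, ratio)
    return result


def find_reflectors(flows, internal_net, threshold=10.0):
    """Return {device: worst_ratio} for devices answering probes from outside
    internal_net with replies at least `threshold` times the probe size: the
    pattern that turns a camera or printer into an amplifier for a spoofed victim."""
    net = ipaddress.ip_network(internal_net)
    hits = {}
    for (device, peer), (_i, _o, ratio) in wsd_pair_ratios(flows).items():
        if ipaddress.ip_address(peer) in net:
            continue  # local discovery traffic is expected
        if ratio >= threshold:
            hits[device] = max(hits.get(device, 0.0), ratio)
    return hits


if __name__ == "__main__":
    for dev, ratio in find_reflectors(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(f"{dev}: replying to external probes at {ratio:.0f}x, restrict UDP/{WSD_PORT} at the edge")
```

Devices that show up here should have UDP/3702 blocked from the internet at the perimeter, since discovery only has a purpose on the local segment.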