Attackers can abuse the Web Services Dynamic Discovery (WS-Discovery) protocol to launch massive distributed denial of service (DDoS) campaigns, researchers said.
Warnings went out after researchers saw attackers abuse the WS-Discovery protocol in several DDoS campaigns over the past few months, according to a report from Trend Micro.
The first DDoS campaign using the WS-Discovery protocol was discovered in May by security researcher Tucker Preston, who observed 130 DDoS attacks that reached sizes of over 350 Gbps. The attack subsided over the following months, but reemerged in campaigns on a smaller scale, as reported by ZeroBS.
The second wave of attacks reached a maximum of 40 Gbps, involving botnets that used 5,000 devices, most of which were IP cameras and printers.
Technology website ZDNet had been aware of the protocol’s abuse since the initial May discovery, but withheld disclosure so as not to show other cybercriminal groups how the protocol could be used for their own DDoS attacks. However, more cybercriminal groups may have already discovered it on their own. Security researchers are now issuing warnings so potentially affected parties can take precautionary measures.
Although WS-Discovery is a relatively uncommon protocol, ONVIF (a global and open industry forum that facilitates the development and promotion of standardized interfaces for IP-based security products) has been recommending it for device discovery and plug-and-play interoperability since 2010, according to the Trend Micro report.
Members of ONVIF include major tech brands that likely followed this recommendation. This could explain how the WS-Discovery protocol has found its way to thousands of devices. According to the web search engine BinaryEdge, approximately 630,000 ONVIF-based devices use the WS-Discovery protocol.
The widespread use of the protocol, combined with several other technical characteristics, makes it an ideal DDoS campaign tool.
WS-Discovery is a multicast discovery protocol used for locating services or nearby devices on a local network. To support inter-device discovery, it uses SOAP (Simple Object Access Protocol) messages over the UDP (User Datagram Protocol) transport protocol.
Because WS-Discovery runs over UDP, attackers can use it for typical UDP flood attacks and spoof the packet’s source address. An attacker can, for example, send a UDP packet with a fake return IP address to a device’s WS-Discovery service, so the device sends its reply to that fake address. This lets attackers redirect traffic to the target of their DDoS campaign.
In addition, WS-Discovery responses can be several times larger than the request that triggers them. An attacker can exploit this by sending a small initial packet to a device’s WS-Discovery service with the response redirected to the DDoS target, which then receives a packet several times larger than the one the attacker sent.
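To make the reflection and amplification pattern described above concrete from the defender’s side, here is an added example (not from the article or the Trend Micro report) that scans constructed flow records for WS-Discovery replies leaving the LAN toward Internet addresses and computes the amplification ratio per apparent victim. It assumes the LAN is 192.168.0.0/16 and that devices listen on UDP 3702, the protocol’s standard port, which the article does not name.

```python
"""Flag WS-Discovery (UDP/3702) reflection traffic in flow records.

Added example, not code from the article or the Trend Micro report.
Assumes NetFlow-like tuples (src_ip, src_port, dst_ip, dst_port, bytes),
an internal LAN of 192.168.0.0/16, and WS-Discovery on UDP 3702 (the
protocol's standard port). All sample flows below are constructed.
"""
import ipaddress
from collections import defaultdict

WSD_PORT = 3702
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed LAN range

# Constructed sample flows: two probes arriving from a spoofed "victim"
# address (203.0.113.9, documentation range) aimed at internal cameras,
# the cameras' much larger replies, and one legitimate LAN discovery.
SAMPLE_FLOWS = [
    ("203.0.113.9", 40000, "192.168.1.20", 3702, 90),
    ("192.168.1.20", 3702, "203.0.113.9", 40000, 2300),
    ("203.0.113.9", 40001, "192.168.1.21", 3702, 90),
    ("192.168.1.21", 3702, "203.0.113.9", 40001, 2100),
    ("192.168.1.5", 50000, "192.168.1.20", 3702, 90),   # legitimate LAN probe
    ("192.168.1.20", 3702, "192.168.1.5", 50000, 2300),  # legitimate LAN reply
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def reflection_report(flows):
    """Return {external_ip: (probe_bytes, reply_bytes, amplification)}.

    Only traffic crossing the LAN boundary is counted: probes from the
    Internet to our WS-Discovery listeners, and our listeners' replies
    back toward the Internet. Internal-only discovery is ignored.
    """
    probes, replies = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == WSD_PORT and not is_internal(src) and is_internal(dst):
            probes[src] += nbytes   # Internet host (or spoofed victim) probing us
        elif sport == WSD_PORT and is_internal(src) and not is_internal(dst):
            replies[dst] += nbytes  # our device answering toward the Internet
    report = {}
    for ip in set(probes) | set(replies):
        p, r = probes[ip], replies[ip]
        report[ip] = (p, r, round(r / p, 1) if p else None)
    return report


if __name__ == "__main__":
    for ip, (p, r, amp) in reflection_report(SAMPLE_FLOWS).items():
        print(f"{ip}: probes={p}B replies={r}B amplification={amp}x")
```

Any external address appearing in the report is receiving reflected WS-Discovery traffic from the monitored network; the corresponding fix is to drop UDP/3702 at the Internet edge so only LAN hosts can reach the listeners.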
This isn’t the first time standard protocols have exposed devices or systems to attacks. Threats involving protocols have become critical points of defense, since protocols are closely embedded in devices, systems, and applications, according to the Trend Micro report. At the same time, protocols can open the door to vulnerabilities and attacks via unassuming yet critical devices.
Communication protocols have also become especially crucial in systems that use the Internet of Things (IoT) and the Industrial Internet of Things (IIoT), where weaknesses and misconfigurations in these protocols can lead to more than just exposed records.