By abusing an improperly implemented tool present in almost 1m network-connected cameras, DVRs and other IoT devices, hackers have discovered a new technique to amplify the effects of denial-of-service attacks.
The new technique abuses the WS-Discovery (WSD) protocol which is used by a wide array of network devices to automatically connect to one another. The WSD protocol allows devices to send user datagram protocol (UDP) packets over port 3702 to describe the capabilities and requirements of a device.
However, devices that receive these probes can respond with replies that can be tens to even hundreds of times bigger and this allows hackers to amplify the power of their DDoS attacks.
- Wikipedia goes offline following DDoS attack
- DDoS attacks soar after long period of decline
- Telegram hit in major DDoS attack
Depending on the device, these responses can be anywhere from seven to 153 times bigger and this amplification makes WSD one of the most powerful techniques in a hacker's arsenal for amplifying DDoS attacks which can be crippling to businesses and consumers.
Amplified DDoS attacks
Researchers at Akamai were recently in the process of investigating WSD-based attacks when one of their customers in gaming industry fell victim to such an attack. At its peak, the DDoS attack using WSD amplification generated 35GB per second of junk traffic.
This attack was nowhere close to the 990Gbps DDoS attack caused by security cameras back in 2016 but the new technique being employed by hackers is still cause for concern due to the pool of available devices which Akamai estimates is over 802k.
In a blog post (opens in new tab) detailing Akamai's findings, Jonathan Respeto explained why WSD poses a major risk and how businesses should prepare for a new wave of DDoS attacks soon, saying:
“WSD is a major risk on the Internet that can push some serious bandwidth using CCTV and DVRs. Once more, we see security take a back seat for the sake of convenience. Manufacturers can just limit the scope of the UDP protocol on port 3702 to the multicast IP space. The only thing we can do now is wait for devices that are meant to have a 10/15 year life to die out, and hope that they are replaced with more secured version. Everyone is a potential target for WSD attacks, so organizations should be ready to route traffic to their DDoS mitigation provider if they're hit with this large attack. Due to its large amplification factors, we expect that attackers will waste little time in leveraging WSD for use as a reflection vector.”
- We've also highlighted the best DDoS protection of 2019
Via Ars Technica (opens in new tab)