ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.
However, during the recent month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.
What is WS-Discovery
WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface.
Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets -- hence why it's sometimes referred to as SOAP-over-UDP.
WS-Discovery is not a common or well-known protocol, but it's been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products.
ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group's standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].
As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. Currently, according to internet search engine BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.
WS-Discovery DDoS attacks can reach massive outputs
There are multiple reasons why the WS-Discovery protocol is so ideal for DDoS attacks.
First off, it's an UDP-based protocol, meaning the packet destination can be spoofed. An attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of their DDoS attacks.
Second, the WS-Discovery response is many times larger than the initial input. This allows attackers to send an initial packet to a WS-Discover device, which bounces the response to a DDoS attack victim at multiple times its initial size.
This is what security researchers call a DDoS amplification factor, and this allows attackers with access to limited resources to launch massive DDoS attacks by amplifying junk traffic on vulnerable devices.
In the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500. This is a gigantic amplification factor, taking into account that most other UDP protocols have similar factors of up to 10, on average.
The good news is that there have been very few WS-Discovery DDoS attacks with amplification factors of 300 or 500, which appear to be the oddity, rather than the norm.
Nonetheless, a proof-of-concept script for launching WS-Discovery DDoS attacks published on GitHub in late 2018 claims it can achieve between 70 and 150 amplification factors [ZDNet will not be linking to the script, for obvious reasons], so there is still a danger that a sophisticated threat actor will eventually weaponize this protocol to its full potential.
Past WS-Discovery DDoS attacks
First attacks abusing the WS-Discovery protocol on a large scale have been first reported in early May by security researcher Tucker Preston.
The researcher told ZDNet that he observed over 130 DDoS attacks at the time, with some reaching sizes of over 350 Gbps. These attacks were later confirmed by Netscout in a report published last month [page 28].
Attacks subsided in the following months, but they picked up again in August, ZeroBS told ZDNet today.
Unlike the first waves of WS-Discovery attacks, these were much smaller and were most likely carried out by threat actors who weren't fully aware of the protocol's capabilities, or they didn't have the technical means to exploit it at its full potential.
ZeroBS said these latter attacks only reached a maximum of 40 Gbps, amplification factors of no more than 10, and that only 5,000 devices (mostly IP cameras and printers) had been corralled into the botnets that were launching these attacks.
Right now, WS-Discovery DDoS attacks haven't reached a stage where they happen daily, nor are they being used at their full potential, with many attacks still using only a fraction of the total WS-Discovery devices available online, and only achieving small amplification factors.
However, the large number of devices that are currently exposing the WS-Discovery port 3702 on the internet will make this protocol a favorite among botnet operators in the coming months.
Internet service providers still have time to deploy protective measures at their network boundaries to block traffic from the internet that targets the 3702 port on devices inside their network.
Simple solutions like these will help prevent botnets from abusing these devices for future attacks, but, as we've seen in the past, deploying such measures usually takes a few months, and there's always a few ISPs that fail to act and leave devices exposed on the internet that faciliate future DDoS attacks.