DDoS attack leveraging WSD protocol amplified attack strength by 'more than 15,300 per cent'

Attack generated 35Gbps of junk traffic at peak bandwidth

Security researchers from Akamai said they recently witnessed a massive DDoS attack abusing a UDP amplification tool known as WS-Discovery.

WS-Discovery (Web Services Dynamic Discovery or WSD) is a communication protocol that helps network-connected devices in automatically discovering web-based services inside networks.

WSD is based on user datagram protocol (UDP) and is currently being used by nearly one million devices, including cameras, DVRs, printers, and Internet-of-things (IoT) devices, enabling them to connect to one another.

Using WSD, devices can send UDP packets describing the device requirements and capabilities over port 3702.

According to Akamai, members of its Security Intelligence Response Team (SIRT) recently observed a distributed denial of service (DDoS) attack, exploiting WSD, to target one of Akamai's customers in the gaming industry.

At peak bandwidth, the attack generated 35Gbps of junk traffic. Last year, researchers had observed a record-setting DDoS attack that produced 1.7Tbps of junk traffic at peak.

According to Akamai, with additional research into WSD protocol, SIRT researchers were able to achieve amplification rates of up to 15,300 per cent of the original byte size, placing it on the fourth place on the DDoS attacks leader board, for highest reflected amplification factor.

Akamai believes a number of threat actors have started leveraging this DDoS method to speed up attacks on targets.

WSD can be easily exploited due to poor implementation. To hit a target, an attacker sends a UDP packet with a fake return IP address to a device's WS-Discovery service. In return, the device sends back a reply to the forged IP address, allowing the attacker to bounce junk traffic at the target device.

According to Akamai, WSD - like several other LAN-centric technologies - was not meant to live in an era of constant connectivity.

"As manufacturers pushed out hardware with this service (improperly) implemented, and users deployed this hardware across the internet, they've inadvertently introduced a new DDoS reflection vector that has already begun to see abuse," Jonathan Respeto from Akamai wrote in a blog post.

More than 630,000 connected devices vulnerable to WSD attacks are currently discoverable on the internet, giving attackers a lot of amplification points.

So, what can organisations do to prevent such attacks? Not much, according to Respeto.

"The only thing we can do now is wait for devices that are meant to have a 10- to 15-year life to die out, and hope that they are replaced with [a] more secured version," he said.

But, in the meantime, organisations can definitely take some precautions, such as adding ACLs, blocking ports, and installing critical updates to mitigate risks to some extent.