
Protocol used by 630,000 devices can be abused for devastating DDoS attacks

August 28, 2019

Security researchers are sounding the alarm about the Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol, which they say can be abused to launch pretty massive DDoS attacks.

ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.

However, over the past month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.

What is WS-Discovery

WS-Discovery is a multicast protocol that can be used on local networks to “discover” other nearby devices that communicate via a particular protocol or interface.

Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets — hence why it’s sometimes referred to as SOAP-over-UDP.

WS-Discovery is not a common or well-known protocol, but it’s been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products.

ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group’s standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].

As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. Currently, according to internet search engine BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.

WS-Discovery BE scan

Image: ZDNet

WS-Discovery DDoS attacks can reach massive outputs

There are multiple reasons why the WS-Discovery protocol is so ideal for DDoS attacks.

First off, it’s a UDP-based protocol, meaning the destination of the response packet can be spoofed. An attacker can send a UDP packet to a device’s WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic off WS-Discovery devices and aim it at the desired target of their DDoS attacks.

Second, the WS-Discovery response is many times larger than the initial input. This allows attackers to send an initial packet to a WS-Discovery device, which bounces the response to a DDoS attack victim at multiple times its initial size.

This is what security researchers call a DDoS amplification factor, and this allows attackers with access to limited resources to launch massive DDoS attacks by amplifying junk traffic on vulnerable devices.

In the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500. This is a gigantic amplification factor, taking into account that most other UDP protocols have amplification factors of up to 10, on average.

The good news is that there have been very few WS-Discovery DDoS attacks with amplification factors of 300 or 500, which appear to be the oddity, rather than the norm.

According to ZeroBS GmbH, a cyber-security firm that’s been tracking the recent wave of WS-Discovery DDoS attacks that have taken place this month, the more common amplification factor was a more ordinary one of up to 10.

Nonetheless, a proof-of-concept script for launching WS-Discovery DDoS attacks published on GitHub in late 2018 claims it can achieve between 70 and 150 amplification factors [ZDNet will not be linking to the script, for obvious reasons], so there is still a danger that a sophisticated threat actor will eventually weaponize this protocol to its full potential.

Past WS-Discovery DDoS attacks

The first attacks abusing the WS-Discovery protocol on a large scale were reported in early May by security researcher Tucker Preston.

The researcher told ZDNet that he observed over 130 DDoS attacks at the time, with some reaching sizes of over 350 Gbps. These attacks were later confirmed by Netscout in a report published last month [page 28].

WS-Discovery DDoS attacks, May 2019

Image via Tucker Preston

Attacks subsided in the following months, but they picked up again in August, ZeroBS told ZDNet today.

Unlike the first waves of WS-Discovery attacks, these were much smaller and were most likely carried out by threat actors who weren’t fully aware of the protocol’s capabilities, or they didn’t have the technical means to exploit it at its full potential.

ZeroBS said these latter attacks only reached a maximum of 40 Gbps, amplification factors of no more than 10, and that only 5,000 devices (mostly IP cameras and printers) had been corralled into the botnets that were launching these attacks.

WS-Discovery scan activity

Image via ZeroBS GmbH

Right now, WS-Discovery DDoS attacks haven’t reached a stage where they happen daily, nor are they being used at their full potential, with many attacks still using only a fraction of the total WS-Discovery devices available online, and only achieving small amplification factors.

However, the large number of devices that are currently exposing the WS-Discovery port 3702 on the internet will make this protocol a favorite among botnet operators in the coming months.

Internet service providers still have time to deploy protective measures at their network boundaries to block traffic from the internet that targets the 3702 port on devices inside their network.

Simple solutions like these will help prevent botnets from abusing these devices for future attacks, but, as we’ve seen in the past, deploying such measures usually takes a few months, and there are always a few ISPs that fail to act and leave devices exposed on the internet, where they facilitate future DDoS attacks.
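Whether a boundary filter on port 3702 is actually holding can be checked from flow data. The following is an added example, not part of the original article: it scans flow records for internet-sourced UDP traffic reaching port 3702 on internal devices and computes each device's byte amplification factor. The record layout, the `INTERNAL_NETS` range and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery UDP port named in the article
# Assumption: the operator's own address space (documentation range as a stand-in).
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.7", 40000, "198.51.100.20", 3702, "udp", 180),    # outside -> device
    ("198.51.100.20", 3702, "203.0.113.7", 40000, "udp", 27000),  # device reply
    ("203.0.113.7", 40001, "198.51.100.31", 3702, "udp", 180),
    ("198.51.100.31", 3702, "203.0.113.7", 40001, "udp", 1500),
    ("198.51.100.40", 51000, "198.51.100.41", 3702, "udp", 200),  # LAN-only discovery
    ("198.51.100.41", 3702, "198.51.100.40", 51000, "udp", 900),
    ("203.0.113.9", 443, "198.51.100.20", 52000, "tcp", 5000),    # unrelated traffic
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def reflector_report(flows, min_factor=10.0):
    """Per internal device: bytes arriving on 3702 from outside vs bytes leaving from 3702."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == WSD_PORT and is_internal(dst) and not is_internal(src):
            bytes_in[dst] += nbytes      # traffic the boundary filter should drop
        elif sport == WSD_PORT and is_internal(src) and not is_internal(dst):
            bytes_out[src] += nbytes     # replies leaving the network
    report = {}
    for dev in set(bytes_in) | set(bytes_out):
        # Replies with no recorded request still count as maximal exposure.
        factor = bytes_out[dev] / bytes_in[dev] if bytes_in[dev] else float("inf")
        report[dev] = {
            "bytes_in": bytes_in[dev],
            "bytes_out": bytes_out[dev],
            "factor": round(factor, 1),
            "high": factor >= min_factor,
        }
    return report

if __name__ == "__main__":
    for dev, row in sorted(reflector_report(SAMPLE_FLOWS).items()):
        print(dev, row)
```

Any device that appears in the report at all is reachable on 3702 from outside the network, regardless of its measured factor.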


Credit: Zdnet

© 2019 NikolaNews.com - Global Tech Updates
