Early detection of a WS-Discovery flood is possible through vigilant monitoring of network traffic for the pattern that reflected traffic produces: a sudden surge of inbound UDP packets from many unrelated source addresses, most of them from source port 3702, all converging on one target.
A WS-Discovery flood attack is a DDoS reflection attack that uses the WS-Discovery protocol to significantly amplify the strength of the attack. Attackers launch WS-Discovery floods to overwhelm servers, websites, networks, or other machines with traffic, to the point where they slow down or crash. Amplification techniques like those used in WS-Discovery floods enable attackers to generate massive attacks with little effort and few resources.
What is the meaning of the term DDoS attack?
A distributed denial-of-service (DDoS) attack is a cyberattack in which hackers take control of thousands or millions of malware-infected machines, like computers or IoT devices, and direct them to send traffic and requests to a target or victim — usually a server. In trying to respond to or make sense of the massive amount of requests, the targeted server becomes overwhelmed, and slows down or crashes. As a result, a DDoS attack can shut down websites, networks, and organizations for a period of time.
What is a DDoS reflection attack?
In a reflection attack, attackers spoof the source IP address of their packets, writing in the address of the intended victim or targeted server, and send those requests to third-party servers. Because each queried system answers the address the request appears to come from, the responses go to the victim's machines rather than to the attackers. This technique lets DDoS traffic be "reflected" through other machines instead of being sent directly to the target. Spoofing works because many networks do not check that packets leaving them carry one of their own source addresses (the ingress filtering described in BCP 38).
To amplify their efforts, attackers seek to reflect traffic off of machines that deliver a much larger response than the initial request. In these amplification attacks, attackers can use a relatively small number of initial packets and expend few resources to generate massive amounts of traffic that contains large amounts of data, overwhelming the targeted machines more quickly and easily.
What is WS-Discovery?
Web Services Dynamic Discovery (WS-Discovery or WSD) is a multicast discovery protocol for finding devices and services on a local network. Its messages are SOAP envelopes carried over UDP: a client multicasts a Probe to 239.255.255.250 on UDP port 3702, and every matching device answers with a unicast ProbeMatch that lists its service addresses; devices also multicast Hello announcements when they join a network. Any follow-on exchange with a discovered device (fetching its metadata, controlling it) usually runs over HTTP on TCP, but the discovery exchange itself is UDP, and that is the part that can be reflected. WSD-enabled devices, like IP cameras, DVRs, printers, speakers, etc., use these messages to find and connect to each other. For example, a DVR may use WSD to discover nearby IP cameras it can communicate with. While it is not a broadly known protocol, WS-Discovery has been adopted by ONVIF, an organization that promotes standardized interfaces to increase the interoperability of network video products. As a result, the WSD protocol is now included in hundreds of thousands of products worldwide.
The WSD protocol was intended for local area networks (LANs). As manufacturers shipped hardware with the WSD service and users exposed that hardware directly to the internet, attackers gained a new vector for DDoS reflection.
How does a WS-Discovery flood work?
A WS-Discovery reflection attack does not exploit a bug in WS-Discovery or in UDP; it abuses two ordinary properties. UDP has no handshake, so a device that receives a Probe simply answers whatever source address the packet claims. An attacker who forges the victim's address as the source therefore has every reply delivered to the victim, and can point the replies of thousands of internet-exposed WSD devices at a single target. TCP contributes little here: a spoofed SYN draws at most a SYN-ACK to the victim, the handshake never completes, and no SOAP reply is generated, so there is little or no amplification and WS-Discovery floods are in practice a UDP phenomenon.
What makes a WS-Discovery flood so potent is that the WSD response is far larger than the request that triggers it. A small request sent to a WS-Discovery device may draw a response 75 to 150 times larger, and several attacks have exhibited amplification factors of 300 to 500. How much a given device amplifies depends on how small a request it will still answer and how verbose its reply is. This is well above the amplification factor of roughly 10 that is typical of other UDP reflection protocols.
WS-Discovery floods are also hard to fingerprint. Most reflectors answer from UDP source port 3702, but some implementations reply from an ephemeral high port, and the reflected payloads are SOAP XML that differs from device to device, so no single port rule or payload signature catches all of the traffic. Also, because of the amplification, by the time the reflected traffic reaches your origin systems or services your internet uplinks are already saturated, and you have lost the ability to detect and mitigate locally.
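The two paragraphs above describe what is exchanged and why the size ratio matters. The following added example (not code from the original page) builds the minimal WS-Discovery Probe a client multicasts, a constructed ProbeMatch modelled on an ONVIF device's reply, parses the reply, and computes the on-wire amplification of that pair; `measure_reflector()` sends one real unicast Probe so you can check from outside your network whether your own devices answer strangers. The device UUID, scopes and the 192.0.2.10 address are made-up sample values.

```python
"""WS-Discovery Probe/ProbeMatch messages and amplification measurement (added example)."""
import socket
import sys
import uuid
import xml.etree.ElementTree as ET

WSD_MCAST = "239.255.255.250"   # IPv4 WS-Discovery multicast group
WSD_PORT = 3702                  # WS-Discovery UDP port
IP_UDP_HDR = 20 + 8              # IPv4 + UDP header bytes, counted for the on-wire ratio

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSD = "http://schemas.xmlsoap.org/ws/2005/04/discovery"
TDN = "http://www.onvif.org/ver10/network/wsdl"   # ONVIF device-type namespace
NS = {"s": SOAP, "a": WSA, "d": WSD}

# Constructed ONVIF-style scopes; real devices return their own, often more of them.
SAMPLE_SCOPES = [
    "onvif://www.onvif.org/type/Network_Video_Transmitter",
    "onvif://www.onvif.org/Profile/Streaming",
    "onvif://www.onvif.org/hardware/EXAMPLE-CAM-1",
    "onvif://www.onvif.org/name/Example%20Camera",
]


def build_probe(message_id=None):
    """Bytes of a minimal WS-Discovery Probe (what a client multicasts)."""
    mid = message_id or f"urn:uuid:{uuid.uuid4()}"
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}" xmlns:d="{WSD}">'
        f"<s:Header><a:Action>{WSD}/Probe</a:Action><a:MessageID>{mid}</a:MessageID>"
        "<a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To></s:Header>"
        "<s:Body><d:Probe/></s:Body></s:Envelope>"
    ).encode()


def build_probe_match(probe, device_uuid="urn:uuid:1b2f3f3a-0000-4000-8000-000000000001",
                      xaddrs="http://192.0.2.10/onvif/device_service", scopes=SAMPLE_SCOPES):
    """Bytes of a ProbeMatch answering `probe` (what a device unicasts back); sample values."""
    relates_to = ET.fromstring(probe).findtext("s:Header/a:MessageID", namespaces=NS)
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}" xmlns:d="{WSD}" xmlns:tdn="{TDN}">'
        f"<s:Header><a:Action>{WSD}/ProbeMatches</a:Action>"
        f"<a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>"
        f"<a:RelatesTo>{relates_to}</a:RelatesTo><a:To>{WSA}/role/anonymous</a:To></s:Header>"
        "<s:Body><d:ProbeMatches><d:ProbeMatch>"
        f"<a:EndpointReference><a:Address>{device_uuid}</a:Address></a:EndpointReference>"
        "<d:Types>tdn:NetworkVideoTransmitter</d:Types>"
        f"<d:Scopes>{' '.join(scopes)}</d:Scopes><d:XAddrs>{xaddrs}</d:XAddrs>"
        "<d:MetadataVersion>1</d:MetadataVersion>"
        "</d:ProbeMatch></d:ProbeMatches></s:Body></s:Envelope>"
    ).encode()


def parse_probe_match(data):
    """Extract the fields a client (or an analyst looking at a capture) cares about."""
    root = ET.fromstring(data)
    match = root.find("s:Body/d:ProbeMatches/d:ProbeMatch", NS)
    if match is None:
        raise ValueError("not a ProbeMatches message")
    return {
        "relates_to": root.findtext("s:Header/a:RelatesTo", namespaces=NS),
        "address": match.findtext("a:EndpointReference/a:Address", namespaces=NS),
        "xaddrs": match.findtext("d:XAddrs", namespaces=NS),
        "scopes": match.findtext("d:Scopes", default="", namespaces=NS).split(),
    }


def amplification_factor(request, response):
    """On-wire bytes delivered to the victim per byte the attacker had to send."""
    return round((len(response) + IP_UDP_HDR) / (len(request) + IP_UDP_HDR), 2)


def measure_reflector(host, timeout=2.0):
    """Send one unicast Probe to host:3702 and sum every reply that comes back.

    Run it from outside your own network against your own devices: any reply
    means the device answers strangers and can be used as a reflector.
    """
    probe = build_probe()
    received = replies = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, WSD_PORT))
        while True:
            try:
                data, _ = sock.recvfrom(65535)
            except OSError:          # timeout, or ICMP unreachable surfaced as an error
                break
            received += len(data) + IP_UDP_HDR
            replies += 1
    sent = len(probe) + IP_UDP_HDR
    return {"sent": sent, "received": received, "replies": replies,
            "factor": round(received / sent, 2)}


if __name__ == "__main__":
    p = build_probe()
    r = build_probe_match(p)
    print(parse_probe_match(r), "constructed pair factor:", amplification_factor(p, r))
    for target in sys.argv[1:]:      # live check only when addresses are given
        print(target, measure_reflector(target))
```

The constructed pair gives a modest ratio because the Probe is well-formed and the reply is short; the ratios quoted above come from devices that answer far smaller requests with far longer replies, which is exactly what `measure_reflector()` lets you quantify for a device you own.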
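Because some reflectors answer from ephemeral ports, a detector keyed only on source port 3702 undercounts a flood. The following added example (not from the original page) classifies sampled packets as WSD replies either by source port or by the WS-Discovery namespace in the payload, then flags any destination that receives replies from many distinct reflectors within one time window; the packet records, addresses and thresholds are constructed for illustration.

```python
"""Flagging a WS-Discovery reflection flood in sampled packets (added example)."""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702
# This namespace URI appears in every WS-Discovery SOAP message, whatever the device.
WSD_NS = b"schemas.xmlsoap.org/ws/2005/04/discovery"


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    length: int     # bytes on the wire
    payload: bytes  # leading bytes of the UDP payload, empty if the sensor has none


def classify_wsd_reply(pkt):
    """Return "port", "payload" or None depending on how the packet was recognised."""
    if pkt.proto != "udp":
        return None
    if pkt.sport == WSD_PORT:
        return "port"
    if WSD_NS in pkt.payload:
        return "payload"
    return None


def detect_wsd_flood(packets, window=10.0, min_sources=20, min_bytes=50_000):
    """Per-destination stats for the first time window that crosses both thresholds."""
    buckets = defaultdict(list)                       # (dst, window index) -> hits
    for p in packets:
        kind = classify_wsd_reply(p)
        if kind:
            buckets[(p.dst, int(p.ts // window))].append((p.src, p.length, kind))
    alerts = {}
    for (dst, _), hits in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if dst in alerts:
            continue
        sources = {src for src, _, _ in hits}
        total = sum(length for _, length, _ in hits)
        if len(sources) >= min_sources and total >= min_bytes:
            alerts[dst] = {
                "sources": len(sources),
                "bytes": total,
                "by_port": sum(1 for *_, k in hits if k == "port"),
                "by_payload": sum(1 for *_, k in hits if k == "payload"),
            }
    return alerts


def sample_packets():
    """Constructed capture: 30 reflectors, two thirds reply from 3702, one third from high ports."""
    soap = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"'
            b' xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery">')
    pkts = []
    for i in range(30):
        sport = WSD_PORT if i % 3 else 40000 + i
        pkts.append(Packet(ts=i * 0.1, src=f"198.51.100.{i + 1}", sport=sport,
                           dst="203.0.113.5", dport=443, proto="udp", length=3000, payload=soap))
    # Benign traffic that must not be counted: a DNS answer and a TCP segment.
    pkts.append(Packet(1.0, "198.51.100.200", 53, "203.0.113.5", 51234, "udp", 120, b""))
    pkts.append(Packet(1.5, "198.51.100.201", 443, "203.0.113.5", 51235, "tcp", 1500, b""))
    return pkts


if __name__ == "__main__":
    for victim, stats in detect_wsd_flood(sample_packets()).items():
        print(victim, stats)
        print("replies a source-port-3702 rule would miss:", stats["by_payload"])
```

The `by_payload` count is the part of the flood that a firewall rule on source port 3702 never sees; on a real sensor that only exports flow records without payload, it is also the part you cannot attribute to WSD at all, which is one reason to rely on upstream mitigation rather than edge filtering alone.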
Frequently Asked Questions (FAQ)
Security teams may implement a variety of protections to defend against a WS-Discovery reflection attack.
- Blocking traffic from UDP port 3702. Security teams can drop inbound UDP packets with source port 3702 on gateway devices and firewalls to keep WSD replies off their hosts. This does not stop the packets from consuming upstream link and router bandwidth, and it misses reflectors that answer from other ports, so cloud mitigation is recommended in addition. Owners of WSD-capable devices should in turn make sure UDP port 3702 is not reachable from the internet, so their devices cannot be used as reflectors.
- IP filtering. Security teams may deploy IP filtering to reject traffic from non-permitted source addresses, for example by allowing UDP only from known peers to the services that need it. Network operators can also apply ingress filtering (BCP 38) so that packets with spoofed source addresses never leave their networks.
- DDoS mitigation services. Deploying cloud DDoS mitigation services from a leading cybersecurity service provider like Akamai is one of the most effective ways to block DDoS and amplification attacks.
WS-Discovery floods are not daily occurrences, but they have produced attacks large enough to warrant attention, and knowing how often they appear helps in planning proactive network defenses.
While no network is entirely immune, proactive security measures significantly reduce both the chance that your own WSD-enabled devices are used as reflectors and the impact of a flood aimed at you.
The risks associated with WS-Discovery floods range from outages of the targeted services to floods used as one vector in a multi-vector attack whose other components aim at a data breach, which makes them a significant security concern.
Why customers choose Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.