DDoS attack exploiting WSD reported by Akamai
- Akamai has reported that a DDoS attack targeted one of its customers in the gaming industry.
- The attack leveraged a UDP amplification technique known as WS-Discovery (WSD).
The attack generated 35 GB of junk traffic per second and ranks as the fourth largest DDoS attack the company has seen, measured by reflected amplification factor.
The big picture
Web Services Dynamic Discovery (WSD) lets network devices send User Datagram Protocol (UDP) packets and also receive and respond to them.
- WSD operates over TCP and UDP port 3702 and is found in many internet-connected devices.
- It can be abused by sending a UDP request with a forged source IP address: the device sends its response to the forged address, which lets attackers aim the traffic at a DDoS target.
- The goal of an amplification attack is to send a small amount of data that triggers a much larger response. Responses are known to be amplified by 7 to 153 times in IoT devices, especially poorly designed ones, making WSD a popular protocol to exploit during DDoS attacks.
Jonathan Respeto writes on the Akamai blog that WSD was designed as a LAN-scoped technology and was never meant to be exposed on the internet.
Devices can leak their internal IP address and model number in response to a valid XML request, information that can be used to look up known exploits for that model.
- Akamai's research team observed 802,115 devices responding to a scan that used a 783-byte request.
- The median response size was 1,517 bytes, which indicates a 193% amplification.
- Researchers were also able to amplify responses from nearly 2,000 devices made by an undisclosed manufacturer by a factor of 153.
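As an added example (not code from the article or from Akamai), the following Python script shows the defender's side of the numbers above: it computes the bandwidth amplification factor from a request size and a response size, and scans flow records for the signature of reflected WSD traffic, namely unsolicited UDP packets arriving from source port 3702 of many distinct hosts toward one destination with a large average packet size. The flow records, IP addresses and detection thresholds are constructed for illustration and are assumptions, not data from the report.

```python
"""Spot reflected WS-Discovery (WSD) traffic in flow records.

Added example for this summary, not Akamai's code. It assumes flow records
shaped like NetFlow/IPFIX exports (src_ip, src_port, dst_ip, dst_port, proto,
bytes, packets); the sample records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702  # WS-Discovery listens on TCP and UDP 3702 (per the article)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: response size divided by request size.

    With the article's numbers, 1517 / 783 is about 1.94, i.e. the ~193 %
    amplification Akamai reports for the median response.
    """
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_wsd_reflection(flows, min_sources=3, min_bytes_per_packet=1000):
    """Group inbound UDP flows whose *source* port is 3702 by destination.

    WSD is LAN-scoped, so unsolicited UDP from port 3702 of many distinct
    Internet hosts converging on one destination, carrying large packets, is
    the signature of a reflection flood. Returns {victim_ip: summary}.
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_victim = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != WSD_PORT:
            continue  # not a WSD reply; outbound LAN probes to :3702 are ignored
        s = by_victim[f.dst_ip]
        s["sources"].add(f.src_ip)
        s["bytes"] += f.bytes
        s["packets"] += f.packets

    alerts = {}
    for victim, s in by_victim.items():
        bpp = s["bytes"] / s["packets"] if s["packets"] else 0
        if len(s["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            alerts[victim] = {
                "reflectors": len(s["sources"]),
                "bytes": s["bytes"],
                "bytes_per_packet": round(bpp),
            }
    return alerts


# Constructed sample: four reflectors flood 203.0.113.10 with ~1.5 KB replies,
# mixed with a benign LAN discovery probe, a DNS reply and a single stray reply.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 3702, "203.0.113.10", 40000, "UDP", 1517 * 10, 10),
    Flow("198.51.100.2", 3702, "203.0.113.10", 40000, "UDP", 1517 * 8, 8),
    Flow("198.51.100.3", 3702, "203.0.113.10", 40000, "UDP", 1517 * 12, 12),
    Flow("198.51.100.4", 3702, "203.0.113.10", 40000, "UDP", 1500 * 5, 5),
    Flow("192.168.1.20", 49152, "239.255.255.250", 3702, "UDP", 783, 1),  # LAN probe
    Flow("198.51.100.53", 53, "203.0.113.10", 40001, "UDP", 120, 1),      # DNS reply
    Flow("198.51.100.5", 3702, "203.0.113.11", 40000, "UDP", 1517, 1),    # below min_sources
]

if __name__ == "__main__":
    print(f"median amplification: {amplification_factor(783, 1517):.2f}x")
    for victim, summary in find_wsd_reflection(SAMPLE_FLOWS).items():
        print(f"reflected WSD flood toward {victim}: {summary}")
```

The detector keys on the reply direction (source port 3702) rather than on the request direction, because a victim never sent the requests; the spoofed probes went from the attacker to the reflectors. In a real deployment the thresholds would be set from a baseline of normal traffic, and an alert would be the cue to divert traffic to the mitigation provider, as the article recommends.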
Akamai says that blocking UDP port 3702 can help blunt such attacks, but it won't make the problem go away, because the reflected flood still congests bandwidth on routers along the path. DDoS mitigation providers can help absorb and filter the attack traffic.
“Everyone is a potential target for WSD attacks, so organizations should be ready to route traffic to their DDoS mitigation provider if they're hit with this large attack. Due to its large amplification factors, we expect that attackers will waste little time in leveraging WSD for use as a reflection vector,” reads the Akamai blog.