Some thoughts about WS-Discovery DDoS attacks
Security researchers from Akamai published interesting details about the Web Services Dynamic Discovery (WS-Discovery) protocol, which they say can be abused to launch massive DDoS attacks.
What is WS-Discovery?
WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices: it supports inter-device discovery and communication via the SOAP messaging format carried in UDP packets, which is why it is sometimes referred to as SOAP-over-UDP.
WS-Discovery is a protocol adopted by ONVIF (an industry group that promotes standardized interfaces for interoperability of networked products): ONVIF members include Axis, Sony, Bosch, and others, and since the mid-2010s WS-Discovery has been the recommended protocol for device discovery as part of plug-and-play interoperability.
Currently, according to a search on BinaryEdge, there are nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol accessible from the internet.
Why is a WS-Discovery-based DDoS so dangerous?
WS-Discovery is a UDP-based protocol, so the packet source address can be spoofed: an attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address, and when the device sends back a reply, it will send it to the forged IP address. This allows attackers to bounce traffic off WS-Discovery devices and aim it at the desired target of the DDoS attack.
Furthermore, the WS-Discovery response is many times larger than the initial input. An attacker can therefore send a small initial packet to a WS-Discovery device, which bounces a much larger response to the attack victim with a great amplification factor, allowing attackers to launch massive DDoS attacks with limited resources.
According to this analysis by ZeroBS GmbH, a common amplification factor for reflection attacks is up to 10; in the case of WS-Discovery, the protocol has been observed in real-world DDoS attacks with amplification factors of up to 300, and even 500.
How to stop a WS-Discovery attack?
According to this post on Akamai's Blog, "placing blocks on the UDP source port 3702 will prevent the traffic from hitting your servers":
Cisco style ACLs
ipv4 access-list [ACCESS-LIST NAME] 1 deny udp any eq 3702 host [TARGET IP]
ipv4 access-list [ACCESS-LIST NAME] 2 deny udp any host [TARGET IP] fragments
Linux iptables ACL
iptables -A INPUT -i [interface] -p udp -m udp --sport 3702 -j DROP
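The ACLs above block reflected traffic by its source port; the same criterion can be used to detect an attack in progress from flow data before or alongside blocking it. The following script is an added example, not code from the original post, Akamai or ZeroBS: it parses constructed flow records in an assumed CSV layout, selects inbound UDP traffic whose source port is 3702 (the port a WS-Discovery reflector answers from), and reports aggregate bytes, packet count and average reply size per victim address. The thresholds (min_bytes, min_reflectors) are assumptions to tune per network.

```python
"""Defender-side detection of reflected WS-Discovery traffic in flow records.

Added example (not from the original post, Akamai or ZeroBS). The CSV flow
format and the alert thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

WSD_PORT = 3702  # UDP port WS-Discovery replies are sent from

# Constructed sample flow records: src_ip,sport,dst_ip,dport,proto,packets,bytes
# 203.0.113.10 receives large UDP replies from port 3702 on two reflectors;
# 203.0.113.22 receives a single small reply; the last row is ordinary DNS.
SAMPLE_FLOWS = """\
198.51.100.7,3702,203.0.113.10,44123,udp,120,324000
198.51.100.9,3702,203.0.113.10,44123,udp,95,256500
198.51.100.7,3702,203.0.113.22,80,udp,2,5400
203.0.113.10,44123,198.51.100.7,3702,udp,1,150
192.0.2.44,53,203.0.113.10,51020,udp,3,600
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV flow layout into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def detect_wsd_reflection(flows: List[dict], min_bytes: int = 100_000,
                          min_reflectors: int = 2) -> Dict[str, dict]:
    """Return {victim_ip: stats} for destinations receiving WS-Discovery
    replies (UDP source port 3702) from several reflectors above a byte
    threshold. Both thresholds are assumed values, not protocol constants."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == WSD_PORT:
            s = per_dst[f["dst"]]
            s["bytes"] += f["bytes"]
            s["packets"] += f["packets"]
            s["reflectors"].add(f["src"])
    alerts = {}
    for dst, s in per_dst.items():
        if s["bytes"] >= min_bytes and len(s["reflectors"]) >= min_reflectors:
            alerts[dst] = {"bytes": s["bytes"], "packets": s["packets"],
                           "reflectors": sorted(s["reflectors"]),
                           "avg_packet_bytes": s["bytes"] // s["packets"]}
    return alerts
```

A large average reply size combined with many distinct reflectors is the signature to watch for; the same traffic is what the iptables rule above drops.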