By abusing a little-known multicast protocol, attackers can launch DDoS attacks of immense power, but there may be an easy fix.
Content delivery provider Akamai reports that a new method of launching distributed denial of service (DDoS) attacks ranks as one of the most dangerous of all time.
This new method has already been seen in the wild, which is how Akamai gained an additional level of insight: A gaming industry Akamai client was recently hit with this new kind of attack.
The biggest concern that comes with this new attack is its ability to eat up immense amounts of bandwidth. The client Akamai mentioned saw peaks as high as 35 GB/s during their recent attack.
There’s a key multicast protocol that makes this new kind of DDoS possible: WS-Discovery (WSD).
WSD isn’t a well-known protocol, but it is a widely used one, and can be found in thousands of internet-connected devices. WSD is a discovery protocol designed to let IoT devices communicate in a standard language, but it has a problem: the source of a request can be spoofed.
TechRepublic sister site ZDNet reported on WSD DDoS attacks at the end of August, giving a concise description of why this attack is so serious: “An attacker can send a UDP packet to a device’s WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of their DDoS attacks.”
The danger from WS-Discovery
ZDNet continued that WSD attacks aren’t common because of the obscurity of the protocol used to launch it, but this is changing. There has been an uptick in WSD attacks recently and with news about the protocol becoming public it’s likely the risk will only grow.
Akamai notes that WSD was never meant to be an internet-facing technology; it was designed for use on local area networks so devices could discover each other. Despite that, Akamai said, manufacturers of internet-connected devices shipped them with the protocol exposed to the internet.
ZDNet said that more than 630,000 devices vulnerable to WSD attacks are discoverable on the internet, which gives potential attackers a lot of amplification points.
How to stop a WS-Discovery attack
This attack is serious, but if Akamai is correct, mitigating it may be simple. That said, if you think devices on your network are vulnerable, be sure to follow these instructions: eliminating attack vectors is only possible if everyone takes the right steps.
Here’s how simple the first part is: Just block UDP source port 3702.
That only covers your servers, though: there will still be traffic slamming your routers, which means you need to apply an access control list (ACL) on your routers as well.
If you have a Cisco-style ACL:
ipv4 access-list [ACCESS-LIST NAME] 1 deny udp any eq 3702 host [TARGET IP]
ipv4 access-list [ACCESS-LIST NAME] 2 deny udp any host [TARGET IP] fragments
If you use Linux iptables:
iptables -A INPUT -i [interface] -p udp -m udp --sport 3702 -j DROP
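The blocking rules above stop the reflected traffic, but a defender also wants to know whether it is arriving at all, and how much. The following script is an added example, not code from the article or from Akamai or ZDNet: it aggregates constructed flow records, flags destinations receiving UDP traffic sourced from port 3702 from several distinct reflectors, and emits the iptables rule from the article for the interface you name. The flow-record format and the threshold values are assumptions made for the example.

```python
"""Spot WS-Discovery (WSD) reflection traffic in flow records and build the matching block rule.

Reflected WSD responses reach the victim as UDP datagrams whose SOURCE port is 3702,
so per-destination volume of such flows, from many distinct senders, is the signal.
The flow-record format used here is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

WSD_PORT = 3702  # UDP port used by WS-Discovery


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int  # bytes carried by the flow


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>'."""
    proto, src, _arrow, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def wsd_reflection_volume(lines):
    """Return {dst_ip: (total_bytes, distinct_reflectors)} for UDP flows sourced from port 3702."""
    totals = defaultdict(int)
    reflectors = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.proto == "udp" and flow.src_port == WSD_PORT:
            totals[flow.dst_ip] += flow.size
            reflectors[flow.dst_ip].add(flow.src_ip)
    return {ip: (totals[ip], len(reflectors[ip])) for ip in totals}


def flag_targets(summary, byte_threshold, min_reflectors=2):
    """Destinations whose WSD-sourced volume and reflector count both exceed the thresholds."""
    return sorted(
        ip for ip, (total, n_reflectors) in summary.items()
        if total >= byte_threshold and n_reflectors >= min_reflectors
    )


def iptables_rule(interface: str) -> str:
    """The article's iptables rule, dropping UDP traffic with source port 3702 on one interface."""
    return f"iptables -A INPUT -i {interface} -p udp -m udp --sport {WSD_PORT} -j DROP"


# Constructed sample records (RFC 5737 documentation addresses), not real traffic.
SAMPLE_FLOWS = """
# proto src -> dst bytes
udp 198.51.100.10:3702 -> 203.0.113.5:41234 1480
udp 198.51.100.11:3702 -> 203.0.113.5:41234 1480
udp 198.51.100.12:3702 -> 203.0.113.5:41234 1480
udp 192.0.2.7:53 -> 203.0.113.5:53211 120
tcp 192.0.2.8:443 -> 203.0.113.9:55000 5000
udp 198.51.100.13:3702 -> 203.0.113.9:41234 1480
"""

if __name__ == "__main__":
    summary = wsd_reflection_volume(SAMPLE_FLOWS.splitlines())
    for ip, (total, n) in sorted(summary.items()):
        print(f"{ip}: {total} bytes from port {WSD_PORT}, {n} distinct reflectors")
    for ip in flag_targets(summary, byte_threshold=3000):
        print(f"WSD reflection suspected against {ip}; suggested rule: {iptables_rule('eth0')}")
```

In real use the records would come from NetFlow/sFlow or firewall logs, and the byte threshold would be set from your normal baseline; a single device answering on port 3702 is not an attack, whereas many distinct senders converging on one destination from that source port is the reflection pattern the article describes.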
Akamai paints a grim picture of the future of WSD attacks: “The only thing we can do now is wait for devices that are meant to have a 10- to 15-year life to die out, and hope that they are replaced with more secure versions.”
That doesn’t mean you can’t do anything: Take the proper precautions by blocking ports, adding ACLs, and installing critical updates that could mitigate future risks.