A recently discovered distributed denial of service technique that abuses the Web Services Dynamic Discovery specification is being executed in the wild by multiple threat actors to amplify the effects of their attacks, researchers have warned.
The technique is a User Datagram Protocol (UDP) Amplification technique that involves spoofing requests to the WS-Discovery service. WS-Discovery is a specification designed to facilitate the discovery and connectivity of devices and services on a local network.
A spoofing attack leveraging this protocol causes a targeted internet-based server to receive an overwhelming number of responses, using up its bandwidth, explain researchers at Akamai Technologies in a blog post yesterday. Akamai recently detected such an attack against one of its own clients in the gaming industry, states blog author Jonathan Respeto, security intelligence response team engineer at Akamai.
Akamai’s SIRT team has determined that WS-Discovery DDoS attacks can generate amplification rates reaching 15,300 percent of the original byte size, giving it the fourth highest reflected amplification factor among all varieties of DDoS attacks. The attack against the gaming company reached a peak bandwidth of 35 Gbps, Respeto notes.
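To show what this reflection pattern looks like from the victim's side, here is an added example (not code from the article or from Akamai) that flags inbound WS-Discovery replies with no matching outbound probe and expresses the response/request size ratio the way the article quotes it. It assumes WS-Discovery on its standard port, UDP 3702, and uses constructed flow records.

```python
"""Flag likely WS-Discovery reflection traffic in edge flow records.

Added example, not from the article or Akamai. Assumes flow tuples of
(direction, peer_ip, src_port, dst_port, udp_payload_bytes) as an edge
sensor might export, and WS-Discovery on its standard port UDP 3702.
"""
from collections import defaultdict

WSD_PORT = 3702  # standard WS-Discovery UDP port

# Constructed flow records as seen at the victim's edge.
FLOWS = [
    ("out", "203.0.113.10", 50001, WSD_PORT, 18),    # probe we actually sent
    ("in",  "203.0.113.10", WSD_PORT, 50001, 2700),  # its reply: expected
    ("in",  "198.51.100.7", WSD_PORT, 80, 2790),     # replies we never asked for
    ("in",  "198.51.100.8", WSD_PORT, 80, 2790),
    ("in",  "198.51.100.9", WSD_PORT, 80, 2790),
]


def unsolicited_wsd_replies(flows):
    """Inbound replies from UDP/3702 whose (peer, our port) pair we never probed.

    Spoofed-source reflection shows up exactly this way: responses arrive at
    a host that never sent the corresponding discovery request.
    """
    probed = {(f[1], f[2]) for f in flows if f[0] == "out" and f[3] == WSD_PORT}
    return [f for f in flows
            if f[0] == "in" and f[2] == WSD_PORT and (f[1], f[3]) not in probed]


def reflection_summary(flows):
    """Bytes per reflector and the percent of inbound WSD bytes that were unsolicited."""
    by_reflector = defaultdict(int)
    for f in unsolicited_wsd_replies(flows):
        by_reflector[f[1]] += f[4]
    inbound = sum(f[4] for f in flows if f[0] == "in" and f[2] == WSD_PORT)
    unsolicited = sum(by_reflector.values())
    return dict(by_reflector), (round(100 * unsolicited / inbound) if inbound else 0)


def amplification_percent(request_bytes, response_bytes):
    """Amplification as the article states it: response size as a percent of request size."""
    return round(100 * response_bytes / request_bytes)


if __name__ == "__main__":
    reflectors, share = reflection_summary(FLOWS)
    print(f"unsolicited WSD bytes by reflector: {reflectors} ({share}% of inbound WSD)")
    # An 18-byte probe answered with 2754 bytes gives the 15,300% figure quoted above.
    print("amplification:", amplification_percent(18, 2754), "%")
```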
WS-Discovery’s role in DDoS attacks was originally disclosed back in August by ZDNet, which at the time reported that in-the-wild attacks exploiting this vector had been taking place as far back as May 2019. Citing internet search engine BinaryEdge, the report at the time said that almost 630,000 devices were confirmed to support the protocol and were therefore vulnerable. Susceptible devices include IP cameras, home appliances, printers, CCTV systems and DVRs, according to the ZDNet and Akamai reports.