11 votes

New DDoS vector observed in the wild leveraging WS-Discovery for amplification, attacks hitting 35 Gbps

Tags: security, ddos, iot

3 comments

  1. [3]
    asoftbird
    Link
    Can l get a layman's translation of this? 35 Gb/s sounds bad but l have no idea what the rest of the article means.

    Can l get a layman's translation of this? 35 Gb/s sounds bad but l have no idea what the rest of the article means.

    3 votes
    1. [2]
      Deimos
      (edited )
      Link Parent
      Might not be fully correct, but my understanding of it: WS-Discovery (WSD) is a protocol that's supposed to be used for discovering devices on a local network. So for example, you might buy some...

      Might not be fully correct, but my understanding of it:

      WS-Discovery (WSD) is a protocol that's supposed to be used for discovering devices on a local network. So for example, you might buy some security cameras that can use it to discover each other on your network, even if they're from different companies. The most important part is that it was supposed to be restricted to local networks and not work over the internet, but a lot of manufacturers have implemented it wrong, and made it so the devices will respond to it over the internet.

      WSD is a protocol that uses UDP, and UDP is stateless and enables you to be able to spoof the destination of the response. So for example, I might be sending a legitimate WSD request that's something like, "Hey, are you a camera? Respond back to Deimos". But with spoofing, I can say "Hey, are you a camera? Respond back to asoftbird." and the device will just believe me and send its reply to you instead of me. Of course, you're not expecting that response because you didn't ask for it, so you'll just discard it.

      The real problem is that the responses are much larger than the requests, which is the "amplification" aspect. In the post, they explain a few different methods of modifying the requests for different responses, but the "average" scenario they talk about is being able to send a request that's 29 bytes and getting back a response that's about 2599 bytes. That means that the response is 89 times the size of the request.

      So now, if I want to DoS something, let's say that I only have an internet connection with 10 Mbps upstream bandwidth. If I max it out and send a constant 10 Mbps of traffic toward some site, they... probably won't even notice. 10 Mbps is practically nothing. However, I can instead use that 10 Mbps to send out thousands of WSD requests to different cameras/etc. attached to the internet and tell them "Respond back to <site's IP address>". They'll do that, and send responses 89x the size of the requests I'm sending, so now my 10 Mbps of bandwidth has turned into 890 Mbps of traffic being sent to the site. That's way harder to deal with, and if I have higher bandwidth or multiple machines/connections to send the requests from, I can amplify it all by that amount.

      8 votes
      1. asoftbird
        Link Parent
        Very clear, thanks. IoT security seems to be a huge issue. I'm a product designer by trade and security usually is an afterthought, and even then it's probably "put some generic password on it" at...

        Very clear, thanks. IoT security seems to be a huge issue. I'm a product designer by trade and security usually is an afterthought, and even then it's probably "put some generic password on it" at most.

        1 vote