WS-Discovery protocol can be abused to launch massive DDoS attacks
Security researchers have found that attackers can abuse the Web Services Dynamic Discovery (WS-Discovery) protocol to launch massive distributed denial of service (DDoS) attacks.
During the recent month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.
What is WS Discovery Protocol
WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface.
This protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets. This is the reason, it is also known as SOAP-over-UDP.
How WS Discovery Protocol is ideal for DDoS attacks?
It's an UDP-based protocol, meaning the packet destination can be spoofed. An attacker can send a UDP packet to a device's WS-Discovery service with a forged return IP address. When the device sends back a reply, it will send it to the forged IP address, allowing attackers to bounce traffic on WS-Discovery devices, and aim it at the desired target of their DDoS attacks.
WS-Discovery response is more times greater than the initial input. This allows attackers to send an initial packet to a WS-Discover device, which bounces the response to a DDoS attack victim at multiple times its initial size.
There are some DDoS mitigation solutions are available in the market which can protect your network/device from future DDoS attacks.
You can also get in touch with us, we can help to protect your organization from future cyber attacks.