Protocol used by 630,000 devices can be abused for devastating DDoS attacks
A relatively unknown UDP protocol puts around 630,000 Internet-connected devices at risk of disruptive DDoS attacks, security researchers warn. The vulnerable Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol is used for device discovery in products from companies such as Axis, Sony and Bosch that follow the ONVIF standards.
The protocol can be abused by threat actors to carry out DDoS attacks because of a combination of flaws. First, WSD runs over UDP, which has no handshake to verify who sent a packet, so attackers can spoof the source address of packets sent to a device's WS-Discovery service: the device then sends its replies to whatever address was written into the packets, which can be a third-party system the attacker wants to overwhelm with traffic. Second, WSD responses are far larger than the requests that trigger them, so the traffic bounced off a WS-Discovery device is amplified, which makes powerful DDoS attacks possible.
Companies can protect themselves against WSD attacks by blocking incoming traffic to UDP port 3702, the default WS-Discovery port, at the network edge so that their devices are not reachable as reflectors from the Internet.
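As an added example (not from the article or any vendor), the following defender-side script reads exported flow records and flags internal hosts that answer WS-Discovery probes from the public Internet, reporting the bytes-out to bytes-in ratio per external peer, which is the amplification described above. The flow format, the internal prefixes, the alert threshold and the sample records are all constructed assumptions.

```python
"""Flag WS-Discovery (UDP/3702) reflection activity in flow records.

Added example, not code from the original article. Flow field layout, internal
prefixes, threshold and sample records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

WSD_PORT = 3702
RATIO_ALERT = 10.0  # assumed threshold: responses-to-requests byte ratio
# Assumed internal address space (RFC 1918); adapt to your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
udp,203.0.113.7,40000,192.168.1.20,3702,90
udp,192.168.1.20,3702,203.0.113.7,40000,1500
udp,203.0.113.7,40001,192.168.1.21,3702,90
udp,192.168.1.21,3702,203.0.113.7,40001,1450
udp,192.168.1.5,52000,192.168.1.20,3702,90
udp,192.168.1.20,3702,192.168.1.5,52000,1500
tcp,198.51.100.9,51000,192.168.1.20,80,500
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def wsd_reflection_report(flows: str, ratio_alert: float = RATIO_ALERT) -> dict:
    """Per external peer: request bytes in, response bytes out, reflector count,
    amplification ratio and whether it crosses the alert threshold."""
    stats = defaultdict(lambda: {"requests": 0, "responses": 0, "reflectors": set()})
    for line in flows.strip().splitlines():
        proto, src, sport, dst, dport, nbytes = line.split(",")
        if proto != "udp":
            continue  # WS-Discovery multicast/unicast probes are UDP only
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        if dport == WSD_PORT and not is_internal(src) and is_internal(dst):
            stats[src]["requests"] += nbytes      # probe from the Internet
        elif sport == WSD_PORT and is_internal(src) and not is_internal(dst):
            stats[dst]["responses"] += nbytes     # reply leaving to the Internet
            stats[dst]["reflectors"].add(src)     # the spoofed "victim" gets this
    report = {}
    for ip, s in stats.items():
        # Replies with no matching request also deserve an alert (spoofed probes
        # may not be sampled), so an unbounded ratio is treated as alerting.
        ratio = s["responses"] / s["requests"] if s["requests"] else float("inf")
        report[ip] = {"requests": s["requests"], "responses": s["responses"],
                      "reflectors": len(s["reflectors"]), "ratio": ratio,
                      "alert": ratio >= ratio_alert}
    return report
```

Internal-to-internal discovery traffic is intentionally ignored, since WS-Discovery is legitimate on the LAN; the signal is the protocol crossing the Internet boundary.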