Protocol used by 630,000 devices can be abused for devastating DDoS attacks


Level 56
Content Creator
Dec 30, 2012
Security researchers are sounding the alarm about the Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol, which they say can be abused to launch pretty massive DDoS attacks.
ZDNet first learned that this protocol was being used to launch DDoS attacks back in May, but we decided not to publish anything about it, to avoid bringing unnecessary attention to a protocol that was ripe for abuse but was still flying under the radar.
However, during the recent month, multiple threat groups have started abusing the protocol, and WS-Discovery-based DDoS attacks have now become a weekly occurrence.
WS-Discovery is a multicast protocol that can be used on local networks to "discover" other nearby devices that communicate via a particular protocol or interface.
Most notably, the protocol is used to support inter-device discovery and communications via the SOAP messaging format, using UDP packets -- hence why it's sometimes referred to as SOAP-over-UDP.
WS-Discovery is not a common or well-known protocol, but it's been adopted by ONVIF, an industry group that promotes standardized interfaces for interoperability of networked products.
ONVIF members include Axis, Sony, Bosch, and others, who use ONVIF standards as the basis for their products. Since the mid-2010s, the group's standard has recommended the WS-Discovery protocol for device discovery as part of plug-and-play interoperability [page 9].
As part of this sustained standardization effort, the protocol has made it into a slew of products that include anything from IP cameras to printers, and from home appliances to DVRs. Currently, according to internet search engine BinaryEdge, there are now nearly 630,000 ONVIF-based devices that support the WS-Discovery protocol and are ripe for abuse.