A Look Into WS-Discovery Reflection Attacks for 2020 Q1

A Look Into WS-Discovery Reflection Attacks for 2020 Q1

May 5, 2020 | Adeline Zhang

Executive Summary

Web Services Dynamic Discovery (WSD) is a multicast discovery protocol to locate services on a local area network (LAN). However, due to device vendors’ design flaw in the implementation, when a normal IP address sends a service discovery packet, devices will also respond to the request. If exposed on the Internet, these devices will be possibly exploited for DDoS reflection attacks. WSD-based reflection attacks were first disclosed by security researchers from Baidu in February 2019. Since the second half of 2019, this kind of attack has grown steadily. In its report[i], A10 Networks placed WSD in the third place on the list of reflection attack vectors in terms of quantity. According to the ranking results, the WSD protocol is next only to SNMP and SSDP, overtaking TFTP and DNS Resolver. We made an in-depth analysis of WSD reflection attacks in 2019[ii]. In view of the great damages incurred by this kind of attack, in this report, we update the exposure quantity and threat data of WSD and add the DDoS alert analysis by Cloud DPS to keep you informed about these attacks.

In brief, we have the following key findings:

  • Around the world, about 800,000 IP addresses (87.7%, or approximately 700,000, were video surveillance devices) provided the WSD service and were thus at risk of being exploited to launch DDoS attacks.
  • The top 5 countries with the most WSD-enabled devices were China, South Korea, Vietnam, Brazil, and the USA. Among these five countries, Vietnam was home to most video surveillance devices that had the WSD service publicly available.
  • Though almost a million IP addresses had the WSD service enabled, not many were actually involved in DDoS attacks. This is because most of IP addresses do not respond to short attack payloads. In last year’s report, we mentioned that only less than 30,000 IP addresses responded to three-byte attack payloads.
  • We made an analysis of DDoS alert logs from the dimensions of attack incident, source IP address, and victim and found that there was no obvious fluctuation in the victim quantity in 2020 Q1. Besides, we observed that compared with the first two months, March saw a dramatic increase in WSD-enabled IP addresses that were used for launching reflection attacks, with the highest record of 19,000 IP addresses in a single day.
  • According to data from Cloud DPS, a total of 13 countries suffered DDoS attacks and Brazil, with 41% of total victim IP addresses, was the most targeted.
  • In addition to reflection attacks, WSD-enabled IP addresses were also seen in many other types of DDoS attack. This somewhat suggests that devices with the WSD service enabled may contain other vulnerabilities that can be exploited to turn the devices into nodes of a botnet.
  • When conducting a WSD reflection attack, the perpetrator usually does not use legitimate service discovery packets as attack payloads, but attempts to craft very short payloads to attack the target. According to our last year’s report, most attack payloads contained three bytes, registered in two thirds of attack log messages. This year, however, witnessed a diversity of attack payloads, with five-byte attack payloads (27%) overtaking the three-byte ones (22.0%, second spot) as the most frequently used payloads.

1 Exposure of the WSD Service

Based on the complete data of the survey conducted by NSFOCUS Threat Intelligence (NTI) in March 2020, we made an analysis of the exposure of the WSD service.

Around the world, about 800,000 IP addresses (87.7% (or approximately 700,000) were video surveillance devices) provided the WSD service and were thus at risk of being exploited to launch DDoS attacks.

Compared with the data (in July 2019) in our last year’s report, the number of WSD-enabled IP addresses decreased by 110,000. As shown in Figure 1-1[1], video surveillance devices still took a dominant place and deserved our special attention.

Figure 1-1 Distribution of device types with the WSD service enabled

The top 5 countries with the most WSD-enabled devices were China, South Korea, Vietnam, Brazil, and the USA. Among these five countries, Vietnam had the most video surveillance devices that had the WSD service publicly available.

Here, we focus on top 15 countries with the most devices exposed, as shown in Figure 1-2. We found that 13 countries registered a decline (of several thousand or tens of thousands) in the exposure quantity, while South Korea and Iran saw more exposed devices, as compared with last year. The top 5 countries remained unchanged from the previous year, except that Source Korea rose from the fifth to second place. Figure 1-2 shows the global distribution of video surveillance devices with the WSD service publicly accessible. It can be seen that top 5 countries included China, South Korea, Vietnam, Brazil, and the USA.

Figure 1-2 Global distribution of WSD-enabled devices

Figure 1-3 Global distribution of WSD-enabled video surveillance devices

2 Analysis of WSD Reflection Attacks

In last year’s report, we analyzed the trend of WSD attacks based on the data from NSFOCUS’s threat hunting system. In this report, however, we use DDoS alert data in the Cloud DPS for analysis of the WSD attack trend which better aligns with the real global DDoS attack trend. In addition, we dissect changes to attack methods by reference to the alert data.

As WSD reflection attacks feature reply packets with random source ports, it is a tricky thing to identify this kind of attack. For this reason, we deduplicated NTI’s IP address data of five rounds of global scanning in the first quarter and analyzed WSD-enabled IP addresses (1,930,000) on the basis of such data. After that, we associated these IP addresses with the source IP addresses indicated in DDoS alerts to identify logs of WSD reflection attacks. Though devices’ IP addresses may vary from time to time, if an IP address is involved in DDoS attacks and identified having the WSD service enabled in the asset library, we deem that this IP address is highly likely to be used for WSD attacks. Also, we proved the rationality of this assumption by demonstrating the types of DDoS attacks that involved such IP addresses.

A total of 56,000[2] source IP addresses were indicated in DDoS alert logs, making up 2.9% of all IP addresses that had the WSD service publicly accessible. Obviously, though nearly a million IP addresses (based on data for a single round of global scanning) had the WSD service enabled, not many played a part in DDoS attacks. In last year’s report, we mentioned that attackers tended to launch DDoS attacks with three-byte payloads. Actually, only around 30,000 WSD services responded to these payloads. For DDoS attackers, these IP addresses are high-value WSD assets.

As shown in Figure 2-1, we analyzed the attack alert trend that shows a sharp increase of attack incidents[3] in March. Also, we counted source IP addresses seen in attack logs. As shown in Figure 2-2, March witnessed a surge in IP addresses used for WSD attacks, with the peak figure hitting 19,000 in a single day, as compared with the first two months when there were dozens of or hundreds of IP addresses engaging in WSD attacks each day. Apart from that, we analyzed the quantity trend of victims. Figure 2-3 shows that there was no apparent change in the number of victims. This reveals that attackers substantially increased WSD attacks against a stable quantity of victims.

Figure 2-1 Attack incident trend observed from alert logs

Figure 2-2 Quantity trend of source IP addresses indicated in alert logs

Figure 2-3 Quantity trend of victims indicated in alert logs

Figure 2-4 shows the global distribution of victims. It can be seen that a total of 13 countries[4] suffered attacks and Brazil, home to 41% of victim IP addresses, was the worst hit one.

Figure 2-4 Global distribution of victims indicated in alert logs

Figure 2-5 shows the global distribution of source IP addresses indicated in alert logs. This geographic distribution was nearly identical with that (Figure 1-2) of WSD-enabled devices, with most countries appearing in both distribution graphs. China, Vietnam, and South Africa had the most IP addresses that took part in DDoS attacks.

Figure 2-5 Global distribution of source IP addresses indicated in alert logs

Figure 2-6 shows the distribution of attack types indicated in alert logs. We found 56,000 IP addresses in alert logs and discovered that at least 77.7% of those addresses played a part in UDP reflection attacks. For attack types such as TRAFFIC Abnormal that are not easy to identify due to the ever-changing source port of reflection packets, we inferred that these attacks might well be reflection attacks. It should be noted that one IP address was likely to have a hand in more than one type of DDoS attacks. From Figure 2-6, we can see that other types of attack were far less active than UDP Flood and TRAFFIC Abnormal. This indicates that our data selection logic is trustworthy and our analysis based on this logic can reveal the actual trend of WSD reflection attacks. The occurrence of various attacks implies, to some extent, that WSD devices may contain other vulnerabilities that could reduce them to nodes of a botnet. This finding deserves our special attention.

Figure 2-6 Distribution of attack types indicated in alert logs

Figure 2-7 shows the distribution of WSD reflection attack payloads captured by NSFOCUS’s threat hunting system. Compared with the previous year, the year 2020 saw a variety of payloads. Besides, variants, i.e., payload3A and payload3B, emerged for payload3 (corresponding to payload3A in Figure 2-7) indicated in 2019 report. The difference of the two variants lies in the second byte which is “:” (0x3A in hexadecimal format) for payload3A, but a special character (0xAA in hexadecimal format) for payload3B.

According to our reports, Payload3A was the top payload with a percentage of 67.2% in 2019, but took the second spot with a percentage of 22.0% in 2020.

Figure 2-7 Distribution of WSD reflection attack payloads captured by NSFOCUS’s threat hunting system

3 Sum-up

We delved into WSD attacks in last year’s reportii. Here, we focus on the WSD exposure on the Internet and the resulting threats by reference to the data provided by Cloud DPS. At last, we give an analysis of attack methods used by perpetrators, with the support of data collected by NSFOCUS’s threat hunting system.

Security vendors are advised to:

  • Add the WSD scanning capability in scanning products to promptly discover security hazards in customers’ networks.
  • Add the WSD traffic detection capability in protection products to promptly discover security threats in customers’ networks. As devices may respond to WSD request packets with other source ports than port 3702, to counter a WSD reflection attack, it is necessary to detect packet signatures besides configuring a traffic control policy to block traffic from these ports. Associating with threat intelligence concerning IP addresses that use the WSD service is an alternative. In this way, packets with matching source IP addresses can be blocked.

Device vendors should design their products in such a way as to check whether WSD request packets are from multicast source IP addresses and, if not, ignore such packets. This will make it extremely difficult to exploit the WSD and SSDP services for launching reflection attacks.

The telecommunication operators should follow the BCP38 Network Ingress Filtering standard.

Watchdogs are advised to:

  • Monitor WSD-related threats in networks and make them known to the public once discovering any.
  • Promote security assessment of the WSD functionality in devices and forbid non-compliant devices to be sold on the market.

Device users are advised to:

  • Disable the WSD functionality if that is unnecessary.
  • Deploy WSD-enabled devices on LANs to maximize the difficulty of exploiting these devices.
  • If WSD-enabled devices have to be deployed on the Internet, deploy routers (NAT functionality required) or protective security devices (such as firewalls) before devices to control external access to devices.

Customers with the need of DDoS protection should purchase anti-DDoS products from security vendors that are capable of defending against WSD reflection attacks. If existing products support customization of application-layer signatures, it is advisable to add signature-based rules in addition to blocking source port 3702.

[1]Note: Only 162 projectors had the WSD service enabled, making up 0.0% of the total.

[2] The figure is based on deduplicated IP address data of five rounds of scanning.

[3] All persistent attacks against the same source IP address in a certain period of time add up to an attack incident.

[4] DDoS alert data is sourced from Cloud DPS, with domestic data excluded.

[i] The State of DDoS Weapons, Q4 2019, https://www.a10networks.com/marketing-comms/reports/state-ddos-weapons/

[ii] An Anatomy of WS-Discovery Reflection, https://nsfocusglobal.com/an-anatomy-of-ws-discovery-reflection/