The Web Services Dynamic Discovery (WS-Discovery) protocol could be exploited to launch large-scale DDoS attacks, security researchers are reporting.
What is the WS-Discovery protocol?
The WS-Discovery protocol is described as a technical specification that defines a multicast discovery protocol to locate services on a local network. It operates over TCP and UDP port 3702 and uses IP multicast address 220.127.116.11. The communication between nodes is done using web services standards, such as SOAP-over-UDP.
Even though the protocol is neither that common nor that popular, it has been adopted by ONVIF, an “open industry forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products”. Among ONVIF members are large companies such as Sony, Bosch, and Axis, who utilize ONVIF standards in their products.
630,000 ONVIF-based devices running the WS-Discovery protocol at risk
Furthermore, ONVIF has recommended the WS-Discovery protocol for device discovery. Long story short, the protocol has been used in a series of products, including IP cameras, printers, and various home appliances. To be more precise, a BinaryEdge search reveals that there are approximately 630,000 ONVIF-based devices running the WS-Discovery protocol.
There is evidence that the protocol is now being exploited by threat actors for DDoS attacks, ZDNet reported. This is not the first wave of such attacks, as researchers detected malicious activity back in May. The current attacks are not that large either, with a maximum of 40 Gbps and amplification factors of up to 10, but the potential attack surface is alarming.
The large number of devices currently exposing the WS-Discovery port 3702 on the internet will definitely trigger a new wave of mass-scale attacks, researchers warned.
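One way a network owner could spot their own devices answering WS-Discovery from the internet, as an added example that is not part of the original article: it scans flow records for UDP port 3702 exchanges that cross the network boundary and reports the response-to-request byte ratio per device. The flow tuple layout, the `10.0.0.0/8` internal range, the `min_ratio` threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # WS-Discovery port named in the article

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flows (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40001, "10.0.5.20", 3702, "udp", 180),   # external probe
    ("10.0.5.20", 3702, "198.51.100.7", 40001, "udp", 1750),  # large reply
    ("198.51.100.7", 40002, "10.0.5.20", 3702, "udp", 180),
    ("10.0.5.20", 3702, "198.51.100.7", 40002, "udp", 1850),
    ("10.0.5.31", 51000, "10.0.5.40", 3702, "udp", 200),      # LAN-only discovery
    ("10.0.5.40", 3702, "10.0.5.31", 51000, "udp", 1500),
    ("203.0.113.9", 5555, "10.0.5.50", 3702, "udp", 180),     # probe, no reply seen
    ("10.0.5.60", 50222, "192.0.2.10", 443, "tcp", 900),      # unrelated traffic
]

def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def find_reflectors(flows, nets, min_ratio=2.0):
    """Return {device_ip: (bytes_in, bytes_out, ratio)} for internal devices
    that answer WS-Discovery requests arriving from outside the network."""
    stats = defaultdict(lambda: [0, 0])  # device -> [request bytes, reply bytes]
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        src_in, dst_in = is_internal(src, nets), is_internal(dst, nets)
        if dport == WSD_PORT and dst_in and not src_in:
            stats[dst][0] += nbytes   # request from outside to a device
        elif sport == WSD_PORT and src_in and not dst_in:
            stats[src][1] += nbytes   # device reply leaving the network
    findings = {}
    for device, (b_in, b_out) in stats.items():
        # Flag only devices that both received and answered external requests.
        if b_in and b_out and b_out / b_in >= min_ratio:
            findings[device] = (b_in, b_out, round(b_out / b_in, 2))
    return findings

if __name__ == "__main__":
    for device, (b_in, b_out, ratio) in find_reflectors(SAMPLE_FLOWS, INTERNAL_NETS).items():
        print(f"{device}: {b_in} B in, {b_out} B out, amplification x{ratio}")
```

Any device this reports is reachable on port 3702 from outside and should have that port filtered at the network edge, since discovery is only meant to serve the local network.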