September 20, 2019
On Wednesday, researchers at Akamai disclosed what is believed to be the
fourth most prominent DDoS (Distributed Denial of Service) attack the company
has ever recorded, carried out through the dreaded WSD (WS-Discovery) exploit
over the UDP protocol.
WSD is a connectivity technology found on consumer devices of several kinds.
According to Jonathan Respeto, an engineer with Akamai's Security Intelligence
Response Team, the attack targeted an Akamai client in the gaming industry.
Investigators and specialists explained that any attack on a network that
takes advantage of the WSD vulnerability could be devastating, as it can reach
amplification rates of more than 15,000 percent of the initial byte size.
The WS Discovery
WS-Discovery probes are commonly implemented by machines on a LAN as a way to
discover and configure specific services and devices. For example, if you have
ever wondered how a Windows computer spots and sets up a printer connected to
the network, it is through the
However, WSD is prone to abuse by attackers for malicious purposes, because a
malformed 29-byte payload is enough to trigger an XML error response from the
WSD service, per the Akamai report.
The report stresses that sometimes all that is needed is an 18-byte payload, a
probe that is 43% smaller than the regular one and 900% smaller than the
minimum one considered valid. Granted, it triggers a smaller reply, but it
still comes with a huge amplification ratio that is just as dangerous.
Akamai explains that a padding-overflow approach pads the error response to
2,762 bytes, enough to multiply the amplification factor and take it to 15,300
percent. Respeto said that several hackers have already started leveraging WSD
to power their DDoS attacks.
An Omnipresent Threat
Yet the real factor that makes WSD so dangerous and hard to stop is that the
technology behind it is omnipresent: it can be found in a great many
internet-connected devices, operating systems, HP printers, and other
appliances. Recently, it was reported that more than 600,000 devices use the
technology, which means that a broad universe of machines could be threatened
by a potential DDoS attack.
Another cause for concern is that WSD is very easy to exploit because of poor
implementations, since WSD was never originally destined to face the web. In
fact, it was born prior to the digital,
Companies started to manufacture hardware with the poorly implemented service,
but what nobody was counting on was that users, after acquiring the appliances
and devices, would deploy them all over the web. Without knowing it, they
introduced a new threat in the form of a DDoS reflection vector, according to
Respeto.
Respeto went on to warn the Internet community that WSD-leveraged attacks can
be devastating, and that hackers don't need many resources to mount an
offensive against an entity.
A Stateless Protocol
A targeted victim can see its bandwidth abused by a WSD-centered attack because
requests to the WSD service can be spoofed, given that UDP is a stateless
protocol. If the source address is spoofed, the responding server sends its
replies to the victim, and enough of them will collapse the whole system.
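The mechanics described above (a tiny probe, a large XML error reply, and a spoofed source so the reply lands on the victim) give a defender a simple signature: the victim sees UDP traffic sourced from port 3702 on many unrelated hosts, with reply sizes far above any probe. The following is an added example, not Akamai's tooling or code from the report; it assumes a NetFlow-like one-line record format and uses constructed sample records with documentation IP ranges.

```python
"""Illustrative detection of WS-Discovery (WSD) reflection traffic in flow records
(not Akamai's tooling): a victim sees many UDP flows *from* port 3702 on unrelated
hosts, each carrying large XML error responses instead of its own probes."""
import re
from collections import defaultdict

WSD_PORT = 3702
PROBE_BYTES = 18      # smallest malformed probe reported to trigger a reply
ALERT_RATIO = 20.0    # alert when avg bytes/packet exceeds 20x the probe size
# Constructed records in an assumed, NetFlow-like one-line format.
SAMPLE_FLOWS = """\
udp 203.0.113.7:3702 -> 198.51.100.5:41234 pkts=120 bytes=331440
udp 203.0.113.9:3702 -> 198.51.100.5:41234 pkts=95 bytes=262390
udp 192.0.2.10:3702 -> 192.0.2.11:49152 pkts=2 bytes=1800
udp 198.51.100.20:53 -> 198.51.100.5:41234 pkts=50 bytes=6000
"""
FLOW_RE = re.compile(r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+)$")

def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                d[k] = int(d[k])
            yield d

def amplification_percent(request_bytes, response_bytes):
    """Reply size as a percentage of the request size (18 -> 2762 is ~15,300%)."""
    return 100.0 * response_bytes / request_bytes

def detect_wsd_reflection(flows, min_reflectors=2):
    """Aggregate UDP flows sourced from port 3702 per destination and flag victims."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"].lower() != "udp" or f["sport"] != WSD_PORT:
            continue  # not a WSD reply; ordinary DNS etc. is never counted
        v = per_dst[f["dst"]]
        v["reflectors"].add(f["src"])
        v["pkts"] += f["pkts"]
        v["bytes"] += f["bytes"]
    alerts = {}
    for dst, v in per_dst.items():
        avg = v["bytes"] / v["pkts"]   # mean reply size seen by this destination
        if len(v["reflectors"]) >= min_reflectors and avg >= ALERT_RATIO * PROBE_BYTES:
            alerts[dst] = {"reflectors": len(v["reflectors"]), "avg_reply_bytes": round(avg, 1),
                           "est_amplification_pct": round(amplification_percent(PROBE_BYTES, avg))}
    return alerts
```

On the sample records only 198.51.100.5 is flagged: the single small LAN flow to 192.0.2.11 fails the reflector-count threshold, and the port 53 flow is not WSD traffic at all.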
Although the WSD-related vulnerability has existed for quite some time, hackers
and cybercriminals around the world are now aware that they can leverage the
technology to perform large-scale DDoS attacks.
The scariest part is that companies can't do much about the situation: per
Respeto, they can only wait patiently for vulnerable devices, which have a
lifespan of 10 to 15 years, to slowly disappear, and hope that the next batch
that replaces them is safer.