WSD DDoS Vector In The Wild

Well, it didn't take long for attackers to start exploiting the new WSD attack vector against our gaming and business clients. It was only recently published in an article by Akamai, and as of this morning (22/09/2019) it has been seen and mitigated by our Corero devices in Los Angeles, Sydney & Singapore. This blog post won't go into the technical details of the attack; the article by Akamai provides good insight into that.

What is WSD?

Web Services for Devices (WSD) is a Microsoft API that enables programmatic connections to web-service-enabled devices, such as printers, scanners and file shares. It communicates over source port 3702 and until recently hadn't been seen under active exploitation for use in DDoS attacks.

Why are attackers using WSD?

In short, it's due to the amplification possibilities of WSD. The vector has been noted to be the 4th highest amplification method, at 15,300%, trailing closely behind more traditional methods (DNS, NTP & LDAP).

What is Streamline Servers doing about it?

We had already developed and released a flex rule to cover the new WSD vector when we were first alerted to it. This morning's events were detected and mitigated using the new rule, and the targeted client's services saw no issues.
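One way to spot this traffic in flow data, as an added example (not Streamline Servers' or Corero's rule): count UDP packets arriving from source port 3702 that no local host solicited, per target and time window. The record layout, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

WSD_PORT = 3702       # source port of WSD replies, as stated in the post (WS-Discovery runs over UDP)
WINDOW_S = 10         # assumed aggregation window, in seconds
MIN_PPS = 1000        # assumed alert threshold, packets per second
MIN_REFLECTORS = 3    # assumed minimum number of distinct reply sources

# Constructed flow records: (ts, proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    (0, "udp", "198.51.100.10", 50000, "192.0.2.20", 3702, 1, 700),    # local host probes a printer
    (1, "udp", "192.0.2.20", 3702, "198.51.100.10", 50000, 2, 2400),   # solicited reply, ignored
] + [
    # unsolicited replies from four reflectors to one target, all in the 10-19 s window
    (12, "udp", f"203.0.113.{i}", 3702, "198.51.100.50", 27015, 5000, 6_000_000)
    for i in range(1, 5)
] + [
    (13, "udp", "203.0.113.9", 3702, "198.51.100.60", 27015, 3, 3600),  # stray reply, below threshold
]

def detect_wsd_reflection(flows, window_s=WINDOW_S, min_pps=MIN_PPS,
                          min_reflectors=MIN_REFLECTORS):
    """Return one alert per (target, window) flooded with unsolicited WSD replies."""
    probed = set()  # (local_ip, remote_ip) pairs where the local host sent a probe first
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for ts, proto, src, sport, dst, dport, pkts, nbytes in sorted(flows):
        if proto != "udp":
            continue
        if dport == WSD_PORT:
            probed.add((src, dst))
        if sport != WSD_PORT or (dst, src) in probed:
            continue  # not a WSD reply, or a reply the target asked for
        bucket = buckets[(dst, ts // window_s)]
        bucket["packets"] += pkts
        bucket["bytes"] += nbytes
        bucket["sources"].add(src)
    alerts = []
    for (dst, win), b in sorted(buckets.items()):
        pps = b["packets"] / window_s
        if pps >= min_pps and len(b["sources"]) >= min_reflectors:
            alerts.append({"target": dst, "window_start": win * window_s,
                           "pps": pps, "mbit_s": b["bytes"] * 8 / window_s / 1e6,
                           "reflectors": len(b["sources"])})
    return alerts

if __name__ == "__main__":
    for alert in detect_wsd_reflection(SAMPLE_FLOWS):
        print(alert)
```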

WSD Attack Size

While this morning's event was only small in the grand scheme of DDoS, peaking at 3.8Gbit/s and 580,000PPS, it shows the vector is now fully in the wild and we expect to see more of the attack.

WSD Attack Vector reported by Corero Mitigation Devices

 

WSD Attack Vector Size

 

If you would like to talk to our team about DDoS mitigation or services, please don't hesitate to reach out via our live chat.


Submitted at 22/09/2019, 14:33pm

Updated: at 22/09/2019, 14:38pm
