Massive Gaming DDoS Exploits Widespread Technology

The attack — the 4th-largest the company has ever encountered — leveraged WS-Discovery, which is found “everywhere.”


Akamai Wednesday revealed that it’s witnessed the fourth-largest DDoS attack the company has ever encountered, leveraging a widespread and highly exploitable UDP amplification technique known as WS-Discovery (WSD).

The attack, which abused WSD (a network discovery and connectivity technology used by consumer devices), targeted one of Akamai’s customers in the gaming industry, according to a blog post attributed to Akamai Security Intelligence Response Team Engineer Jonathan Respeto.

Attacks using this method are a critical concern for two key reasons, researchers said. The first is volume: WSD reflection allows for high-volume attacks, with amplification rates of up to 15,300 percent of the original byte size.

WSD has probes that machines on a LAN use to discover and configure devices and services. For instance, WSD is how a modern Windows machine automatically finds and configures networked printers. Attackers abuse WSD by triggering an XML error response from the service, which can be done by sending a 29-byte malformed payload, according to Akamai.

“In some cases, an 18-byte payload can be used. The 18-byte probe is 43 percent smaller than the default and 900 percent smaller than the minimal valid probe,” according to the blog post. “While the response it triggers is also smaller, it still packs a massive amplification ratio.”

With overflow padding techniques, it’s possible to pad the error response to 2,762 bytes, which results in an amplification factor of 15,300 percent, according to Akamai.

“Multiple threat actors have begun to leverage this DDoS method to ramp up their attacks,” Respeto wrote.

However, the other reason companies have cause for worry is that WSD is a fairly ubiquitous technology — found in everything from HP printers since 2008 to Microsoft Windows OSes since Vista to myriad IoT devices. Indeed, a recent report estimated that about 630,000 devices use WSD, leaving plenty of targets at risk.

Moreover, WSD is easily exploited due to poor implementation because — like many LAN-centric technologies that were born before the era of constant connectivity — WSD was “never meant to live on the internet,” Respeto wrote.

“As manufacturers pushed out hardware with this service (improperly) implemented, and users deployed this hardware across the internet, they’ve inadvertently introduced a new DDoS reflection vector that has already begun to see abuse,” he wrote.

Indeed, while WSD attacks have a high impact, it takes little effort for attackers to leverage the technique, Respeto warned.

“Since UDP is a stateless protocol, requests to the WSD service can be spoofed,” he wrote in the post. “This ultimately causes the impacted server, or service, to send responses to the intended victim, consuming large amounts of the target’s bandwidth.”
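The spoofed-request pattern Respeto describes leaves a recognisable trace on the victim's side: UDP replies arriving from the WSD service port that no local host ever solicited. The following is an added example, not Akamai's or Threatpost's code; it assumes WSD's standard UDP port 3702 (the article does not name the port), NetFlow-style records constructed inline, and uses the 29-byte malformed probe size from the article to estimate amplification per reply.

```python
"""Flag likely WS-Discovery (WSD) reflection traffic in flow records.

Added example, not code from Akamai or Threatpost. Assumes WSD listens on
UDP port 3702 and that flow records are (src, sport, dst, dport, proto,
bytes, packets) tuples, as in NetFlow-style exports.
"""
from collections import defaultdict

WSD_PORT = 3702           # standard WS-Discovery UDP port (assumption)
PROBE_MAX_BYTES = 29      # malformed probe size cited by Akamai
AMP_ALERT_RATIO = 10.0    # estimated amplification worth alerting on

# Constructed sample flows: (src, sport, dst, dport, proto, bytes, packets)
SAMPLE_FLOWS = [
    # our host 198.51.100.10 never probed these devices, yet each sends
    # ~2,762-byte replies from udp/3702: the reflection-victim pattern
    ("203.0.113.5", 3702, "198.51.100.10", 41000, "udp", 276200, 100),
    ("203.0.113.7", 3702, "198.51.100.10", 41000, "udp", 138100, 50),
    # legitimate LAN discovery: our probe goes out first, reply comes back
    ("198.51.100.10", 50000, "198.51.100.20", 3702, "udp", 2900, 100),
    ("198.51.100.20", 3702, "198.51.100.10", 50000, "udp", 40000, 100),
    # unrelated traffic
    ("198.51.100.10", 55000, "203.0.113.9", 443, "tcp", 9000, 20),
]


def wsd_reflection_suspects(flows, local_prefix="198.51.100."):
    """Return {reflector_ip: estimated_amplification} for hosts that send
    us udp/3702 traffic none of our hosts ever solicited."""
    solicited = set()                        # ips our hosts probed on udp/3702
    inbound = defaultdict(lambda: [0, 0])    # ip -> [bytes, packets]
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if src.startswith(local_prefix) and dport == WSD_PORT:
            solicited.add(dst)
        elif dst.startswith(local_prefix) and sport == WSD_PORT:
            inbound[src][0] += nbytes
            inbound[src][1] += pkts
    suspects = {}
    for ip, (nbytes, pkts) in inbound.items():
        if ip in solicited or pkts == 0:
            continue
        # Each unsolicited reply answers a spoofed probe of at most
        # PROBE_MAX_BYTES, so bytes-per-packet / 29 estimates amplification.
        ratio = (nbytes / pkts) / PROBE_MAX_BYTES
        if ratio >= AMP_ALERT_RATIO:
            suspects[ip] = round(ratio, 1)
    return suspects
```

Feeding real flow exports through this check gives a list of reflectors to rate-limit at the edge and an estimated amplification to hand to the mitigation provider.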

Reflection of this kind is a very common DDoS approach, Akamai told Threatpost, and it has led to severe consequences, such as the infamous 2016 cyberattack on DNS provider Dyn, which targeted a number of high-profile Dyn clients, including Twitter, Spotify and GitHub, and took swathes of the internet offline.

With bad actors and organizations alike now aware of how WSD can be used to launch DDoS attacks on an unprecedented scale, the question remains what organizations can do to prevent these attacks.

According to Akamai’s Respeto, the answer is: not much. “The only thing we can do now is wait for devices that are meant to have a 10- to 15-year life to die out, and hope that they are replaced with [a] more secured version,” he wrote.

In the meantime, with the threat of such attacks looming, Akamai recommends organizations be ready to route traffic to their DDoS mitigation provider in case they’re hit with a WSD-based DDoS attack, the likelihood of which is on the rise.

“We expect that attackers will waste little time in leveraging WSD for use as a reflection vector,” Respeto wrote.

UPDATE 11:29 a.m. ET: This post previously stated that Akamai researchers said that WSD is the technology exploited in Dyn attack. Threatpost reached out to Akamai to clarify the role of WSD in the Dyn attack and has updated the post accordingly.
