Clever New DDoS Attack Gets a Lot of Bang for a Hacker’s Buck
Credit to Author: Lily Hay Newman| Date: Wed, 18 Sep 2019 13:00:00 +0000
By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return.
One of the trickiest things about stopping DDoS attacks is that hackers constantly develop new variations on familiar themes. Take a recent strike against an unnamed gaming company, which used an amplification technique to turn a relatively tiny jab into a digital haymaker.
On Wednesday, researchers from Akamai's DDoS mitigation service Prolexic detailed a 35 gigabit per second attack against one of its clients at the end of August. Compared to the most powerful DDoS attacks ever recorded, which have topped 1 terabit per second, that might not sound like a lot. But the attackers used a relatively new technique—one that can potentially yield a more than 15,000 percent rate of return on the junk data it spews at a victim.
The new type of attack feeds on vulnerabilities in the implementation of the Web Services Dynamic Discovery protocol. WS-Discovery lets devices on the same network communicate, and can direct them all to ping one location or address with details about themselves. It's meant to be used internally on local access networks, not the rollicking chaos monster that is the public internet. But Akamai estimates that as many as 800,000 devices exposed on the internet can receive WS-Discovery commands. Which means that by sending "probes," a kind of roll-call request, you can generate and direct a firehose of data at targets.
"There's a huge pool of vulnerable devices sitting out there waiting to be abused."
Chad Seaman, Akamai
Attackers can manipulate WS-Discovery by sending these specially crafted malicious protocol requests to vulnerable devices like CCTV cameras and DVRs. And because WS-Discovery is built on a network communication protocol known as User Datagram Protocol, the probes can spoof their IP address to make it look like the request came from a target's network. It's a bait and switch; the devices that receive the commands will send their unwanted replies to the DDoS target instead of the attacker.
"It’s like somebody sitting over here to your left and they reach behind your back, smack the guy on your right side in the head, and then he looks over at you and you look at him and he clocks you in the face, because he thought you were the person that hit him," says Chad Seaman, senior engineer on Akamai's security intelligence response team. "This is a really classic reflection attack. And there's a huge pool of vulnerable devices sitting out there waiting to be abused."
By implementing WS-Discovery without protections on devices that will be exposed to the public internet, manufacturers have inadvertently built a population of devices that can be abused to generate DDoS attacks.
"DDoS attacks abusing the WS-Discovery protocol have increased," says security researcher Troy Mursch. "The notable thing here is the amount of vulnerable hosts that can be abused and the large amplification factor that enables crippling attacks."
The spoofing enabled by UDP makes it difficult for defenders to see exactly what commands attackers send in any specific reflection DDoS. So the Akamai researchers don't know specifically what was in the tailored packets hackers sent to trigger the attack on the gaming client. But in its own research, the Akamai team was able to craft smaller and smaller exploits that would generate larger and larger attacks. Criminal hackers are likely not far behind. The Akamai researchers also point out that if botnet operators start automating the process of generating WS-Discovery DDoS attacks, the barrages will crop up even more. Mursch says he sees evidence that's already happening.
Akamai Prolexic fended off the 35 Gbps attack, and its client didn't have any downtime during the assault. But the researchers say that the industry needs to be prepared for bigger versions in the future. As with the infamous Mirai botnet that conscripted vulnerable Internet of Things devices to join a zombie gadget army, it will be difficult to fix the population of exposed WS-Discovery devices that's already out there.
And though video game platforms are some of the most popular targets for DDoS attacks, it's not unheard of for a surprise technique to catch defenders off guard and lead to downtime. At the beginning of September, for example, Blizzard's immensely popular World of Warcraft Classic went down sporadically for hours because of a DDoS attack. And the massive 2016 DDoS attacks that took down internet giants like Dyn and OVH were originally launched to target Minecraft.
"With gaming, they are one of our most frequently attacked industries," Akamai's Seaman says. "We have a handful of different gaming customers that we protect and we basically see the full gamut of all the different attack vectors and exploratory attacks through them. So it’s not surprising to see them being the first ones being targeted with a new vector."
The fear about WS-Discovery DDoS attacks, though, is that the gaming industry won't be the last target.