Keeping Up with DDoS: Another Endless Front in the War

A few months ago, a friend suggested I donate money to Planned Parenthood in honor of a particular politician who shall remain nameless. The idea was to have this official, who is opposed to Planned Parenthood, get thousands of “thank you for your generous support” letters from an organization he wants to obliterate. Ha ha. That’ll teach him!

I didn’t do it, but it turns out the same mode of attack appeals to hackers. The digital version of this nuisance campaign is now being used to disrupt computer networks. It abuses the Web Services Dynamic Discovery (WS-Discovery) protocol: the attacker sends discovery requests with a forged source address, so that the replies from hundreds of thousands of devices land on some unlucky organization all at once. It is a newly weaponized form of Distributed Denial of Service (DDoS) reflection attack.

A10 Networks published a threat advisory about WS-Discovery in September. I spoke with Don Shin, Sr. Product Marketing Manager at A10, about it shortly afterward. Listening to the description of the attack vector, I found myself reliving an earlier time in my career, but in a bizarro world where everything good was now bad. Back in the early 2000s, when the tech world was positively on fire about the potential for SOAP-based Web Services and the Service-Oriented Architecture (SOA), I was VP of MarCom for a prominent, venture-backed company in the space.

SOA was the basis for an entire generation of service-oriented platforms such as Microsoft .NET, BEA (now Oracle) WebLogic, IBM WebSphere and SAP NetWeaver. The idea, revolutionary at the time, was to base all application integration on open XML standards rather than proprietary protocols.

It worked, up to a point. RESTful APIs have mostly taken over today, but many thousands of systems still use SOAP XML Web Services to exchange data and procedure calls. Unfortunately, one of the companion protocols from that era, WS-Discovery, is now being abused to mount DDoS attacks.

As Shin explained, hackers have seized on the WS-Discovery protocol for DDoS. WS-Discovery was designed as a way for systems to find Web Services on a local network, in keeping with the open, standards-based ethos of SOA. As a lot of sad experience has shown, however, openness can be exploited for malicious purposes. WS-Discovery runs SOAP over UDP on port 3702. A client multicasts a Probe message to the group address 239.255.255.250, and every listening device replies directly to the client with a ProbeMatch describing the services it offers. Two properties make this a reflection vector: the reply is considerably larger than the request, and a device whose UDP port 3702 is reachable from the internet will answer a unicast Probe from anyone, with no authentication.

Once obscure, WS-Discovery found an enriched life through ONVIF, an industry body of device makers such as Sony and Bosch, which uses the protocol so that IP cameras, video recorders and similar devices can discover each other on a network (Windows printers and scanners use it too, through Web Services on Devices). A ZDNet article explains this story in depth, if you’re interested. The big takeaway: at least 600,000 ONVIF-speaking devices are reachable on the internet, and an attacker can send spoofed Probes to all of them so that their replies blast a target at the same time. The XML excerpt in the figure shows what such a Probe looks like.

SOAP XML “envelope” of a WS-Discovery Probe, the message attackers send with a forged source address to turn exposed devices into DDoS reflectors (Source: A10 Networks)

The hacking technique involves sending a spoofed WS-Discovery Probe asking devices to confirm which Web Services they offer, with the target’s IP address forged as the source address of the UDP packet; the SOAP XML “envelope” itself need not mention the target at all. Every device that receives the Probe dutifully answers the target instead of the attacker. Like the Planned Parenthood thank-you notes, those answers crash into the target’s network and shut it down. But, not for long…
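To make the mechanics concrete, here is an added example of my own, not code from A10 or from the advisory. It parses a constructed WS-Discovery Probe and ProbeMatch to show that the reply outweighs the request, then runs a simple reflection detector over constructed flow records: the tell-tale sign is inbound UDP from source port 3702 to a host that never sent a Probe. The flow-record format, the thresholds and every address below are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WSD_PORT = 3702                   # WS-Discovery listens here (SOAP over UDP)
WSD_MCAST_V4 = "239.255.255.250"  # IPv4 multicast group a legitimate Probe is sent to

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSA_NS = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSD_NS = "http://schemas.xmlsoap.org/ws/2005/04/discovery"
PROBE_ACTION = WSD_NS + "/Probe"
PROBE_MATCHES_ACTION = WSD_NS + "/ProbeMatches"

# Constructed sample: the Probe a client sends to find devices (UUIDs made up).
SAMPLE_PROBE = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:a="{WSA_NS}" xmlns:d="{WSD_NS}">
  <s:Header>
    <a:Action>{PROBE_ACTION}</a:Action>
    <a:MessageID>urn:uuid:0a6dc791-2be6-4991-9af1-454778a1917a</a:MessageID>
    <a:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>
  </s:Header>
  <s:Body><d:Probe/></s:Body>
</s:Envelope>"""

# Constructed sample: the ProbeMatch an ONVIF camera would return to the sender.
SAMPLE_PROBE_MATCH = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:a="{WSA_NS}" xmlns:d="{WSD_NS}">
  <s:Header>
    <a:Action>{PROBE_MATCHES_ACTION}</a:Action>
    <a:MessageID>urn:uuid:5b9c6e2a-1f3e-4c5d-8a7b-2d4e6f8a9b0c</a:MessageID>
    <a:RelatesTo>urn:uuid:0a6dc791-2be6-4991-9af1-454778a1917a</a:RelatesTo>
    <a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
  </s:Header>
  <s:Body>
    <d:ProbeMatches>
      <d:ProbeMatch>
        <a:EndpointReference><a:Address>urn:uuid:9f0c1a2b-3d4e-5f60-7182-93a4b5c6d7e8</a:Address></a:EndpointReference>
        <d:Types>dn:NetworkVideoTransmitter</d:Types>
        <d:Scopes>onvif://www.onvif.org/type/video_encoder onvif://www.onvif.org/name/ExampleCam onvif://www.onvif.org/hardware/Constructed</d:Scopes>
        <d:XAddrs>http://192.0.2.20/onvif/device_service</d:XAddrs>
        <d:MetadataVersion>1</d:MetadataVersion>
      </d:ProbeMatch>
    </d:ProbeMatches>
  </s:Body>
</s:Envelope>"""


def wsd_action(envelope: str) -> str:
    """Return the wsa:Action of a WS-Discovery SOAP envelope ('' if absent)."""
    root = ET.fromstring(envelope)
    act = root.find(f"{{{SOAP_NS}}}Header/{{{WSA_NS}}}Action")
    return (act.text or "").strip() if act is not None else ""


def amplification_factor(probe: str, match: str) -> float:
    """Bytes on the wire for the reply divided by bytes for the request."""
    return len(match.encode()) / len(probe.encode())


def _flow(src, sport, dst, dport, nbytes, proto="udp"):
    # Assumed NetFlow-like record shape; one record per unidirectional flow.
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed flow records: one legitimate LAN discovery, some TCP noise,
# and 30 internet cameras answering a Probe the victim never sent.
SAMPLE_FLOWS = [
    _flow("10.0.0.5", 49152, WSD_MCAST_V4, WSD_PORT, 500),
    _flow("10.0.0.20", WSD_PORT, "10.0.0.5", 49152, 1800),
    _flow("10.0.0.5", 50000, "10.0.0.7", 443, 4000, proto="tcp"),
] + [_flow(f"198.51.100.{i}", WSD_PORT, "203.0.113.10", 80, 3000) for i in range(1, 31)]


def detect_reflection(flows, min_sources=20, min_ratio=5.0):
    """Flag hosts receiving UDP from port 3702 out of proportion to what they sent to it.

    A legitimate client sends one Probe and gets replies from a handful of
    devices; a reflection victim gets replies from many devices while having
    sent nothing (ratio treated as infinite). Thresholds are assumptions.
    """
    in_bytes, in_sources, out_bytes = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == WSD_PORT:
            in_bytes[f["dst"]] += f["bytes"]
            in_sources[f["dst"]].add(f["src"])
        if f["dport"] == WSD_PORT:
            out_bytes[f["src"]] += f["bytes"]
    alerts = {}
    for host, srcs in in_sources.items():
        sent = out_bytes.get(host, 0)
        ratio = in_bytes[host] / sent if sent else float("inf")
        if len(srcs) >= min_sources and ratio >= min_ratio:
            alerts[host] = {"reflectors": len(srcs), "bytes_in": in_bytes[host],
                            "bytes_out": sent, "ratio": ratio}
    return alerts


if __name__ == "__main__":
    print("probe action:", wsd_action(SAMPLE_PROBE))
    print("reply/request size ratio: %.1fx" % amplification_factor(SAMPLE_PROBE, SAMPLE_PROBE_MATCH))
    for host, info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"reflection victim {host}: {info}")
```

The detector keys on direction rather than on payload, which is deliberate: by the time ProbeMatches arrive at a victim, parsing the XML tells you nothing you did not already know from the source port. A network that does not operate ONVIF devices at its edge can simply drop inbound UDP with source port 3702 at the border, and anyone running such cameras should make sure UDP 3702 is not reachable from the internet, which removes them from the pool of reflectors.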

For companies like A10, the WS-Discovery attack is just one more DDoS threat vector to mitigate. The A10 suite draws on threat intelligence covering a slew of such attack techniques. Now that the WS-Discovery vector is known, the A10 technology can detect an incipient WS-Discovery attack and shut it down before it has an impact. The company also maintains a database of suspicious IP addresses and other elements that may make up a DDoS attack.

“We take a proactive approach,” said Shin. “Our knowledge base of DDoS attackers is always expanding. It’s a constant battle, but we are always getting better at removing ‘dirty traffic’ from the network. This now includes defending against WS-Discovery attacks.”