WS-Discovery-Based DDoS Attacks

In May, security researchers at ZeroBS discovered that the WS-Discovery protocol was being exploited to launch small DDoS attacks. However, threat actors are now conducting massive attacks and have affected nearly 630,000 ONVIF devices, including IP cameras, printers, home appliances, and DVRs. The Web Services Dynamic Discovery (WS-DD, WSD, or WS-Discovery) protocol is a multicast protocol used on local networks to discover other nearby devices. The WS-Discovery protocol is ideal for launching DDoS attacks as packet source addresses can be spoofed and the response is larger than the initial input. The NJCCIC recommends users and administrators block port 3702 traffic from the internet for devices inside of their network. For more technical details, please review the ZeroBS article and the ZDNet article.