[Emerging-Sigs] WS-Discovery Reflective DDoS

Jake Warren jake.warren at masergy.com
Wed Aug 28 10:34:09 HDT 2019


Hello all,

Submitting a rough rule for WSDD reflective DDoS attacks. I could use some
help testing/refining the rule. I would also like to have a rule to detect
devices responding & participating in the attack but I am not sure the best
way to go about it; maybe trigger on services responding with multiple
fault messages, or SOAP messages to outbound service ports (1:1024).

# NOTE: needs testing to determine threshold
alert udp $EXTERNAL_NET any -> $HOME_NET 3702 (msg:"WSDD DDoS Amp In (PoC-based)"; dsize:3; content:"|3c aa 3e|"; reference:url,zero.bs/new-ddos-attack-vector-via-ws-discoverysoapoverudp-port-3702.html; sid:1; rev:1;)

References:
https://zero.bs/new-ddos-attack-vector-via-ws-discoverysoapoverudp-port-3702.html
https://www.zdnet.com/article/protocol-used-by-630000-devices-can-be-abused-for-devastating-ddos-attacks/

Thanks,
Jake Warren
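Since the post asks for help testing the rule and for a way to spot devices that answer the probes, here is an added Python example (not from the post or from the Emerging Threats rule set) that applies both checks to constructed datagrams: the inbound PoC-probe match from the rule above, and the outbound SOAP-to-low-port idea with a per-host reply count and a bytes-out/bytes-in ratio per spoofed victim. The $HOME_NET value, the reply threshold and the "Envelope" marker used to recognise a SOAP reply are assumptions.

```python
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed value for $HOME_NET
WSDD_PORT = 3702
PROBE_BYTES = b"\x3c\xaa\x3e"         # the |3c aa 3e| content from the posted rule
SERVICE_PORTS = range(1, 1025)        # the outbound 1:1024 range from the post
REPLY_THRESHOLD = 3                   # placeholder; the post says the threshold needs testing
Datagram = namedtuple("Datagram", "src sport dst dport payload")

def is_amp_probe(d):
    # Mirror of the posted rule: external -> $HOME_NET 3702, dsize 3, content |3c aa 3e|.
    # In a reflection attack d.src is the spoofed victim, not the attacker.
    return (ip_address(d.src) not in HOME_NET and ip_address(d.dst) in HOME_NET
            and d.dport == WSDD_PORT and len(d.payload) == 3 and d.payload == PROBE_BYTES)

def is_soap_reply_to_service_port(d):
    # The post's outbound idea: $HOME_NET 3702 -> external port 1:1024 carrying SOAP.
    # Matching on a SOAP Envelope tag is an assumed heuristic, not from the post.
    return (ip_address(d.src) in HOME_NET and ip_address(d.dst) not in HOME_NET
            and d.sport == WSDD_PORT and d.dport in SERVICE_PORTS
            and b"Envelope" in d.payload)

def detect(datagrams, threshold=REPLY_THRESHOLD):
    """Return (victim IPs spoofed in probes, internal hosts replying >= threshold
    times to low ports, bytes-out/bytes-in amplification ratio per victim)."""
    victims, replies, bytes_in, bytes_out = set(), Counter(), Counter(), Counter()
    for d in datagrams:
        if is_amp_probe(d):
            victims.add(d.src)
            bytes_in[d.src] += len(d.payload)
        elif is_soap_reply_to_service_port(d):
            replies[d.src] += 1
            bytes_out[d.dst] += len(d.payload)
    responders = {h for h, n in replies.items() if n >= threshold}
    ratio = {v: bytes_out[v] / bytes_in[v] for v in victims}
    return victims, responders, ratio

# Constructed traffic, not from a real capture: a 1500-byte SOAP reply and six datagrams.
SOAP_REPLY = b'<?xml version="1.0"?><soap:Envelope>' + b"x" * 1448 + b"</soap:Envelope>"
SAMPLE = [
    Datagram("203.0.113.5", 80, "10.1.1.20", WSDD_PORT, PROBE_BYTES),      # PoC probe, spoofed src
    Datagram("10.1.1.20", WSDD_PORT, "203.0.113.5", 80, SOAP_REPLY),       # reflected reply x3
    Datagram("10.1.1.20", WSDD_PORT, "203.0.113.5", 80, SOAP_REPLY),
    Datagram("10.1.1.20", WSDD_PORT, "203.0.113.5", 80, SOAP_REPLY),
    Datagram("198.51.100.9", 40000, "10.1.1.21", WSDD_PORT, b"<?xml"),     # 5 bytes: not the PoC
    Datagram("10.1.1.21", WSDD_PORT, "198.51.100.9", 40000, SOAP_REPLY),   # high port: not counted
]
```

Running detect(SAMPLE) flags 203.0.113.5 as the spoofed victim, 10.1.1.20 as a responding device, and a 1500:1 byte ratio for the victim, which is the kind of number the threshold comment in the rule is asking to be measured.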