[Emerging-Sigs] WS-Discovery Reflective DDoS

Jake Warren jake.warren at masergy.com
Wed Aug 28 10:34:09 HDT 2019

Hello all,

Submitting a rough rule for WSDD reflective DDoS attacks. I could use some
help testing/refining the rule. I would also like to have a rule to detect
devices responding & participating in the attack but I am not sure the best
way to go about it; maybe trigger on services responding with multiple
fault messages, or SOAP messages to outbound service ports (1:1024).

# NOTE: needs testing to determine threshold
alert udp $EXTERNAL_NET any -> $HOME_NET 3702 (msg:"WSDD DDoS Amp In (PoC-based)"; dsize:3; content:"|3c aa 3e|"; reference:url, sid:1; rev:1;)


Jake Warren
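As an added example (not part of Jake's post or of the ET ruleset), the Python below applies both ideas from the post to constructed packet records: the inbound side counts 3-byte `|3c aa 3e|` datagrams to UDP/3702 per targeted home device, as the posted rule does, and the outbound side counts SOAP envelopes or Faults a device sends from 3702 to destination ports in the 1:1024 range, which is what a responder participating in the attack looks like, since real WSD clients use ephemeral source ports. The ports, payload bytes and message names follow the post; the thresholds, the sample addresses and the Fault body are assumptions chosen for illustration, and the amplification ratio is computed only to show why the outbound view matters.

```python
from collections import Counter
from dataclasses import dataclass

WSD_PORT = 3702
# Payload the posted rule matches: dsize:3 with content:"|3c aa 3e|".
PROBE_PAYLOAD = bytes.fromhex("3c aa 3e")
PRIVILEGED_PORT_MAX = 1024   # the "1:1024" outbound service-port range from the post
PROBE_THRESHOLD = 5          # assumption: probes per targeted device before alerting
REFLECT_THRESHOLD = 3        # assumption: SOAP replies to low ports per device before alerting


@dataclass(frozen=True)
class Packet:
    """One UDP datagram as it would be read from a pcap or a flow log."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_probe(pkt: Packet) -> bool:
    """Inbound amplification probe: the 3-byte PoC payload sent to UDP/3702."""
    return pkt.dport == WSD_PORT and len(pkt.payload) == 3 and pkt.payload == PROBE_PAYLOAD


def is_soap_reply_to_low_port(pkt: Packet) -> bool:
    """A WSD responder answering from 3702 with a SOAP body to a port below 1024.

    Genuine WSD clients receive ProbeMatches on an ephemeral port, so replies
    (and especially Faults) aimed at privileged ports point at a reflector.
    """
    body = pkt.payload.lower()
    looks_like_soap = b"envelope" in body or b"fault" in body
    return pkt.sport == WSD_PORT and pkt.dport < PRIVILEGED_PORT_MAX and looks_like_soap


def detect(packets, probe_threshold=PROBE_THRESHOLD, reflect_threshold=REFLECT_THRESHOLD):
    """Return (alerts, amplification_ratio).

    alerts is a list of (message, address, count): inbound alerts carry the
    targeted home device, outbound alerts the reflecting device.
    """
    probes_per_dst = Counter()
    replies_per_src = Counter()
    probe_bytes = reply_bytes = 0
    for pkt in packets:
        if is_probe(pkt):
            probes_per_dst[pkt.dst] += 1
            probe_bytes += len(pkt.payload)
        elif is_soap_reply_to_low_port(pkt):
            replies_per_src[pkt.src] += 1
            reply_bytes += len(pkt.payload)

    alerts = []
    for dst, n in sorted(probes_per_dst.items()):
        if n >= probe_threshold:
            alerts.append(("WSDD DDoS Amp In", dst, n))
    for src, n in sorted(replies_per_src.items()):
        if n >= reflect_threshold:
            alerts.append(("WSDD DDoS Amp Out (reflector)", src, n))
    amplification = reply_bytes / probe_bytes if probe_bytes else 0.0
    return alerts, amplification


# Constructed sample traffic (addresses from RFC 5737 documentation ranges).
SOAP_FAULT = (b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
              b'<s:Body><s:Fault><s:Code><s:Value>s:Sender</s:Value></s:Code>'
              b'</s:Fault></s:Body></s:Envelope>')
LEGIT_PROBE = b'<s:Envelope><s:Body><d:Probe/></s:Body></s:Envelope>'
VICTIM, DEVICE, OTHER_DEVICE, CLIENT = "203.0.113.10", "192.0.2.50", "192.0.2.51", "192.0.2.7"

SAMPLE = (
    # attacker spoofs the victim and hits DEVICE six times with the PoC payload
    [Packet(VICTIM, 80, DEVICE, WSD_PORT, PROBE_PAYLOAD) for _ in range(6)]
    # DEVICE dutifully answers the victim's port 80 with a Fault four times
    + [Packet(DEVICE, WSD_PORT, VICTIM, 80, SOAP_FAULT) for _ in range(4)]
    # a single stray probe at another device stays under the threshold
    + [Packet(VICTIM, 443, OTHER_DEVICE, WSD_PORT, PROBE_PAYLOAD)]
    # a normal discovery exchange on an ephemeral port is not flagged
    + [Packet(CLIENT, 49152, "239.255.255.250", WSD_PORT, LEGIT_PROBE),
       Packet(DEVICE, WSD_PORT, CLIENT, 49152, SOAP_FAULT)]
)

if __name__ == "__main__":
    found, ratio = detect(SAMPLE)
    for msg, addr, count in found:
        print(f"{msg}: {addr} ({count} packets)")
    print(f"bytes out / bytes in: {ratio:.1f}x")
```

Counting the reflected bytes against the probe bytes on the same device shows the trade-off directly: seven 3-byte probes produce four replies of roughly 150 bytes each, so the outbound rule fires on far less traffic than a bandwidth-based threshold on the inbound side would need.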