MEDIUM: Accessible WS-Discovery Service Report

DESCRIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: MEDIUM

Introduction

This report identifies accessible WS-Discovery services on port 3702/udp. As described on Wikipedia, Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.

The WS-Discovery service is known to be a potential UDP message amplifier that has been abused for reflected DDoS attacks since 2019 (see observations from Akamai and Trend Micro).

As of 2023-03-14 we find 17621 servers on IPv4, with an average amplification factor of 293 and a median amplification factor of 305.

How we scan

We scan by sending a 5 byte malformed WS-Discovery packet containing a <:/> payload, as used in the Phenomite research WS-Discovery DDoS amplification.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track the latest WS-Discovery scan results on the Shadowserver Dashboard.

You can also track WS-Discovery DDoS amplification abuse on our Dashboard, as seen by honeypot sensors.

Mitigation

Block port 3702/udp from the public Internet.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report has an IPv4.

Filename: scan_ws_discovery

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always UDP)
  • port
    Port that the response came from (typically port 3702)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "ws-discovery"
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the IP belongs to
  • response_size
    Raw response size
  • amplification
    Response size divided by 5 and limited to 2 significant digits
  • error
    This is a generalized field, since the error message can show up in at least 7 different locations in the XML response, and sometimes the error field is there but unpopulated. If we get an error in any of the fields, that text is populated in this field. In the event that we get a valid response to our malformed probe, we fill the field with the valid XML response.
  • raw_response
    Base64 encoded version of the raw xml blob that we received in response to our probe.

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","response_size","amplification","error","raw_response"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,3702,node01.example.com,ws-discovery,64512,ZZ,Region,City,0,ptr,,989,197.80,"Validation constraint violation: SOAP message expected",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",medium,192.168.0.2,udp,3702,node02.example.com,ws-discovery,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",732,146.40,"Validation constraint violation: SOAP message expected",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",medium,192.168.0.3,udp,3702,node03.example.com,ws-discovery,64512,ZZ,Region,City,0,,,631,126.20,"Validation constraint violation: missing root element",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
