MEDIUM: Accessible WS-Discovery Service Report

DESCTIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: MEDIUM

Introduction

This report identifies accessible WS-Discovery services on port 3702/udp. As described on Wikipedia, Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.

The WS-Discovery service is known to be a potential UDP message amplifier that has been abused for reflected DDoS attacks since 2019 (see observations from Akamai and Trend Micro).

As of 2023-03-14 we find 17621 servers on IPv4, with an average amplification factor of 293 and median amplification factor of 305.

How we scan

We scan by sending 5 byte malformed WS-Discovery packet containing a <:/> payload, as used in the Phenomite research WS-Discovery DDoS amplification.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track latest WS-Discovery scan results on the Shadowserver Dashboard.

You can also track WS-Discovery DDoS amplification abuse on our Dashboard, as seen by honeypot sensors.

Mitigation

Block port 3702/udp from the public Internet.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report has an IPv4.

Filename: scan_ws_discovery

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that response came on (always UDP)
port

Port that the response came from (typically port 3702)
hostname

Reverse DNS name of the device in question
tag

Tag set to "ws-discovery"
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
sector

Sector the IP belongs to
response_size

Raw response size
amplification

Response size divided by 5 and limited to 2 significant digits
error

This is a generalized field, since the error message can show up in at least 7 different locations in the XML response and sometimes the error field is there, but unpopulated. If we get an error in any of the fields, that text is populated in this field. In the event that we get a valid response to our malformed probe, we fill the field with valid xml response
raw_response

Base64 encoded version of the raw xml blob that we received in response to our probe.

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","response_size","amplification","error","raw_response"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,3702,node01.example.com,ws-discovery,64512,ZZ,Region,City,0,ptr,,989,197.80,"Validation constraint violation: SOAP message expected",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",medium,192.168.0.2,udp,3702,node02.example.com,ws-discovery,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",732,146.40,"Validation constraint violation: SOAP message expected",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",medium,192.168.0.3,udp,3702,node03.example.com,ws-discovery,64512,ZZ,Region,City,0,,,631,126.20,"Validation constraint violation: missing root element",NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=

Our 131 Report Types

« Back to Network Reporting