WS-Discovery reflected DDoS (3702 UDP – fragmented – amplified)

Some information about a new attack fingerprint I've been seeing over the past few days, generating decently sized volumetric attacks (50 Gbps+).

The reflected service this time is WS-Discovery (https://en.wikipedia.org/wiki/WS-Discovery).

A big variety of appliances is being exploited as reflectors (many of them IP surveillance systems).

It seems Akamai has recently published plenty of information, so the news is already old:
https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html

TL;DR: this is real and is being exploited in the wild against multiple targets.
The good news is that it can be mitigated with the usual ACL rule, placed as early as possible in your network stack:

deny udp any any fragment

As usual, make sure your ACL rule matches both the first and the subsequent fragments (some HP switches are known to match only the first fragment: quick test to verify whether your network is properly denying UDP fragments).

If you use UDP fragments for legitimate purposes ( 😱 ), you can instead add UDP source port 3702 to your deny ACL in order to stop at least the first fragment (only the first fragment carries the UDP header, so a port match can never apply to the others).
The subsequent fragments will reach you anyway (and this reflection has a high amplification rate), so the traffic will still be carried across your network, but at least it will not consume many CPU cycles: those orphaned fragments can never be reassembled and will be discarded.
In that case you just need to make sure you have enough bandwidth along the whole path.
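As an added example (not part of the original post), the following Python script models the two points above on constructed sample traffic: it flags reflected WS-Discovery replies by their UDP source port 3702, which is only visible in the first fragment, and it shows how many bytes of fragment traffic still get through a "deny udp any any fragment" rule on a device that matches every fragment versus one that matches only the first fragment. The packet records, addresses and the `Packet` structure are constructed for the example; they are not output of any real tool.

```python
"""Added example (not from the original post): classify constructed packet
records for WS-Discovery (UDP/3702) reflection traffic and model what a
'deny udp any any fragment' ACL drops, depending on whether the device
matches only the first fragment or every fragment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WSD_PORT = 3702  # WS-Discovery, the reflected service


@dataclass
class Packet:
    proto: str                   # IP protocol number/name, present in every fragment
    src: str
    dst: str
    frag_offset: int             # IP fragment offset in 8-byte units; 0 for the first fragment
    more_fragments: bool         # the IP "MF" flag
    length: int                  # bytes on the wire
    sport: Optional[int] = None  # UDP ports exist only where the UDP header is:
    dport: Optional[int] = None  # in an unfragmented packet or in the first fragment


def fragment_kind(p: Packet) -> str:
    """'unfragmented', 'first' (offset 0, MF set) or 'subsequent' (offset > 0)."""
    if p.frag_offset > 0:
        return "subsequent"
    return "first" if p.more_fragments else "unfragmented"


def is_wsd_reflection(p: Packet) -> bool:
    """Reflected reply: UDP with source port 3702. Subsequent fragments carry no
    UDP header, so they can never be identified this way."""
    return p.proto == "udp" and p.sport == WSD_PORT


def acl_denies(p: Packet, matches_subsequent: bool = True) -> bool:
    """Model of 'deny udp any any fragment'. A compliant device drops every UDP
    fragment; a device that matches only the first fragment (the HP case in the
    post) lets the subsequent fragments through."""
    kind = fragment_kind(p)
    if p.proto != "udp" or kind == "unfragmented":
        return False
    return kind == "first" or matches_subsequent


def summarize(packets, matches_subsequent: bool = True) -> dict:
    """Per-destination view: reflected WS-Discovery replies seen, fragments seen,
    and the bytes of fragment traffic that would still get past the ACL."""
    per_dst = defaultdict(lambda: {"wsd_replies": 0, "fragments": 0, "leaked_bytes": 0})
    for p in packets:
        s = per_dst[p.dst]
        if is_wsd_reflection(p):
            s["wsd_replies"] += 1
        if fragment_kind(p) != "unfragmented":
            s["fragments"] += 1
            if not acl_denies(p, matches_subsequent):
                s["leaked_bytes"] += p.length
    return dict(per_dst)


# Constructed sample traffic (RFC 5737 documentation addresses): one reflected,
# fragmented WS-Discovery reply in three pieces plus an ordinary DNS reply.
SAMPLE_PACKETS = [
    Packet("udp", "198.51.100.7", "203.0.113.10", 0, True, 1500, sport=WSD_PORT, dport=41000),
    Packet("udp", "198.51.100.7", "203.0.113.10", 185, True, 1500),   # offset 1480 bytes
    Packet("udp", "198.51.100.7", "203.0.113.10", 370, False, 640),   # last fragment
    Packet("udp", "192.0.2.53", "203.0.113.10", 0, False, 120, sport=53, dport=51000),
]

if __name__ == "__main__":
    for mode in (True, False):
        label = "matches all fragments" if mode else "matches first fragment only"
        print(f"ACL {label}: {summarize(SAMPLE_PACKETS, mode)}")
```

Running it shows zero leaked bytes when the rule matches every fragment, and the full size of the two non-initial fragments leaking through when only the first fragment is matched, which is exactly the bandwidth the post tells you to budget for in the fallback case.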

Take care

Google cloud SQL – adding a new user with GRANT privilege

Google Cloud SQL does not support the

GRANT ALL PRIVILEGES ON *.*

command.

To create a new user with (almost) all privileges, open the Cloud SQL console and run these commands:

CREATE USER 'newuser'@'%' IDENTIFIED BY 'newpassword';
-- `%`.* is a database-name pattern, so this grants on every database that matches.
-- IDENTIFIED BY inside GRANT is deprecated in MySQL 5.7 and removed in 8.0;
-- on 8.0 drop that clause (the password was already set by CREATE USER).
GRANT ALL ON `%`.* TO 'newuser'@'%' IDENTIFIED BY 'newpassword';

These create a user named "newuser" with password "newpassword" that can connect from any host and that can create new users and grant them access to other databases.