WS-Discovery reflected DDoS (3702 UDP – fragmented – amplified)

Was going to provide some infos about this new attack fingerprint I’ve been seeing in the past few days generating decently sized volumetric attacks (50gbps+).

Service source this time is WS-Discovery (

Big variety of exploited appliances (many are IP surveillance systems)

Seems like Akamai have recently published plenty of informations and the news is already old:

TLDR: this is real and being exploited in the wild towards multiple targets.
Good news is that it can be mitigated with the usual ACL rule placed as early as possible in your network stack:

deny udp any any fragment

As usual make sure your ACL rule matches both the first and subsequent fragments (some HP switches are known to match only first fragment – quick test to verify if your network is properly denying UDP fragments)

If you make use of UDP fragments for legit purposes ( 😱 ) then you can add UDP port 3702 source to your deny ACL in order to stop at least the first fragment.
The subsequent ones will reach you anyway (and this reflection has an high amplification rate) so you would get the traffic transported within your network but at least it will not consume much cpu cycles as all those fragments cannot be rebuilt and will be discarded.
In such case you just need to make sure you have enough bandwidth across the whole path

Take care

Google cloud SQL – adding a new user with GRANT privilege

Google cloud sql does not support the



in order to create a new user with (almost) all the privileges access the cloud sql console and run these commands:

CREATE USER 'newuser'@'%' IDENTIFIED BY 'newpassword';
GRANT ALL ON `%`.* TO 'newuser'@'%' IDENTIFIED BY 'newpassword';

Those will create a user named “newuser” with password “newpassword” able to connect from every host and able to create new users while granting them access to other databases