SLP Protocol Vulnerability Leads to Massive DDoS Attacks
Researchers discovered a vulnerability in a UDP-based network service called the Service Location Protocol (SLP) that can be abused to amplify DDoS attacks. Attackers could use internet-exposed systems and their services to generate massive attacks, and cleaning them up will likely take a very long time.
DDoS reflection is an attack technique that relies on sending traffic to a server and having it send its response to a different IP address. This type of attack usually works with communication protocols that are built on top of UDP, which along with TCP is one of the core protocols for transmitting data over the internet.
UDP was built for speed and doesn’t have additional checks in place, making it susceptible by design to source address spoofing. This means an attacker can send a UDP packet to a server but put a different source IP address in the packet instead of their own. This will cause the server to send its response to whatever source IP address was set.
DDoS amplification works with a variety of protocols including DNS, mDNS, NTP, SSDP, SNMP and others because they all use UDP for transmission. Servers exposed to the internet that accept packets on those protocols and generate responses can therefore be abused for DDoS amplification and they historically have been used to generate some of the largest DDoS attacks to date.
SLP is a legacy protocol that is used on local networks for automated service discovery and dynamic configuration between applications. The SLP daemon on a system maintains a directory of available services such as printers, file servers, and other network resources. It listens for requests on UDP port 427.
Researchers identified over 54,000 devices that accept SLP connections on the internet. These devices belong to over 2,000 organizations from around the world and cover 670 different types of products, including VMware ESXi Hypervisor instances, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), and SMC IPMI.
Public SLP instances can be abused for DDoS amplification because attackers can query the available services on an SLP server, which is a 29-byte request, and the server reply will typically be between 48 and 350 bytes. That is an amplification factor of between 1.6X and 12X. The reply size can subsequently be increased up to the practical limit of UDP packets, which is 65,536 bytes.
All attackers must do is first send packets to the SLP server to register new services until its buffer is full and the server doesn’t accept new registrations. Then they can proceed with a regular reflective attack by sending requests for service lists with a spoofed source IP address. This will result in a massive amplification factor of 2200X: 29-byte requests generating 65,000-byte responses.
The researchers coordinated the vulnerability disclosure through the US CISA, which issued its own alert. VMware has also issued an advisory for ESXi but noted that only end-of-life versions of the hypervisor are affected. The vulnerability is tracked as CVE-2023-29552 and has a CVSS severity rating of 8.6.
The countries with the largest number of vulnerable devices are the US, the UK, Japan, Germany, and Canada.
- SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet.
- If it can’t be disabled, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.
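To find SLP servers on your own network that are still reachable from outside, flow records can be checked for UDP port 427 traffic crossing the perimeter and compared with the reply sizes quoted above. The following is an added example, not code from the original research; the flow-record layout, the 192.0.2.0/24 internal range and the function name are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427
REQUEST_BYTES = 29                         # request size quoted in the article
TYPICAL_MAX_FACTOR = 350 / REQUEST_BYTES   # ~12X, top of the typical reply range

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, payload_bytes)
SAMPLE_FLOWS = [
    ("203.0.113.5", 40001, "192.0.2.10", 427, "udp", 29),
    ("203.0.113.5", 40002, "192.0.2.10", 427, "udp", 29),
    ("203.0.113.5", 40003, "192.0.2.10", 427, "udp", 29),
    ("192.0.2.10", 427, "203.0.113.5", 40001, "udp", 65000),
    ("192.0.2.10", 427, "203.0.113.5", 40002, "udp", 65000),
    ("192.0.2.10", 427, "203.0.113.5", 40003, "udp", 65000),
    ("198.51.100.9", 51000, "192.0.2.20", 427, "udp", 29),
    ("192.0.2.20", 427, "198.51.100.9", 51000, "udp", 120),
    ("192.0.2.30", 52000, "192.0.2.10", 427, "udp", 29),    # internal client: ignored
    ("192.0.2.10", 427, "192.0.2.30", 52000, "udp", 120),
    ("198.51.100.9", 51001, "192.0.2.20", 427, "tcp", 60),  # TCP: outside this UDP check
]

def find_slp_reflectors(flows, internal_cidr="192.0.2.0/24"):
    """List internal SLP servers answering external addresses over UDP 427.

    Returns (server, remote, request_bytes, reply_bytes, factor, verdict) tuples.
    With spoofed requests, 'remote' is the address receiving the replies.
    """
    net = ipaddress.ip_network(internal_cidr)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SLP_PORT and inside(dst) and not inside(src):
            req[(dst, src)] += nbytes       # external request reaching the server
        elif sport == SLP_PORT and inside(src) and not inside(dst):
            resp[(src, dst)] += nbytes      # server reply leaving the network
    findings = []
    for (server, remote), sent in resp.items():
        got = req.get((server, remote), 0)
        factor = round(sent / got, 1) if got else None
        if factor is None:
            verdict = "unmatched"           # replies seen without requests (e.g. sampling)
        else:
            verdict = "inflated" if factor > TYPICAL_MAX_FACTOR else "exposed"
        findings.append((server, remote, got, sent, factor, verdict))
    return sorted(findings, key=lambda f: f[3], reverse=True)
```

Any row returned means the server is answering SLP queries from outside the network and needs one of the mitigations above; an "inflated" verdict means its replies exceed the typical 48 to 350 byte range.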
This research was documented by researchers from Bitsight along with Curesec.