New DDoS attack vector: SLP vulnerability enables amplification attacks with factor 2,200 

SECURITY INSIGHTS | 27. April 2023

It will likely not be long before cybercriminals abuse one of the more than 50,000 vulnerable SLP instances visible on the Internet for volumetric attacks. Myra customers can rest easy, however.

Security researchers from Bitsight and Curesec have discovered a vulnerability in the Service Location Protocol (SLP). Attackers can exploit it for volumetric DDoS attacks by sending short requests with spoofed source addresses to exposed SLP servers, which then send much larger replies to the victim. Distributed Reflected Denial of Service (DRDoS) attacks with an amplification factor of up to 2,200 are possible via vulnerable SLP instances. Myra Security customers are automatically protected against this new attack vector as well, regardless of whether they use our Application Security or our Network & Infrastructure Security.

Attackers can use tens of thousands of vulnerable SLP instances for attacks 

SLP is a service discovery protocol introduced in 1997 that lets computers and other devices find services such as printers, file servers, and other network resources on a local area network. It was never designed for use on the public Internet. Nevertheless, more than 54,000 SLP instances were reachable online via UDP port 427 in February, and every one of them can be abused as a reflector. Many of these Internet-facing SLP services appear to be older and probably abandoned systems. Administrators should therefore disable network access to SLP servers or block UDP and TCP port 427 as a precaution.

The newly discovered vulnerability, CVE-2023-29552 (CVSS score: 8.6), affects more than 2,000 organizations worldwide, according to the researchers. It is found in more than 670 product types, including the VMware ESXi hypervisor, Konica Minolta printers, Planex routers, the IBM Integrated Management Module (IMM) and SMC IPMI. The ten countries with the most vulnerable SLP instances are the US, the UK, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

General functioning of DRDoS attacks 

From a technical perspective, a DRDoS attack is a special form of DDoS. The malicious traffic does not come directly from the attacker or from a botnet built for the purpose, but from legitimate Internet services, which the attackers weaponize by abusing the protocols those services speak. Using IP spoofing (sending IP packets with a forged source address), the attacker sends requests to these services in the victim's name, so that the replies are delivered to the victim rather than to the attacker. This disguises the true origin of the DDoS attack and at the same time massively increases the bandwidth directed at the target.

DRDoS attacks are usually carried out via high-amplification reflectors such as open DNS resolvers, which answer the attacker's short queries with large responses. Because such reflection multiplies the volume of traffic that reaches the victim, these attacks are also referred to as amplification attacks, as in the case of SLP.
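To make the reflection and amplification mechanics concrete for the SLP case, here is an added example (not code from this article, from Myra, or from the Bitsight/Curesec research). It builds a minimal SLPv2 Service Request and Service Reply following the RFC 2608 message layout, computes the bandwidth amplification factor from the two sizes, and then separates reflected SLP replies (UDP datagrams sourced from port 427) from other traffic, which is the kind of per-port filtering the protection section below refers to. All addresses come from the RFC 5737 documentation ranges, and the reply size, service URL and flow records are constructed for the example; the resulting factor is deliberately smaller than the 2,200 cited above.

```python
"""Added illustration (not code from the Myra article or the Bitsight/Curesec research):
a minimal SLPv2 (RFC 2608) message builder/parser, the amplification arithmetic behind
a reflection attack, and a filter that separates reflected SLP replies from other traffic.
Addresses (RFC 5737 documentation ranges) and byte counts are constructed for the example."""
import struct
from collections import namedtuple

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply


def slp_string(s: str) -> bytes:
    """SLP length-prefixed string: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def slp_message(function_id: int, body: bytes, xid: int, lang: str = "en") -> bytes:
    """Prepend the RFC 2608 header: version, function-ID, 3-byte length, flags,
    3-byte next-extension offset, XID, language tag length and tag."""
    lang_b = lang.encode("ascii")
    length = 14 + len(lang_b) + len(body)           # fixed header is 14 bytes plus the tag
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + length.to_bytes(3, "big")
            + struct.pack("!H", 0)                  # flags: no overflow/fresh/multicast
            + (0).to_bytes(3, "big")                # no extensions
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang_b)) + lang_b
            + body)


def build_srvrqst(service_type="service:service-agent", scope="default", xid=1) -> bytes:
    """The short query an attacker spoofs: empty previous-responder list, service type,
    scope list, empty predicate, empty SLP SPI."""
    body = slp_string("") + slp_string(service_type) + slp_string(scope) + slp_string("") + slp_string("")
    return slp_message(FN_SRVRQST, body, xid)


def build_srvrply(urls, xid=1, lifetime=65535) -> bytes:
    """A reply carrying one URL entry per service the server returns; the reply grows
    with every entry, and that growth is what the attacker harvests as amplification."""
    entries = b"".join(struct.pack("!BHH", 0, lifetime, len(u.encode())) + u.encode() + b"\x00"
                       for u in urls)                # reserved, lifetime, URL length, URL, 0 auth blocks
    body = struct.pack("!HH", 0, len(urls)) + entries  # error code 0, URL entry count
    return slp_message(FN_SRVRPLY, body, xid)


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header; raises if the datagram is not SLPv2."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    lang_len = struct.unpack("!H", pkt[12:14])[0]
    return {"function_id": pkt[1],
            "length": int.from_bytes(pkt[2:5], "big"),
            "flags": struct.unpack("!H", pkt[5:7])[0],
            "xid": struct.unpack("!H", pkt[10:12])[0],
            "lang": pkt[14:14 + lang_len].decode("ascii")}


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bandwidth amplification: bytes the reflector sends to the victim per byte the
    attacker sent. A single UDP payload tops out at 65,507 bytes, so the 2,200x the
    article cites implies a request of under 30 bytes; this constructed pair is larger."""
    return len(reply) / len(request)


Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port nbytes")


def split_reflected_slp(flows, slp_clients=frozenset()):
    """Separate UDP datagrams sourced from port 427 (SLP replies) from everything else,
    so the reflected flood can be dropped while other traffic passes. Hosts listed in
    slp_clients legitimately talk SLP and are left alone."""
    dropped, passed = [], []
    for f in flows:
        if f.proto == "udp" and f.src_port == SLP_PORT and f.dst_ip not in slp_clients:
            dropped.append(f)
        else:
            passed.append(f)
    return dropped, passed


# Constructed scenario: three exposed SLP servers reflect bloated replies toward one victim.
REQUEST = build_srvrqst()
REPLY = build_srvrply(["service:test://192.0.2.10:8080"] * 1000)
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 427, "203.0.113.5", 40000, len(REPLY)),
    Flow("udp", "198.51.100.9", 427, "203.0.113.5", 40000, len(REPLY)),
    Flow("udp", "198.51.100.11", 427, "203.0.113.5", 40000, len(REPLY)),
    Flow("tcp", "192.0.2.50", 443, "203.0.113.5", 51000, 1500),             # unrelated HTTPS
    Flow("udp", "203.0.113.5", 40000, "198.51.100.7", 427, len(REQUEST)),  # a request, not a reply
]

if __name__ == "__main__":
    factor = amplification_factor(REQUEST, REPLY)
    print(f"request {len(REQUEST)} B, reply {len(REPLY)} B, amplification {factor:.0f}x")
    dropped, passed = split_reflected_slp(SAMPLE_FLOWS)
    print(f"dropped {len(dropped)} reflected SLP flows, passed {len(passed)} others")
```

The 54-byte request and 36,020-byte reply give a factor of about 667; the attacker pays for the small request, the victim receives the large reply. The filter keys on the source port because a host that never sent SLP requests has no reason to receive SLP replies, and the allowlist keeps legitimate LAN clients reachable.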

Myra reliably protects against all DDoS attack vectors  

Myra customers can rest easy: our DDoS protection automatically filters out attack traffic such as fragmented UDP before it can saturate customer lines. Should an attack arrive from source port 427, dedicated filter rules isolate the malicious traffic while legitimate traffic continues to reach the customer's servers.
