Hacking

SLP flaw allows DDoS attacks with an amplification factor as high as 2200 times

A flaw in the Service Location Protocol (SLP), tracked as CVE-2023-29552, can allow to carry out powerful DDoS attacks.

A high-severity security vulnerability (CVE-2023-29552, CVSS score: 8.6) impacting the Service Location Protocol (SLP) can be exploited by threat actors to conduct powerful volumetric DDoS attacks.

The Service Location Protocol (SLP) is a legacy service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. 

Researchers from Bitsight and Curesec reported that attackers exploiting this flaw can leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks. The experts pointed out that the flaw can allow achieving an amplification factor as high as 2200 times, which is one of the largest amplification attacks ever reported. 

The vulnerability impacts more than 2,000 organizations worldwide and over 54,000 SLP instances that are publicly exposed to the Internet, including VMWare ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types.

Bitsight reported the flaw to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and impacted organizations.

In a reflective DoS amplification attack, the attacker sends small requests to a server with the spoofed source IP address of the victim. In turn, the server replies to the victim’s IP address, sending much larger responses than the requests, generating large amounts of traffic to the victim’s system.

“Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29 byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation.” reads the analysis published by Bitsight. “However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29 byte request.”

The steps to conduct a reflective DoS amplification attack exploiting this flaw are:

  • Step 1: The attacker finds an SLP server on UDP port 427.
  • Step 2: The attacker registers services until SLP denies more entries..
  • Step 3: The attacker spoofs a request to that service with the victim’s IP as the origin.
  • Step 4: The attacker repeats step three as long as the attack is ongoing.

New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) | Bitsight

The experts warn that threat actors will start conducting reflective DoS amplification attacks leveraging CVE-2023-29552 in the coming weeks.

Most of vulnerable SLP instances are in the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

“To protect against CVE-2023-29552, SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet. If that is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.” concludes the report.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SLP)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

33 mins ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

12 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

16 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.