High-Severity SLP Flaw Can Amplify DDoS Attacks up to 2,200 Times

More than 2,000 global organizations — including Fortune 1,000 companies — are at risk to reflective DDoS attacks that exploit a vulnerability discovered in the legacy Internet protocol.

Image shows someone sitting at a table holding a tablet with a screen showing "Warning DDoS" in black writing in a yellow box
Source: Kirill Ivanov via Alamy Stock Photo

A newly discovered, high-severity flaw in a legacy Internet protocol used by various enterprise products can allow for attackers to amplify distributed denial-of-service (DDoS) attacks up to 2,200 times — one of the largest amplification attacks ever recorded, researchers have found.

The flaw, tracked as CVE-2023-29552, is found in the Service Location Protocol (SLP), a largely outdated network-discovery protocol that is still used by some routers, virtual machines, printers, and other technology.

Researchers Pedro Umbelino from Bitsight and Marco Lux from Curesec jointly discovered the vulnerability, which they said allows for a reflective amplification attack, according to a blog post by Bitsight's Noah Stone, published April 25.

"CVE-2023-29552 is a threat that can potentially impact business continuity and result in financial loss, even if an attacker has limited resources," he warned.

In a reflective amplification DDoS attack, a threat actor typically sends small requests to a server with a spoofed source IP address that corresponds to the victim's IP address, garnering responses to that address that are much larger than the requests, the researchers explained. This generates large amounts of traffic to the victim's system, they said.

"The attacker is simply tricking systems on the Internet — not necessarily owned by the target — to send mass amounts of traffic to the target," Stone wrote in the post.

Outdated but Not Unused

While SLP has largely been replaced by modern alternatives like UPnP, mDNS/Zeroconf, and WS-Discovery, a number of commercial products still offer the protocol, researchers from Cloudflare said in a blog post about the discovery published April 25. However, SLP has no method for authentication and thus should never be exposed to the public Internet, they said.

Despite this, in February 2023, Bitsight and Curesec researchers identified more than 2,000 global organizations and more than 54,000 SLP instances — including VMware ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), and Supermicro IPMI — that attackers potentially can abuse to launch DoS attacks on global organizations, they said.

Moreover, the researchers identified a number of Fortune 1,000 organizations as having instances vulnerable to the SLP flaw, with the US the top nation affected by the potential risk, followed by the United Kingdom, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain.

For its part, VMware responded to the news of the flaw and the possibility that some of its products may be affected with a statement of its own, acknowledging that ESXi releases such as 6.7 and 6.5, which have reached the end of general support, are indeed affected by the flaw.

"VMware recommends that the best option to address CVE-2023-29552 is to upgrade to a supported release line that is not impacted by the vulnerability," the company said. This would include any 7.x or 8.x version of ESXi, according to VMware.

"ESXi 7.0 U2c and newer, and ESXi 8.0 GA and newer, ship with the SLP service hardened, disabled by default, and filtered by the ESXi firewall," the company said.

Exploiting SLP to Amplify an Attack

A reflective amplification DDoS attack that exploits CVE-2023-29552 would use reflection coupled with service registration to significantly amplify the amount of traffic sent to the victim, the Bitsight and Curesec researchers explained.

The typical reply packet size from an SLP server is between 48 and 350 bytes, they said. If you take a 29-byte request, the amplification factor — or the ratio of reply to request magnitudes — would roughly be between 1.6X and 12X.

However, since SLP does not require authentication, it allows an unauthenticated user to register arbitrary new services, the researchers said. This means that an attacker can manipulate both the content and the size of the server reply. The end result is a maximum amplification factor of more than 2,200 times |"due to the roughly 65,000-byte response given a 29-byte request," Stone wrote.

"This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack," he wrote.

Dangers of DDoS

Always dangerous because of the havoc they can wreak on an organization's ability to do business — causing service interruptions that cause financial, reputational, and operational harm — DDoS attacks have once again moved to the forefront in recent years.

This is in part due to their being used as a cyber weapon by hackers in the conflict in Ukraine, where threat actors have employed them to attempt to disrupt communications and military operations. In fact, the first half of 2022, when the war began, saw an alarming frequency of DDoS attacks, with Netscout reporting more than 6 million in its "DDoS Threat Intelligence Report," published late last year.

Indeed, given the criticality of the vulnerability and the potential consequences resulting from exploitation of the SLP flaw, Bitsight and Curesec researchers coordinated public disclosure efforts with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), as well as affected organizations.

Bitsight also engaged with DoS teams at major IT service management companies to help with remediation, while the CISA conducted extensive outreach to potentially impacted vendors, as well as put out a release of its own on the issue.

Mitigation and Defense

For organizations that could be using technology that supports SLP and can be accessed from the Internet, the obvious but perhaps difficult-to-achieve solution to mitigate risk from attackers exploiting the flaw is to update any affected product to a modern version that doesn't use SLP.

If this isn't possible, the researchers recommended disabling SLP on all systems running on untrusted networks, such as those directly connected to the Internet. If even that is not possible, then organizations should configure firewalls to filter traffic on UDP and TCP port 427, they said, which will prevent external attackers from accessing the SLP service.

Organizations also should enforce strong authentication and access controls that closely monitor and audit access, allowing only authorized users to access the correct network resources, the researchers said.

"Organizations should also have an incident response plan in place that clearly outlines procedures for mitigating SLP vulnerabilities," Stone advised, "as well as procedures for communicating with users and stakeholders in case of an incident."

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights