New DDoS amplification vector could enable massive attacks

Security researchers sounded the alert about a vulnerability in an UDP-based network service called the Service Location Protocol (SLP) that can be abused to amplify DDoS attacks. Tens of thousands of systems and devices have this service exposed to the internet. Attackers could use them to generate massive attacks, and cleaning them up will likely take a very long time.

Researchers from security firms Bitsight and Curesec found a vulnerability that allows attackers to exploit SLP endpoints in a specific way that will generate big responses and then reflect those responses toward victims.

How DDoS reflection attacks and DDoS amplification work

DDoS reflection is an attack technique that relies on sending traffic to a server and having it send its response to a different IP address. This type of attack usually works with communication protocols that are built on top of User Datagram Protocol (UDP), which along with Transmission Control Protocol (TCP) is one of the core protocols for transmitting data over the internet.

Unlike TCP, however, UDP was built for speed and doesn’t have additional checks in place, making it susceptible by design to source address spoofing. This means an attacker can send a UDP packet to a server but put a different source IP address in the packet instead of their own. This will cause the server to send their response to whatever source IP address was set.

In addition to the reflection effect, which hides the real originator of the traffic, with certain UDP-based protocols the resulting traffic can also be amplified meaning the generated response is much larger than the original request. This is known as DDoS amplification and is very useful for attackers because it allows them to generate more unsolicited traffic toward a target than they could if they send packets directly to it from the machines under their control.

DDoS amplification works with a variety of protocols including DNS (Domain Name System), mDNS (multicast DNS), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP (Simple Network Management Protocol) and others because they all use UDP for transmission. Servers exposed to the internet that accept packets on those protocols and generate responses can therefore be abused for DDoS amplification and they historically have been used to generate some of the largest DDoS attacks to date.

The SLP vulnerability

The Service Location Protocol (SLP) is a legacy protocol that dates back to 1997 and was meant to be used on local networks for automated service discovery and dynamic configuration between applications. The SLP daemon on a system will maintain a directory of available services such as printers, file servers, and other network resources. It will listen to requests on UDP port 427.

Even though SLP was not meant to be exposed outside local networks, researchers from Bitsight and Curesec identified over 54,000 devices that accept SLP connections on the internet. These devices belong to over 2,000 organizations from around the world and cover 670 different types of products, including VMware ESXi Hypervisor instances, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), and SMC IPMI.

As many other UDP-based protocols, public SLP instances can be abused for DDoS amplification because attackers can query the available services on an SLP server, which is a 29-byte request, and the server reply will typically be between 48 and 350 bytes. That is an amplification factor of between 1.6X and 12X. However, the researchers found that many SLP implementations allow unauthenticated users to register arbitrary new services on an SLP endpoint, therefore increasing subsequent server responses up to the practical limit of UDP packets, which is 65,536 bytes.

All attackers have to do is to first send packets to the SLP server to register new services until its buffer is full and the server doesn’t accept new registrations. Then they can proceed with a regular reflective attack by sending requests for service lists with a spoofed source IP address. This will result in a massive amplification factor of 2200X – 29-byte requests generating 65,000-byte responses.

Given the high number of affected products, the researchers coordinated the vulnerability disclosure through the US Cybersecurity and Infrastructure Security Agency (CISA), which issued its own alert. VMware has also issued an advisory for ESXi, but noted that only end-of-life versions of the hypervisor are affected. The vulnerability is tracked as CVE-2023-29552 and has a CVSS severity rating of 8.6 (High).

Mitigating the SLP vulnerability

“SLP should be disabled on all systems running on untrusted networks, like those directly connected to the Internet,” the researchers said. “If that is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.”

CVE-2023-29552 is not the first vulnerability impacting SLP. VMware patched multiple flaws in its OpenSLP implementation in ESXi over the years and in 2021 it disabled the service by default in new releases. It is now advising all customers to disable the service, especially since ransomware gangs have started exploiting one of those vulnerabilities — a heap buffer overflow tracked as CVE-2021-21974.

The countries with the largest number of vulnerable devices are the US, the UK, Japan, Germany, and Canada. Unfortunately, since the devices are spread across so many organizations, it’s likely that a significant percentage of them will remain exposed to the internet for a long time to come, increasing chances that we’ll see DDoS attacks using SLP amplification soon.