Abusing Service Location Protocol to launch never-before-seen 2,200x DDoS amplification attacks

Service Location Protocol (SLP) is an older Internet protocol that has been found to contain a critical security flaw, tracked as CVE-2023-29552. The flaw was identified jointly by researchers from Bitsight and Curesec. Attackers that take advantage of it can use susceptible SLP instances to perform denial-of-service (DoS) amplification attacks with a factor as high as 2,200x, possibly one of the largest amplification factors ever disclosed. In February 2023 the researchers identified more than 54,000 exposed SLP instances belonging to more than 2,000 organizations worldwide. These instances included VMware ESXi hypervisors, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and other devices, any of which could be abused by attackers to launch DoS attacks against organizations around the world that had no idea they were being targeted.

Due to the severity of the vulnerability and the possible consequences of its exploitation, Bitsight coordinated public disclosure with the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security as well as with the affected enterprises. Bitsight also enlisted the assistance of the denial-of-service teams of major IT service management organizations to remediate the issue, and CISA carried out substantial outreach to suppliers that could be affected.

A DoS amplification (reflection) attack works by sending a small request to a susceptible device with the source IP address forged to be that of the victim; the device then sends its much larger response to the victim instead of the attacker. The attacker's aim is to make that response as large as the abused service will allow, so that every byte sent is multiplied many times over in the traffic delivered to the target.

A typical reply packet from an SLP server is between 48 and 350 bytes, so the amplification factor reaches roughly 12x even without any manipulation of the data the server holds.

By exploiting CVE-2023-29552, however, an attacker can inflate the server's UDP response: the attacker registers additional services with the SLP server and keeps doing so until the server's response buffer is full, so that every subsequent service request is answered with the largest reply the server can produce.

By carrying out these steps an attacker can reach an amplification factor of about 2,200x: a request of just 29 bytes is turned into a response of roughly 65,000 bytes directed at the target.
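The mechanism described above, as an added illustration that is not code from the original article or from Bitsight or Curesec: a small Python model that builds real SLPv2 (RFC 2608) SrvRqst packets, simulates an SLP directory agent that accepts service registrations and answers with a SrvRply, and measures the amplification factor before and after an attacker floods the agent with bogus registrations. Assumptions, all mine: the agent keeps its registrations in memory and accepts them without any check, the reply is capped at 65,535 bytes as a stand-in for the server's response buffer (`MAX_UDP_PAYLOAD`), the language tag is fixed to `en`, and the service URLs are constructed sample data.

```python
import struct

# SLPv2 constants (RFC 2608)
SLP_VERSION = 2
SRVRQST, SRVRPLY, SRVREG = 1, 2, 3
LANG = b"en"
HEADER_LEN = 14 + len(LANG)          # fixed header fields + language tag
MAX_UDP_PAYLOAD = 65_535             # assumed cap standing in for the server's response buffer


def slp_header(function_id: int, body: bytes, xid: int = 1) -> bytes:
    """Prefix body with an SLPv2 header: ver, func, len(3), flags, ext offset(3), xid, lang."""
    length = HEADER_LEN + len(body)
    hdr = struct.pack(">BB", SLP_VERSION, function_id)
    hdr += length.to_bytes(3, "big")           # 24-bit total packet length
    hdr += struct.pack(">H", 0)                # flags (none set)
    hdr += (0).to_bytes(3, "big")              # next extension offset
    hdr += struct.pack(">H", xid)              # transaction id, echoed in the reply
    hdr += struct.pack(">H", len(LANG)) + LANG
    return hdr + body


def _lstr(s: str) -> bytes:
    """Length-prefixed string as used throughout SLP bodies."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def srvrqst(service_type: str = "", scope: str = "", xid: int = 1) -> bytes:
    """Build a minimal SrvRqst: PRList, service type, scope list, predicate, SPI."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return slp_header(SRVRQST, body, xid)


def url_entry(url: str, lifetime: int = 65_535) -> bytes:
    """URL entry: reserved, lifetime, URL length, URL, number of auth blocks (0)."""
    u = url.encode()
    return struct.pack(">BHH", 0, lifetime, len(u)) + u + b"\x00"


class DirectoryAgent:
    """Toy SLP responder: unauthenticated SrvReg, SrvRply bounded only by the buffer cap."""

    def __init__(self, max_reply: int = MAX_UDP_PAYLOAD):
        self.services: list[str] = []
        self.max_reply = max_reply

    def register(self, url: str) -> None:
        self.services.append(url)          # nothing stops an attacker from doing this

    def srvrply(self, request: bytes) -> bytes:
        xid = struct.unpack(">H", request[10:12])[0]
        entries, count = b"", 0
        for url in self.services:
            e = url_entry(url)
            if HEADER_LEN + 4 + len(entries) + len(e) > self.max_reply:
                break                      # response buffer full: reply is as large as it gets
            entries += e
            count += 1
        body = struct.pack(">HH", 0, count) + entries   # error code 0, URL entry count
        return slp_header(SRVRPLY, body, xid)


def parse_srvrply(pkt: bytes):
    """Decode a SrvRply into (xid, error_code, [urls]); assumes zero auth blocks per entry."""
    if pkt[0] != SLP_VERSION or pkt[1] != SRVRPLY:
        raise ValueError("not an SLPv2 SrvRply")
    xid = struct.unpack(">H", pkt[10:12])[0]
    off = 14 + struct.unpack(">H", pkt[12:14])[0]
    err, count = struct.unpack(">HH", pkt[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        _, _, ulen = struct.unpack(">BHH", pkt[off:off + 5])
        off += 5
        urls.append(pkt[off:off + ulen].decode())
        off += ulen + 1                    # skip URL and the auth-block count byte
    return xid, err, urls


def amplification(request: bytes, reply: bytes) -> float:
    return len(reply) / len(request)


def demo():
    """Amplification with three legitimate services vs. after a registration flood."""
    da = DirectoryAgent()
    req = srvrqst()
    for i in range(3):                     # constructed sample registrations
        da.register(f"service:printer:lpr://printer{i}.example.net")
    baseline = amplification(req, da.srvrply(req))
    for i in range(20_000):                # attacker fills the response buffer
        da.register(f"service:x:http://a.example.net/{i:05d}")
    flooded = amplification(req, da.srvrply(req))
    return baseline, flooded


if __name__ == "__main__":
    base, flood = demo()
    print(f"baseline {base:.1f}x, after registration flood {flood:.1f}x")
```

The interesting line is the buffer check in `srvrply`: the reply stops growing only when the cap is reached, so once an attacker has pushed enough registrations the single small request is answered with the largest packet the server can send, and the attacker can reuse that request, with a spoofed source, as often as it likes.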

Most of the susceptible instances are located in the United States, Great Britain, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain. They are owned by a number of Fortune 1000 firms operating in technology, telecommunications, healthcare, insurance, finance, hospitality, and transportation.

Service Location Protocol (SLP) is an older Internet protocol, developed in 1997 for use in local area networks (LANs). Its purpose was to let devices on the same network discover and connect to each other's services, advertised over UDP and TCP on port 427. SLP was designed for use inside the LAN, not on the public Internet.

SLP was never meant to be exposed to the public Internet; nevertheless, businesses have deployed it on tens of thousands of devices over the years.

“Service Location offers an application’s local area network (LAN) a means for dynamically configuring the application’s settings. It is not a global resolution system for the entirety of the Internet; rather, it is intended to serve enterprise networks with shared services,” according to the protocol’s definition.