DDoS amplification attack

A recently disclosed vulnerability, CVE-2023-29552 (disclosed April 25, 2023), has revealed a new kind of DDoS attack using the Service Location Protocol (Port 427; primarily UDP, but can also be TCP). SLP allows an unauthenticated remote attacker to register arbitrary services, which inflates the size of the server's replies; spoofed UDP requests can then be used to conduct a DDoS with an amplification factor as high as 2200 times, making it one of the largest amplification attacks ever reported.

How an Amplification Attack Works

In an amplification attack, the attacker sends small requests to a server while spoofing the victim's IP address. The server's replies, which are much larger than the requests, are delivered to the victim rather than the attacker, generating massive amounts of traffic and resulting in a denial of service. The 2200x factor here means a tiny request can trigger a response thousands of times larger, directed entirely at the target.
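The pattern described above is visible in flow records: a host receives a stream of large UDP replies from port 427 on a server it sent only tiny requests to. The following is an added example (not code from the original post) that pairs requests and replies per reflector/victim pair and reports the observed amplification ratio. The flow-log line format and the sample records are constructed for illustration; the thresholds are assumptions to tune for your network.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

SLP_PORT = 427

# Hypothetical flow-log format (constructed for this example):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>udp|tcp) "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int


@dataclass(frozen=True)
class Finding:
    reflector: str        # SLP server whose replies are being reflected
    victim: str           # address the replies are sent to (spoofed source)
    request_bytes: int
    response_bytes: int
    ratio: float          # response_bytes / request_bytes


def parse_flow(line: str):
    """Parse one flow-log line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        proto=m["proto"],
        src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        bytes=int(m["bytes"]),
    )


def amplification_report(lines, min_ratio=10.0, min_response_bytes=10_000):
    """Aggregate UDP/427 traffic per (reflector, victim) pair and flag pairs
    whose reply volume dwarfs the request volume."""
    req = defaultdict(int)   # (reflector, victim) -> bytes sent to port 427
    resp = defaultdict(int)  # (reflector, victim) -> bytes sent from port 427
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "udp":
            continue
        if f.dst_port == SLP_PORT:
            req[(f.dst_ip, f.src_ip)] += f.bytes
        elif f.src_port == SLP_PORT:
            resp[(f.src_ip, f.dst_ip)] += f.bytes

    findings = []
    for reflector, victim in set(req) | set(resp):
        r = req.get((reflector, victim), 0)
        s = resp.get((reflector, victim), 0)
        # Replies with no observed request (e.g. requests not seen by this
        # collector) are treated as unbounded amplification and still flagged.
        ratio = s / r if r else float("inf")
        if s >= min_response_bytes and ratio >= min_ratio:
            findings.append(Finding(reflector, victim, r, s, ratio))
    return sorted(findings, key=lambda x: -x.response_bytes)


# Constructed sample records: 198.51.100.5 is an exposed SLP server,
# 203.0.113.10 is the spoofed victim, 198.51.100.7 serves a benign lookup.
SAMPLE_FLOW_LINES = [
    "2023-04-26T10:00:01Z udp 203.0.113.10:40001 -> 198.51.100.5:427 bytes=60",
    "2023-04-26T10:00:01Z udp 203.0.113.10:40002 -> 198.51.100.5:427 bytes=60",
    "2023-04-26T10:00:01Z udp 203.0.113.10:40003 -> 198.51.100.5:427 bytes=60",
    "2023-04-26T10:00:01Z udp 198.51.100.5:427 -> 203.0.113.10:40001 bytes=66000",
    "2023-04-26T10:00:01Z udp 198.51.100.5:427 -> 203.0.113.10:40002 bytes=66000",
    "2023-04-26T10:00:02Z udp 198.51.100.5:427 -> 203.0.113.10:40003 bytes=66000",
    "2023-04-26T10:00:05Z udp 192.0.2.20:50000 -> 198.51.100.7:427 bytes=70",
    "2023-04-26T10:00:05Z udp 198.51.100.7:427 -> 192.0.2.20:50000 bytes=150",
    "2023-04-26T10:00:09Z tcp 192.0.2.30:55000 -> 198.51.100.9:443 bytes=4000",
]

if __name__ == "__main__":
    for finding in amplification_report(SAMPLE_FLOW_LINES):
        print(f"reflector={finding.reflector} victim={finding.victim} "
              f"req={finding.request_bytes}B resp={finding.response_bytes}B "
              f"amplification={finding.ratio:.0f}x")
```

The report names both sides of the problem: the victim (where the large replies go) and the reflector (the SLP server that should not be reachable from the internet). Both views matter for a defender, since the reflector may be your own host being abused against someone else.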

How to Protect Against It

The most effective mitigation is to disable SLP (Port 427), especially on internet-facing devices and systems. Additional protections include:

  • Setting up network security controls such as firewalls
  • Implementing strong access control policies
  • Auditing which services are exposed to the internet and removing unnecessary ones

If you manage any infrastructure that uses SLP, patch or disable it as soon as possible.


Originally published on LinkedIn.