Pay Attention to New SLP Vulnerability That May Lead to Massive DDoS Amplification Attacks

May 23, 2023 | NSFOCUS

A new reflective distributed denial-of-service (DDoS) amplification vulnerability was recently discovered in the Service Location Protocol (SLP). It allows attackers to achieve a high amplification factor of over 2,200 times, potentially making it one of the largest amplification attacks ever recorded. The vulnerability has been identified as CVE-2023-29552.

SLP is a protocol that provides a dynamic configuration mechanism for applications on local area networks. It is designed to let devices on a local area network, including printers, file servers, and other network resources, interact without prior knowledge of each other. Daemons providing SLP are bound to the default port 427, both UDP and TCP.

There is no doubt that SLP should never be exposed to the public Internet. However, a recent scan of the entire Internet revealed more than 35,000 Internet endpoints with their devices’ SLP service exposed, belonging to organizations across various sectors and geographies. Cybercriminals can easily turn a 29-byte request into a roughly 65,000-byte response aimed at the target, achieving a maximum amplification factor of 2,200x.

In a real attack scenario, the extremely high amplification factor of a reflective DoS amplification attack allows cybercriminals with very limited resources to significantly impact a targeted server and cause financial loss. Organizations must implement appropriate security measures immediately to safeguard their networks and servers from being used in such attacks.

Recommendations

1. NSFOCUS recommends disabling SLP on systems connected to the public internet.

2. Blocking network traffic on UDP and TCP port 427 through access control lists on Anti-DDoS or Firewall products is recommended.

3. VMware users are advised to upgrade to a supported release that is not affected by CVE-2023-29552.

How Can NSFOCUS Help?

1. The NSFOCUS expert team has updated the cloud detection rules library with the latest rules. NTA users can improve their security protection capabilities by enabling the Detection Rule Upgrade Function (R90F04).

2. NTA users can implement the network traffic monitoring function on UDP and TCP port 427 to identify malicious activities and take timely preventive measures.

3. ADS users can add amplification protection rules to their protection groups. NSFOCUS Threat Intelligence subscribers will obtain additional protection with the TI database to always stay ahead of emerging threats.
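
The port 427 traffic monitoring described above can also be prototyped on exported flow records by comparing the bytes each SLP service receives from a peer with the bytes it sends back. This is an added example, not NSFOCUS code or part of the original post; the CSV flow format, field names, thresholds and addresses are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

SLP_PORT = 427              # default SLP port named in the advisory
MIN_RATIO = 10.0            # assumed alert threshold: response bytes / request bytes
MIN_RESPONSE_BYTES = 1400   # assumed floor so small, normal replies are ignored

# Constructed sample flow records (documentation addresses), one direction per row.
SAMPLE_FLOWS = """proto,src_ip,src_port,dst_ip,dst_port,bytes
udp,198.51.100.7,40000,192.0.2.10,427,29
udp,192.0.2.10,427,198.51.100.7,40000,65000
udp,10.0.0.5,51000,192.0.2.20,427,60
udp,192.0.2.20,427,10.0.0.5,51000,120
tcp,10.0.0.6,52000,192.0.2.10,427,300
udp,10.0.0.9,53000,192.0.2.30,53,40
"""

def find_slp_amplification(flow_csv, min_ratio=MIN_RATIO, min_resp=MIN_RESPONSE_BYTES):
    """Return (reflector, peer, req_bytes, resp_bytes, ratio) for suspicious UDP/427 pairs."""
    req = defaultdict(int)    # (server, peer) -> bytes sent to server:427
    resp = defaultdict(int)   # (server, peer) -> bytes sent from server:427
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # spoofed-source reflection relies on connectionless UDP
        size = int(row["bytes"])
        if int(row["dst_port"]) == SLP_PORT:
            req[(row["dst_ip"], row["src_ip"])] += size
        elif int(row["src_port"]) == SLP_PORT:
            resp[(row["src_ip"], row["dst_ip"])] += size
    findings = []
    for (server, peer), resp_bytes in resp.items():
        req_bytes = req.get((server, peer), 0)
        # A response with no observed request is treated as unbounded amplification.
        ratio = resp_bytes / req_bytes if req_bytes else float("inf")
        if resp_bytes >= min_resp and ratio >= min_ratio:
            findings.append((server, peer, req_bytes, resp_bytes, ratio))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for server, peer, rq, rs, ratio in find_slp_amplification(SAMPLE_FLOWS):
        print(f"reflector={server} peer={peer} req={rq}B resp={rs}B ratio={ratio:.0f}x")
```

A flagged reflector is a host whose SLP service should be disabled or filtered as recommended above; the peer address in a finding is the likely target of the reflected traffic, not its origin.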