CVE-2023-29552: Abusing the SLP Protocol to Launch Massive DDoS Amplification Attacks

 


What is SLP protocol?

Service Location Protocol (SLP) is a network protocol designed to simplify the process of discovering and accessing network services. Developed by the Internet Engineering Task Force (IETF) and defined in RFC 2608, SLP eliminates the need for users or administrators to manually configure clients with the addresses of available network services. Instead, it allows devices and applications to automatically find and connect to services in their local area networks (LANs). Since the SLP protocol doesn’t require authentication, anyone can register new services, which is why it wasn’t intended to be publicly available over the Internet.

How Does SLP Work?

SLP operates based on a request-response model that involves three primary components: User Agents (UAs), Service Agents (SAs), and Directory Agents (DAs).

  • User Agents (UAs): UAs are clients seeking network services. They send out service requests to discover the available services in the network.
  • Service Agents (SAs): SAs represent the network services themselves. They advertise the services they offer and respond to service requests from UAs.
  • Directory Agents (DAs): DAs act as a centralized repository for service information. They cache the advertisements from SAs, and UAs can query them to find the desired services more efficiently. Although DAs are optional, their presence improves the overall performance of the SLP system.

Understanding How CVE-2023-29552 Works

The attack technique allows an unauthenticated, remote attacker to register arbitrary services. This would enable the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor.

The researchers uncovered a novel technique in which attackers can register new bogus services until the SLP servers are overwhelmed and deny more entries.

Attackers can then send requests to the SLP server to list its services, forging the source IP as the victim’s IP. The vulnerable SLP servers then send the SLP reply packets which contain the list of bogus services. This results in a massive DDoS amplification attack that could potentially reach an amplification magnitude of up to 2,200X.Assuming each reply packet from one exposed SLP server could be up to 64,000 bytes long, or higher, an attacker would need to send a server listing request simultaneously to 2,000 SLP servers. That’s less than 10% of all publicly exposed SLP servers. This would enable the attacker to overwhelm any IP with a whopping 1Gbps of malicious traffic that consists of the replies from the SLP servers.

In theory, SLP servers are capable of replying to multiple requests simultaneously. It is estimated that there are 33,000 exposed servers on the internet; therefore, this attack technique could be quite massive.

E.R

Comments

Popular posts from this blog

CISA and ENISA enhance their Cooperation

Top Five Most Exploited Vulnerabilities in January 2024

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes