DDoS amplification

SLP: a new DDoS amplification vector in the wild

@ndma 27 Apr 2023

Threat Actor

unknown

Description

Researchers from Bitsight and Curesec jointly discovered CVE-2023-29552 (CVSS 8.6). If exploited, CVE-2023-29552 allows an attacker to leverage vulnerable instances to launch a DoS attack — sending massive amounts of traffic to a victim — via a reflective amplification attack.

Reflection coupled with service registration significantly amplifies the amount of traffic sent to the victim. The typical reply packet size from an SLP server is between 48 and 350 bytes. Assuming a 29-byte request, the amplification factor — or the ratio of reply to request magnitudes — is roughly between 1.6X and 12X in this situation. However, SLP allows an unauthenticated user to register arbitrary new services, meaning an attacker can manipulate both the content and the size of the server reply, resulting in a maximum amplification factor of over 2200X due to the roughly 65,000 byte response given a 29-byte request. This extremely high amplification factor allows for an under-resourced threat actor to have a significant impact on a targeted network and/or server via a reflective DoS amplification attack.

Typical reflective DoS amplification attack:

  • Step 1: The attacker finds an SLP server on UDP port 427.

  • Step 2: The attacker spoofs a request to that service with the victim's IP as the origin.

  • Step 3: The attacker repeats step two as long as the attack is ongoing.

Reflective DoS amplification attack leveraging CVE-2023-29552:

  • Step 1: The attacker finds an SLP server on UDP port 427.

  • Step 2: The attacker registers services until SLP denies more entries.

  • Step 3: The attacker spoofs a request to that service with the victim's IP as the origin.

  • Step 4: The attacker repeats step three as long as the attack is ongoing.

Product/Vendor                           Amplification Factor
Planex Routers                           2200x
IBM Integrated Management Module (IMM)   2200x
Konica Minolta printers                  1180x
VMWare ESXi hypervisor                   300x

Reference

https://blog.cloudflare.com/slp-new-ddos-amplification-vector/
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
https://curesec.com/blog/article/CVE-2023-29552-Service-Location-Protocol-Denial-of-Service-Amplification-Attack-212.html

Last updated