Service Location Protocol (SLP) Reflection/Amplification Attack Mitigation Recommendations
ASERT Threat Summary
Date/Time: April 26, 2023
Contributors: Chris Conrad, Richard Hummel, Pedro Umbelino, Marco Lux
The Service Location Protocol (SLP) is intended to allow the automated discovery of shared services within a local area network (LAN) without the need for prior configuration on the part of client systems. Its primary use to date has been to facilitate the identification and use of shared network printers. SLP-enabled nodes listen for service registration requests and service location queries on UDP/427 and TCP/427. While SLP is not specifically designed to prevent its use across the public internet, its intended scope of use is within private LANs.
In April 2023, security researchers from Bitsight and Curesec publicly disclosed a UDP reflection/amplification DDoS attack vector leveraging Internet-exposed SLP-enabled nodes. Due to the nature of the SLP service registration process, attackers can prime abusable SLP reflectors/amplifiers with sufficient numbers of arbitrary service descriptor entries to yield a maximum amplification ratio of 2200:1. Priming of abusable SLP reflectors/amplifiers can take place via UDP/427 or TCP/427.
ASERT researchers have identified a population of ~35,000 potentially abusable SLP reflectors/amplifiers accessible via the public internet. The majority of these SLP reflectors/amplifiers appear to be server-class computers running older, unpatched versions of the VMWare ESXi bare-metal hypervisor. VMWare have previously issued multiple advisories for compromise vulnerabilities associated with the SLP service running on unpatched ESXi servers, and there have been public reports of the active exploitation of these vulnerabilities.
SLP reflection/amplification DDoS attacks consist both of initial fragments sourced from UDP/427 and of non-initial UDP fragments (which carry no port numbers) on the reflector/amplifier – target leg of the attack path. The initial fragment component of the amplified attack traffic can be directed towards arbitrary target UDP ports of the attacker's choice.
The nature of this reflection/amplification vector, combined with the computing power and internet transit capacity available to a substantial proportion of abusable SLP reflectors/amplifiers, indicates that attackers can potentially launch extremely high-volume, high-impact SLP reflection/amplification DDoS attacks. SLP reflection/amplification can be leveraged in carpet-bombing DDoS attacks targeting one or more entire network address ranges.
Note that this reflection/amplification DDoS attack vector has been publicly disclosed as CVE-2023-29552.
The collateral impact of SLP reflection/amplification attacks is potentially significant for organizations whose internet-exposed VMWare ESXi servers or other SLP-enabled systems can be abused as DDoS reflectors/amplifiers. This may include partial or full interruption of all applications and services in all virtual machines (VMs) running on these systems, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of NATs and stateful firewalls, etc.
Blanket filtering of all UDP/427-sourced traffic by network operators may overblock legitimate internet traffic, and will not affect the fraction of attack traffic consisting of UDP non-initial fragments. Additionally, wholesale filtering of UDP non-initial fragments will disrupt legitimate DNS response traffic, and is therefore strongly contraindicated.
VMWare have provided patched software versions which prevent SLP-enabled ESXi servers from being abused as DDoS reflectors/amplifiers. VMWare customers should contact the vendor for remediation instructions. Operators of other SLP-enabled systems such as print servers should contact relevant vendors for remediation instructions.
Collateral impact to abusable SLP reflectors/amplifiers can alert network operators and/or end-customers to remove affected systems from DMZ networks or Internet Data Centers (IDCs), or to disable relevant UDP port-forwarding rules which allow specific UDP/427 traffic sourced from the public internet to reach these devices, thereby preventing them from being abused to launch reflection/amplification DDoS attacks.
Operators of internet-exposed systems which can be leveraged as SLP reflectors/amplifiers can prevent abuse of their systems to launch DDoS attacks by blocking incoming internet traffic destined for UDP/427 via access control lists (ACLs), firewall rules, and other standard network access control policy enforcement mechanisms.
Implementation of ingress and egress source-address validation (SAV; also known as anti-spoofing) can prevent attackers from launching reflection/amplification DDoS attacks.
Network operators should perform reconnaissance to identify and facilitate remediation of abusable SLP reflectors/amplifiers on their networks and/or the networks of their customers. Operators of VMware ESXi systems should proactively contact VMware in order to receive specific remediation instructions from the vendor. Operators of other SLP-enabled systems such as print servers should contact relevant vendors for remediation instructions.
SLP reflection/amplification DDoS attacks are sourced from UDP/427, and also include non-initial UDP fragments; this amplified attack traffic may be safely detected, classified, traced back, and mitigated using standard DDoS defense tools and techniques.
Flow telemetry and packet capture via open-source and commercial analysis systems can alert network operators and end-customers of SLP reflection/amplification attacks.
Destination-based remotely-triggered blackhole (D/RTBH), source-based remotely-triggered blackhole (S/RTBH), and intelligent DDoS mitigation systems can be used to mitigate these attacks. Access control lists (ACLs), firewall rules, and other standard network access control policy enforcement mechanisms can be used to suppress these attacks by blocking incoming network traffic destined for UDP/427 on relevant network address ranges.
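As an added illustration of the detection logic described above (example code written for this summary, not ASERT's or any vendor's tooling), the following Python classifies constructed flow records: it counts UDP/427-sourced initial fragments per target and attributes port-less non-initial fragments to the attack only when their source is already a UDP/427 reflector for that target, so fragmented DNS responses from unrelated hosts are never counted. The record layout, the `min_reflectors` threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

UDP, SLP_PORT = 17, 427

class Flow(NamedTuple):
    # One NetFlow/IPFIX-style record (constructed shape for this example).
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int        # 0 for a non-initial fragment: no UDP header, so no ports
    dst_port: int
    octets: int
    non_initial_frag: bool

def classify_slp_reflection(flows: Iterable[Flow], min_reflectors: int = 3) -> Dict[str, dict]:
    flows = list(flows)
    # Pass 1: hosts sending UDP traffic sourced from port 427 towards each target.
    reflectors, initial = defaultdict(set), defaultdict(int)
    for f in flows:
        if f.proto == UDP and not f.non_initial_frag and f.src_port == SLP_PORT:
            reflectors[f.dst_ip].add(f.src_ip)
            initial[f.dst_ip] += f.octets
    # Pass 2: non-initial fragments carry no ports, so count them as attack traffic only
    # when their source is already a known UDP/427 reflector for that same target.
    attributed, unattributed = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto == UDP and f.non_initial_frag and f.dst_ip in reflectors:
            bucket = attributed if f.src_ip in reflectors[f.dst_ip] else unattributed
            bucket[f.dst_ip] += f.octets
    report = {}
    for dst, srcs in reflectors.items():
        if len(srcs) < min_reflectors:
            continue  # a few stray UDP/427 flows are ordinary SLP, not an attack
        total = initial[dst] + attributed[dst]
        report[dst] = {"reflectors": len(srcs), "initial_octets": initial[dst],
                       "non_initial_octets": attributed[dst],
                       "unattributed_frag_octets": unattributed[dst],
                       "non_initial_share": attributed[dst] / total if total else 0.0}
    return report

# Constructed sample: four reflectors hitting one target on an arbitrary port (80),
# a fragmented DNS reply to a second host, and a lone UDP/427 flow to a third.
SAMPLE_FLOWS = (
    [Flow(f"192.0.2.{i}", "203.0.113.10", UDP, SLP_PORT, 80, 1_400_000, False) for i in range(1, 5)]
    + [Flow(f"192.0.2.{i}", "203.0.113.10", UDP, 0, 0, 2_800_000, True) for i in range(1, 5)]
    + [Flow("198.51.100.7", "203.0.113.10", UDP, 0, 0, 3_600, True),      # fragment, not a reflector
       Flow("198.51.100.53", "203.0.113.20", UDP, 53, 41234, 1_500, False),
       Flow("198.51.100.53", "203.0.113.20", UDP, 0, 0, 2_400, True),     # legitimate fragmented DNS
       Flow("192.0.2.9", "203.0.113.30", UDP, SLP_PORT, 427, 200, False)]
)
```

The `unattributed_frag_octets` figure is what a blanket non-initial-fragment filter would wrongly drop alongside the attack; the per-target reflector set is what a source-based blackhole (S/RTBH) would act on.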
Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally-specific network access policies which only permit internet traffic via required IP protocols and ports. Internet access traffic to/from internal organizational personnel should be kept separate from internet traffic to/from public-facing internet properties, and served via separate upstream internet transit links.
DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally-appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. Critical ancillary supporting services such as authoritative and recursive DNS servers must be included in the plan.
Applicable Mitigation Mechanisms: Destination-based remotely-triggered blackhole (D/RTBH), source-based remotely-triggered blackhole (S/RTBH), intelligent DDoS mitigation systems (IDMSes)
All potential DDoS attack mitigation/suppression measures described in this document *MUST* be tested and customized in a situationally-appropriate manner prior to deployment on production networks.