DDoS attacks have been a problem for years, but a new vulnerability in the Service Location Protocol (SLP) could enable massive attacks with an amplification factor of up to 2200X. In this article, we’ll explain how DDoS attacks work, what SLP is, and how to mitigate the SLP vulnerability.
What is a DDoS attack?
DDoS (Distributed Denial of Service) attacks are one of the most popular cyber-attacks that hackers use to take down websites or disrupt online services. The goal of a DDoS attack is to flood a website or a network with an overwhelming amount of traffic, making it impossible for legitimate traffic to get through.
How do DDoS attacks work?
DDoS attacks typically involve multiple computers or devices that are infected with malware and under the control of an attacker. These infected devices, collectively called a “botnet,” are used to send a large amount of traffic to a targeted website or server. The result is a “denial of service” for legitimate users, who are unable to access the targeted resource.
What is the Service Location Protocol (SLP)?
The Service Location Protocol (SLP) is a protocol that’s used to discover services on a network. It was developed in 1997 and is still in use today. SLP allows network devices to advertise their services, and other devices to discover them. For example, if you’re looking for a printer on your network, you can use SLP to discover it automatically.
What is the SLP vulnerability?
The SLP vulnerability is a new vulnerability that was discovered by security researchers from Bitsight and Curesec. It allows attackers to abuse exposed SLP endpoints in a specific way that generates large responses and reflects those responses toward victims.
How does the SLP vulnerability work?
The SLP vulnerability allows attackers to use SLP endpoints to generate massive attacks. Attackers can query the available services on an SLP server with a 29-byte request, and the server reply will typically be between 48 and 350 bytes. This is an amplification factor of between 1.6X and 12X. However, the researchers found that many SLP implementations allow unauthenticated users to register arbitrary new services on an SLP endpoint, which inflates subsequent server responses up to the practical limit of UDP packets, which is 65,536 bytes.
An attacker first sends registration packets to the SLP server until its buffer is full and the server no longer accepts new registrations. They can then proceed with a regular reflection attack by sending requests for service lists with a spoofed source IP address. The result is a massive amplification factor of 2200X: 29-byte requests generating 65,000-byte responses.
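The registration-then-reflection pattern described above leaves a detectable footprint on the SLP host itself: external peers sending SrvReg messages, and reply byte counts that dwarf the request byte counts for a given peer. The following script is an added example (not code from the article or from the Bitsight/Curesec research) that decodes the fixed SLPv2 header from RFC 2608, then scores per-peer amplification over a constructed set of UDP/427 datagrams; the peer addresses, service names, the 10X threshold and the helper `slp_msg` are all assumptions made for the demonstration.

```python
from collections import defaultdict

# SLPv2 function IDs (RFC 2608) that matter for the registration-then-reflection scenario.
FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 9: "SrvTypeRqst", 10: "SrvTypeRply"}

def slp_msg(func: int, body: bytes, xid: int, lang: bytes = b"en") -> bytes:
    """Assemble an SLPv2 datagram: 14-byte fixed header, language tag, body (used for sample data)."""
    total = 14 + len(lang) + len(body)
    return (bytes([2, func]) + total.to_bytes(3, "big") + b"\x00\x00"   # version, function, length, flags
            + b"\x00\x00\x00" + xid.to_bytes(2, "big")                   # next-extension offset, XID
            + len(lang).to_bytes(2, "big") + lang + body)

def parse_slp_header(payload: bytes) -> dict:
    """Decode the fixed SLPv2 header; raises on datagrams too short to carry one."""
    if len(payload) < 14:
        raise ValueError("datagram too short for an SLPv2 header")
    func = payload[1]
    lang_len = int.from_bytes(payload[12:14], "big")
    return {"version": payload[0], "function": FUNCTIONS.get(func, f"unknown({func})"),
            "length": int.from_bytes(payload[2:5], "big"),
            "overflow": bool(payload[5] & 0x80), "xid": int.from_bytes(payload[10:12], "big"),
            "lang": payload[14:14 + lang_len].decode("ascii", "replace")}

def reflector_report(records, ratio_threshold: float = 10.0) -> dict:
    """records: (direction, peer_ip, payload) tuples for UDP/427 traffic at one SLP host, with
    direction 'in' for datagrams the host receives and 'out' for replies it sends. A peer is flagged
    when it registers services (SrvReg) or when reply bytes exceed request bytes by ratio_threshold."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "regs": 0})
    for direction, peer, payload in records:
        s = stats[peer]
        s[direction] += len(payload)
        if direction == "in" and parse_slp_header(payload)["function"] == "SrvReg":
            s["regs"] += 1
    report = {}
    for peer, s in stats.items():
        ratio = s["out"] / s["in"] if s["in"] else 0.0
        report[peer] = {**s, "ratio": round(ratio, 1),
                        "suspect": s["regs"] > 0 or ratio >= ratio_threshold}
    return report

# Constructed sample traffic (documentation address ranges, not real hosts).
SRVTYPE_RQST = slp_msg(9, b"\x00\x00" + b"\xff\xff" + b"\x00\x07DEFAULT", 0x1001)   # 29 bytes on the wire
BLOATED_RPLY = slp_msg(10, b"\x00\x00" + (2000).to_bytes(2, "big") + b"service:constructed," * 100, 0x1001)
URL = b"service:constructed://192.0.2.99"
SRV_REG = slp_msg(3, b"\x00\xff\xff" + len(URL).to_bytes(2, "big") + URL + b"\x00"
                  + b"\x00\x13service:constructed" + b"\x00\x07DEFAULT" + b"\x00\x00\x00", 0x2002)
SAMPLE = [("in", "203.0.113.9", SRV_REG),                                             # external peer registering
          ("in", "198.51.100.7", SRVTYPE_RQST), ("out", "198.51.100.7", BLOATED_RPLY),  # reflected, ~70X
          ("in", "192.0.2.5", SRVTYPE_RQST), ("out", "192.0.2.5", slp_msg(10, b"\x00\x00\x00\x00", 0x1002))]
```

Calling `reflector_report(SAMPLE)` flags both the registering peer and the peer receiving the bloated replies, while the peer with an empty service-type reply stays below the threshold.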
What are the implications of the SLP vulnerability?
The SLP vulnerability could have significant implications for businesses that have devices with SLP endpoints exposed to the internet. Attackers could use these endpoints to generate massive DDoS attacks, making it difficult for businesses to operate online.
How can businesses mitigate the SLP vulnerability?
The researchers recommend disabling SLP on all systems running on untrusted networks, like those directly connected to the Internet. If that’s not possible, firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.
The SLP vulnerability is a significant vulnerability that could enable massive DDoS attacks. It’s important for businesses to take steps to mitigate this vulnerability, such as disabling SLP on untrusted networks and configuring firewalls to filter traffic on UDP and TCP port 427. By taking these steps, businesses can protect themselves from the potentially devastating effects of a DDoS attack.
The following recommendations should be followed to protect your organization's assets from potential exploitation:
Disable SLP on exposed systems.
Configure a firewall to filter traffic on UDP and TCP port 427.
Have an incident response plan in place.
Ensure that robust security measures and access controls are implemented.