CVE-2023-29552 - Service Location Protocol (SLP) Amplification Attacks Explained
In April 2023, security researchers revealed a dangerous vulnerability in the Service Location Protocol (SLP), documented as CVE-2023-29552. This vulnerability lets attackers use SLP to amplify denial-of-service (DoS) attacks through spoofed UDP packets. Even worse, the amplification factor can reach up to 220x, making SLP-based attacks far more dangerous.
Let's break down what SLP is, how the attack works, look at a simple proof-of-concept, and explore ways to protect your systems.
What is SLP?
SLP, or Service Location Protocol (defined in RFC 2608), is a network protocol for automatically discovering services (like printers or file shares) on a local network. It runs over UDP on port 427 and, in typical deployments, requires no authentication, which is what makes it easy for attackers to abuse.
How Does the Attack Work?
The vulnerability exists because SLP services by default do not require authentication and will allow any client to register arbitrary services. Attackers can abuse these features in two steps:
1. Register Large Services: Attackers send many SLP “service registration” requests, adding huge data blobs or many fake entries.
2. Trigger DoS Amplification: Next, they send a small, spoofed lookup request (pretending to be from the victim). The vulnerable SLP server replies with all registered services—potentially sending a huge response to the victim, overwhelming their network with amplified traffic.
Here’s a simplified diagram:

Attacker                              SLP Server                 Victim
   |  Register fake services               |                        |
   |-------------------------------------->|                        |
   |  Spoofed 'find services' request      |                        |
   |-------------------------------------->|                        |
   |                                       |---- large response --->|
Because the lookup request is so small but the response can be massive, attackers achieve up to 220x amplification.
Proof-of-Concept Code
Below is a Python snippet to illustrate how an attacker might register a dummy service using SLP (UDP port 427). This is for educational purposes only. Conducting unauthorized testing is illegal.
import socket

SLP_SERVER = '192.0.2.1'  # Replace with target server's IP (RFC 5737 documentation address used here)
SLP_PORT = 427

# SLP Service Registration packet (simplified): version 2, function ID 3 (SrvReg),
# 3-byte length, 2-byte flags, and the start of the next-extension offset
packet = b'\x02\x03\x00\x10\x00\x00\x00\x00'
packet += b'service:foo://malicious' + b'\x00'  # Fake service URL

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(packet, (SLP_SERVER, SLP_PORT))
sock.close()
print("Fake service registration sent.")
After many such registrations, a crafted "service request" with a spoofed source address (the attacker pretends to be the victim) can trigger the amplification.
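To recognise this pattern on the wire rather than produce it, here is an added example (not from the original post) that decodes the SLPv2 header defined in RFC 2608 and flags two signs of abuse over constructed sample datagrams: service registrations arriving from outside the trusted address ranges, and replies far larger than the request that triggered them. The internal ranges, IP addresses and datagrams are constructed assumptions for illustration.

```python
import ipaddress
SLP_PORT = 427
FUNCTION_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck", 6: "AttrRqst",
                  7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst", 10: "SrvTypeRply", 11: "SAAdvert"}
# Address ranges treated as "inside" for this example (constructed assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_slp_header(data):
    """Decode the fixed SLPv2 header (RFC 2608 section 8); None if not SLPv2."""
    if len(data) < 14 or data[0] != 2:
        return None
    lang_len = int.from_bytes(data[12:14], "big")
    return {"function": FUNCTION_NAMES.get(data[1], f"unknown({data[1]})"),
            "length": int.from_bytes(data[2:5], "big"),   # 3-byte total length
            "xid": int.from_bytes(data[10:12], "big"),
            "lang": data[14:14 + lang_len].decode("ascii", "replace")}

def build_header(func_id, body_len, xid, lang=b"en"):
    """Build a well-formed SLPv2 header for the constructed sample datagrams."""
    total = 14 + len(lang) + body_len
    return (b"\x02" + bytes([func_id]) + total.to_bytes(3, "big") + b"\x00\x00"
            + b"\x00\x00\x00" + xid.to_bytes(2, "big") + len(lang).to_bytes(2, "big") + lang)

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def flag_slp_abuse(flows, ratio_threshold=50.0):
    """flows: (src_ip, dst_ip, dst_port, payload) tuples. Returns alert strings."""
    alerts, req_size = [], {}            # req_size: (server, xid) -> request bytes
    for src, dst, dport, payload in flows:
        hdr = parse_slp_header(payload)
        if hdr is None:
            continue
        if dport == SLP_PORT and hdr["function"] == "SrvReg" and not is_internal(src):
            alerts.append(f"SrvReg from external host {src} to {dst}")
        elif dport == SLP_PORT and hdr["function"] == "SrvRqst":
            req_size[(dst, hdr["xid"])] = len(payload)
        elif hdr["function"] == "SrvRply" and (src, hdr["xid"]) in req_size:
            ratio = len(payload) / req_size[(src, hdr["xid"])]
            if ratio >= ratio_threshold:
                alerts.append(f"{src} replied {ratio:.0f}x larger than the request to {dst}")
    return alerts

# Constructed sample traffic: external SrvReg, then a 20-byte SrvRqst answered by a 1216-byte SrvRply (~61x).
SAMPLE_FLOWS = [
    ("203.0.113.10", "10.0.0.20", 427, build_header(3, 40, xid=7) + b"x" * 40),
    ("198.51.100.5", "10.0.0.20", 427, build_header(1, 4, xid=9) + b"\x00" * 4),
    ("10.0.0.20", "198.51.100.5", 40000, build_header(2, 1200, xid=9) + b"y" * 1200),
]
```

Running flag_slp_abuse(SAMPLE_FLOWS) yields one alert for the external registration and one for the oversized reply; the same parser can be pointed at real UDP/427 captures.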
Real-World Impact
Attackers are already scanning the internet for SLP servers. In Shadowserver's report, over 54,000 vulnerable SLP endpoints were found, offering over 7 terabytes per second of potential attack bandwidth.
How to Protect Your Systems
- Disable SLP on devices unless strictly needed, especially on internet-facing servers.
- Patch and update firmware/software where vendors release fixes.
Example for firewall (Linux iptables), dropping inbound UDP port 427:
sudo iptables -A INPUT -p udp --dport 427 -j DROP
References
- CVE-2023-29552 - NIST
- Shadowserver SLP Analysis
- RFC 2608 (SLP)
Conclusion
CVE-2023-29552 is a textbook example of how simple, overlooked services can create major security risks. The SLP protocol was designed for convenience, but its lack of authentication made it ripe for abuse. Massive amplification turns minor UDP requests into huge traffic floods, easily weaponized in DDoS attacks.
Take action: Audit your networks, disable unused services, and always follow the "default deny" principle on your firewalls.
For more in-depth technical details and active mitigations, refer to the original advisories.
Timeline
Published on: 04/25/2023 16:15:00 UTC
Last modified on: 05/04/2023 19:07:00 UTC