Security researchers have sounded the alarm about a vulnerability in a UDP-based network service called Service Location Protocol (SLP) that can be abused to amplify DDoS attacks. Tens of thousands of systems and devices have this service exposed to the Internet. Attackers could use them to generate massive attacks, and cleaning them up will likely take a long time.
Researchers from security firms Bitsight and Curesec found a vulnerability that allows attackers to exploit SLP endpoints in a specific way that will generate large responses and then reflect those responses back to victims.
How DDoS reflection attacks and DDoS amplification work
DDoS reflection is an attack technique in which the attacker sends traffic to a third-party server and arranges for that server's response to be delivered to a different IP address, the victim's. This type of attack typically works with communication protocols built on top of the User Datagram Protocol (UDP), which along with the Transmission Control Protocol (TCP) is one of the basic protocols for transmitting data over the Internet.
Unlike TCP, however, UDP is connectionless: there is no handshake before data is exchanged, so a server has no way to verify that the source address on an incoming datagram belongs to the host that actually sent it. This makes UDP services susceptible by design to source address spoofing. An attacker can send a UDP packet to a server with the victim's IP address in the source field instead of their own, and the server will send its response to that spoofed address.
In addition to the reflection effect, which hides the real origin of the traffic, with certain UDP-based protocols the resulting traffic can also be amplified, meaning that the response generated is much larger than the original request. This is known as DDoS amplification and is very useful for attackers because it allows them to direct far more unsolicited traffic at a target than they could by sending packets directly from machines under their control; the amplification factor is simply the ratio of response bytes to request bytes.
DDoS amplification works with a variety of protocols including DNS (Domain Name System), mDNS (Multicast DNS), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), SNMP (Simple Network Management Protocol) and others, because they all use UDP for transport and can return responses larger than the requests that trigger them. Servers exposed to the Internet that accept packets in these protocols and generate responses can therefore be abused for DDoS amplification, and they have historically been used to generate some of the largest DDoS attacks to date.
The SLP vulnerability
The Service Location Protocol (SLP) is a legacy protocol that dates back to 1997 and was intended to be used on local networks for automated service discovery and dynamic configuration between applications. A system's SLP daemon maintains a directory of available services such as printers, file servers, and other network resources. It listens for requests on UDP port 427 (TCP port 427 is also used, for messages that do not fit in a single datagram).
Although SLP was not intended to be exposed outside local networks, Bitsight and Curesec researchers identified more than 54,000 devices that accept SLP connections on the Internet. These devices belong to more than 2,000 organizations worldwide and cover 670 different product types, including VMware ESXi hypervisor instances, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM) and SMC IPMI.
Like many other UDP-based protocols, public SLP endpoints can be abused for DDoS amplification: an attacker can ask an SLP server to list its available service types with a 29-byte request, and the server's response will typically be between 48 and 350 bytes, an amplification factor of between 1.6X and 12X. However, the researchers found that many SLP implementations allow unauthenticated users to register arbitrary new services on an SLP endpoint, which inflates all subsequent listing responses up to the practical size limit of a single UDP datagram, about 64 KB (65,536 bytes in the researchers' description).
All attackers have to do is first send registration packets to the SLP server until its service table is full and it stops accepting new registrations. They can then proceed with a regular reflection attack by sending service listing requests with the victim's address as the spoofed source IP. The result is a massive amplification factor of roughly 2200X: 29-byte requests generating responses of around 65,000 bytes.
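The 29-byte request above is an SLPv2 Service Type Request (SrvTypeRqst, RFC 2608 section 10.1) with an empty previous-responder list, the "all naming authorities" marker and the scope DEFAULT; the reply is a SrvTypeRply carrying a comma-separated list of service types, so its size grows with every service that has been registered. The following script is an added example written for this page, not code from Bitsight, Curesec or the article: it builds that request, parses the reply and computes the amplification factor, so an operator can probe hosts they are authorised to test and see how much larger than 29 bytes each reply is. The sample replies are constructed locally with build_srvtyperply for offline use; the probe function sends a single unspoofed request and only talks to the host you name. Function names and the XID value are this example's own choices.

```python
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVTYPERQST = 9      # Service Type Request (RFC 2608 section 10.1)
FN_SRVTYPERPLY = 10     # Service Type Reply   (RFC 2608 section 10.2)
FLAG_OVERFLOW = 0x8000  # header flag: reply was truncated to fit one datagram
NA_ALL = 0xFFFF         # naming-authority length meaning "all naming authorities"


def slp_header(function_id, body_len, xid, flags=0, lang=b"en"):
    """SLPv2 common header (RFC 2608 section 8): version, function-ID,
    3-byte total length, flags, 3-byte next-extension offset, XID and
    language tag. The length field counts header and body together."""
    total = 14 + len(lang) + body_len
    return (bytes([SLP_VERSION, function_id])
            + total.to_bytes(3, "big")
            + struct.pack("!H", flags)
            + (0).to_bytes(3, "big")
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang)) + lang)


def build_srvtyperqst(xid=0x1234, scope=b"DEFAULT"):
    """SrvTypeRqst for every service type in every naming authority, with
    an empty previous-responder list: 16 header + 13 body = 29 bytes."""
    body = (struct.pack("!H", 0)                      # <PRList> length (empty)
            + struct.pack("!H", NA_ALL)               # naming authority: all
            + struct.pack("!H", len(scope)) + scope)  # <scope-list>
    return slp_header(FN_SRVTYPERQST, len(body), xid) + body


def build_srvtyperply(xid, service_types, overflow=False):
    """SrvTypeRply as a responder would send it. Used here only to
    construct sample replies for offline testing (constructed data)."""
    listing = ",".join(service_types).encode()
    body = struct.pack("!HH", 0, len(listing)) + listing   # error code, list
    flags = FLAG_OVERFLOW if overflow else 0
    return slp_header(FN_SRVTYPERPLY, len(body), xid, flags) + body


def parse_header(data):
    if len(data) < 14:
        raise ValueError("short SLP header")
    lang_len = struct.unpack("!H", data[12:14])[0]
    return {
        "version": data[0],
        "function": data[1],
        "length": int.from_bytes(data[2:5], "big"),
        "flags": struct.unpack("!H", data[5:7])[0],
        "xid": struct.unpack("!H", data[10:12])[0],
        "hdr_len": 14 + lang_len,
    }


def parse_srvtyperply(data):
    h = parse_header(data)
    if h["version"] != SLP_VERSION or h["function"] != FN_SRVTYPERPLY:
        raise ValueError("not an SLPv2 SrvTypeRply")
    off = h["hdr_len"]
    if len(data) < off + 4:
        raise ValueError("truncated SrvTypeRply body")
    err, n = struct.unpack("!HH", data[off:off + 4])
    listing = data[off + 4:off + 4 + n].decode("utf-8", "replace")
    return {
        "xid": h["xid"],
        "error": err,
        "overflow": bool(h["flags"] & FLAG_OVERFLOW),
        "types": [t for t in listing.split(",") if t],
    }


def amplification_factor(request, reply):
    """Bytes returned per byte sent, rounded to one decimal."""
    return round(len(reply) / len(request), 1)


def probe(host, timeout=2.0):
    """Send one SrvTypeRqst to host:427 and report what comes back.
    Only run this against hosts you are authorised to test."""
    req = build_srvtyperqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    result = parse_srvtyperply(data)
    result["reply_bytes"] = len(data)
    result["factor"] = amplification_factor(req, data)
    return result


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host) or "no SLP reply")
```

A host that answers with the overflow flag set, or with a factor well above the 12X the researchers measured for unmodified servers, is one whose service table has already been stuffed, or is large enough to be worth stuffing, and should be firewalled first.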
Given the high number of affected products, the researchers coordinated the disclosure of the vulnerability through the Cybersecurity and Infrastructure Security Agency (CISA), which issued its own alert. VMware has also issued an advisory for ESXi, but noted that only end-of-life versions of the hypervisor are affected. The vulnerability is tracked as CVE-2023-29552 and has a CVSS severity score of 8.6 (High).
Mitigation of SLP vulnerability
“SLP should be disabled on all systems running on untrusted networks, such as those connected directly to the Internet,” the researchers said. “If this is not possible, then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.”
CVE-2023-29552 is not the first vulnerability to affect SLP. VMware fixed several flaws in its OpenSLP implementation on ESXi over the years, and in 2021 disabled the service by default in new releases. It is now advising all customers to disable the service, especially since ransomware gangs have begun exploiting one such vulnerability: a heap overflow in OpenSLP tracked as CVE-2021-21974, used in the ESXiArgs ransomware campaign against unpatched ESXi hosts.
The countries with the highest number of vulnerable devices are the United States, the United Kingdom, Japan, Germany, and Canada. Unfortunately, because devices are spread across so many organizations, it’s likely that a significant percentage of them will remain exposed to the Internet for a long time, increasing the chances that we’ll see DDoS attacks with SLP amplification soon.
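Disabling SLP or filtering port 427 is the fix; until every exposed host is cleaned up, the operator of such a host can at least recognise when it is being used as a reflector. From the reflector's network edge the signature is outbound UDP traffic with source port 427 to an external address, with datagrams far larger than a normal SrvTypeRply, paired with a stream of small inbound requests that carry the victim's (spoofed) address. The following detection routine is an added example written for this page, not tooling from the researchers or the article; the flow records are constructed sample data in a simple whitespace-separated format, and the 1000-byte average-size threshold and the 203.0.113.0/24 "internal" range are assumptions to adjust for your own network.

```python
import ipaddress
from collections import defaultdict

SLP_PORT = 427
# Assumption: a benign SrvTypeRply is at most a few hundred bytes, so an
# average outbound port-427 datagram above this size is treated as amplified.
MIN_AVG_REPLY_BYTES = 1000

# Constructed sample flow records (not real traffic), one flow per line:
# timestamp src_ip src_port dst_ip dst_port proto packets bytes
SAMPLE_FLOWS = """\
2023-04-25T10:00:01Z 198.51.100.7 41234 203.0.113.10 427 udp 1200 34800
2023-04-25T10:00:01Z 198.51.100.7 41234 203.0.113.11 427 udp 900 26100
2023-04-25T10:00:01Z 203.0.113.10 427 198.51.100.7 41234 udp 1200 78000000
2023-04-25T10:00:01Z 203.0.113.11 427 198.51.100.7 41234 udp 900 58500000
2023-04-25T10:00:02Z 203.0.113.10 427 203.0.113.55 52000 udp 3 900
2023-04-25T10:00:03Z 203.0.113.12 443 198.51.100.9 50000 tcp 500 400000
2023-04-25T10:00:05Z 203.0.113.13 427 198.51.100.20 33000 udp 2 640
"""


def parse_flows(text):
    """Parse the eight-field flow format above into dicts; skips comments
    and malformed lines rather than failing on them."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto, pkts, nbytes = fields
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "proto": proto.lower(),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def find_slp_reflection(flows, internal_nets, min_avg_bytes=MIN_AVG_REPLY_BYTES):
    """Return {victim_ip: report} for external addresses receiving large
    UDP/427 replies from our hosts, with the matching inbound request
    bytes so the observed amplification factor can be estimated."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        return any(ip in n for n in nets)

    victims = defaultdict(lambda: {"reflectors": set(), "out_bytes": 0,
                                   "out_packets": 0, "in_bytes": 0})
    # Pass 1: large outbound replies from our SLP port to outside hosts.
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != SLP_PORT or f["packets"] == 0:
            continue
        if not internal(f["src"]) or internal(f["dst"]):
            continue
        if f["bytes"] / f["packets"] < min_avg_bytes:
            continue
        v = victims[str(f["dst"])]
        v["reflectors"].add(str(f["src"]))
        v["out_bytes"] += f["bytes"]
        v["out_packets"] += f["packets"]
    # Pass 2: inbound requests to port 427 whose source is a victim found
    # above; that source address is the spoofed one the attacker inserted.
    for f in flows:
        if (f["proto"] == "udp" and f["dport"] == SLP_PORT
                and internal(f["dst"]) and str(f["src"]) in victims):
            victims[str(f["src"])]["in_bytes"] += f["bytes"]

    report = {}
    for victim, v in victims.items():
        amp = round(v["out_bytes"] / v["in_bytes"], 1) if v["in_bytes"] else None
        report[victim] = {
            "reflectors": sorted(v["reflectors"]),
            "out_bytes": v["out_bytes"],
            "avg_reply_bytes": v["out_bytes"] // v["out_packets"],
            "amplification": amp,
        }
    return report


if __name__ == "__main__":
    for victim, r in find_slp_reflection(parse_flows(SAMPLE_FLOWS),
                                         ["203.0.113.0/24"]).items():
        print(victim, r)
```

On the sample data the two stuffed hosts 203.0.113.10 and .11 are reported as reflectors aimed at 198.51.100.7, with 65,000-byte average replies and an observed factor of about 2241X, the 65,000/29 ratio the researchers describe; the internal discovery traffic, the TCP flow and the small two-packet reply are all left alone. The same two-pass logic works on NetFlow or IPFIX exports once the field mapping in parse_flows is adapted.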
Copyright © 2023 IDG Communications, Inc.
Recent research has shown that a new Distributed Denial of Service (DDoS) amplification vector could enable highly sophisticated and powerful cyberattacks. A DDoS attack is one of the most destructive weapons in the digital armory. It is used by malicious attackers to take down a website or otherwise paralyze an online service by overwhelming it with a surge of artificially generated traffic.
A new amplification vector can enable an attacker to send a greater volume of malicious traffic to their target, greatly amplifying the force of a potential attack. This could have an even greater impact on Internet services, potentially leading to disruptions in vital services and damage to websites, content, and data.
The research was conducted by a team of experts from the cybersecurity company Ikaroa, who looked into the implications of this new vector, what the consequences could be and how it might create a more hostile environment for Internet users.
The team at Ikaroa discovered that the new vector not only amplifies the attack power but also makes it much harder for the target of the attack to detect and identify it. This could lead to a new wave of highly destructive attacks with potentially catastrophic consequences. The team also wrote a research paper outlining the various vulnerabilities associated with the vector and proposed some countermeasures.
The research makes it abundantly clear that a new wave of sophisticated DDoS attacks is imminent and the threat landscape around the Internet could become a lot more dangerous if appropriate security tools are not in place.
At Ikaroa, we strongly recommend that companies and organizations take appropriate precautions and upgrade their security systems with additional protections. We also advise our customers to consult experienced cybersecurity experts to design and implement more effective security strategies and countermeasures that are suitable for their specific needs.