Netography Releases Detection for Actively Exploited DoS Amplification CVE-2023-29552
Jeff Nathan, Director of Detection Engineering
In April 2023, researchers from Bitsight and Curesec jointly discovered a vulnerability in the Service Location Protocol (SLP), tracked as CVE-2023-29552. On November 9, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
To respond to this threat, Netography has released a new Netography Detection Model (NDM), called “slpreflection”, which will detect floods of traffic originating from the SLP port (427).
Attackers are leveraging the vulnerability in an amplification attack, in which a low volume of DoS traffic is amplified to make the attack more severe. SLP is an attractive target because small requests spoofed from a victim network’s IP address can elicit responses more than 2200 times larger. Researchers have located tens of thousands of vulnerable SLP servers on the Internet, creating a rich environment for exploitation of this technique.
This particular attack, a DoS amplification, manifests itself very clearly in flow data. Our Network Defense Platform (NDP), Netography Fusion, was well positioned to detect it because of our flow DNA and because the platform can ingest NetFlow, sFlow, and IPFIX from anywhere in our customers’ tech stack to determine whether they are at risk.
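As an added example (not Netography’s code or the slpreflection NDM itself), the following Python sketch shows how a flood of this shape stands out in flow records. It groups UDP flows whose source port is 427 by local host and flags hosts that receive large replies from many distinct external sources (a reflection victim) as well as hosts that send such replies to many external destinations (a local SLP server being abused as a reflector). The record fields, thresholds and sample addresses are constructed for illustration.

```python
"""
Added example (not Netography's code): flagging SLP (UDP/427) reflection
floods in NetFlow/IPFIX-style records, from two vantage points.

  * victim side:    many distinct external hosts send UDP traffic *from* port 427
                    to one local address, with large response-sized packets.
  * reflector side: one local host answers *from* UDP/427 to many distinct
                    external destinations, i.e. it is being abused as an amplifier.

Field names and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SLP_PORT = 427
PROTO_UDP = 17


@dataclass(frozen=True)
class Flow:
    """One exported flow record (fields reduced to what the detector needs)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int


def detect_slp_reflection(flows, local_nets, min_peers=10,
                          min_bytes=1_000_000, min_bytes_per_packet=400):
    """Return alerts for local hosts that are SLP reflection victims or reflectors.

    Thresholds (assumed, tune per network): at least `min_peers` distinct remote
    hosts, at least `min_bytes` total, and an average packet size of at least
    `min_bytes_per_packet` (SLP requests are small; amplified replies are not).
    """
    nets = [ip_network(n) for n in local_nets]

    def is_local(ip):
        addr = ip_address(ip)
        return any(addr in n for n in nets)

    # Per-local-host counters, keyed by role.
    stats = {"victim": defaultdict(lambda: {"peers": set(), "bytes": 0, "packets": 0}),
             "reflector": defaultdict(lambda: {"peers": set(), "bytes": 0, "packets": 0})}

    for f in flows:
        # Only UDP flows whose *source* port is 427 carry SLP responses.
        if f.proto != PROTO_UDP or f.sport != SLP_PORT:
            continue
        src_local, dst_local = is_local(f.src), is_local(f.dst)
        if dst_local and not src_local:        # replies arriving at us: we are the victim
            role, host, peer = "victim", f.dst, f.src
        elif src_local and not dst_local:      # replies leaving us: our server is the reflector
            role, host, peer = "reflector", f.src, f.dst
        else:
            continue                           # internal or transit traffic, not scored here
        s = stats[role][host]
        s["peers"].add(peer)
        s["bytes"] += f.bytes
        s["packets"] += f.packets

    alerts = []
    for role, hosts in stats.items():
        for host, s in hosts.items():
            bpp = s["bytes"] / s["packets"] if s["packets"] else 0
            if (len(s["peers"]) >= min_peers and s["bytes"] >= min_bytes
                    and bpp >= min_bytes_per_packet):
                alerts.append({"type": f"slp_reflection_{role}", "host": host,
                               "peers": len(s["peers"]), "bytes": s["bytes"],
                               "bytes_per_packet": round(bpp)})
    return alerts


def build_sample_flows():
    """Constructed sample records using RFC 5737 documentation addresses."""
    flows = []
    # 12 external SLP servers each reflect 100 large UDP/427 replies at 203.0.113.10.
    for i in range(1, 13):
        flows.append(Flow(f"198.51.100.{i}", SLP_PORT, "203.0.113.10", 40000 + i,
                          PROTO_UDP, packets=100, bytes=140_000))
    # A local SLP server on 203.0.113.77 answers from 427 to 15 external hosts:
    # it is being used as an amplifier against someone else.
    for i in range(1, 16):
        flows.append(Flow("203.0.113.77", SLP_PORT, f"192.0.2.{i}", 50000 + i,
                          PROTO_UDP, packets=200, bytes=240_000))
    # Benign noise that must not fire: one small SLP reply, internal SLP, and DNS.
    flows.append(Flow("198.51.100.200", SLP_PORT, "203.0.113.20", 41000, PROTO_UDP, 2, 300))
    flows.append(Flow("203.0.113.50", SLP_PORT, "203.0.113.51", 42000, PROTO_UDP, 5, 2_000))
    flows.append(Flow("198.51.100.53", 53, "203.0.113.10", 43000, PROTO_UDP, 1_000, 120_000))
    return flows


LOCAL_NETS = ["203.0.113.0/24"]

if __name__ == "__main__":
    for alert in detect_slp_reflection(build_sample_flows(), LOCAL_NETS):
        print(alert)
```

The bytes-per-packet test is what separates amplified replies from ordinary SLP chatter: a handful of legitimate answers from a single server stays well under the peer and volume thresholds, while a reflection flood shows many peers and a high average packet size on the same local host. The reflector-side rule matters for the “are we at risk” question in the text, since it surfaces a vulnerable server in your own network before the victim does.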
For greater response effectiveness, multiple teams can then use a single NDM to launch diverse response workflows, ensuring all teams have access to the same critical alerts.
Organizations are also advised to disable SLP on any internet-facing systems on their networks and to block traffic to or from UDP port 427 at their network perimeter in order to mitigate this threat. They should also verify that they are running the latest version of products that use the Service Location Protocol, such as VMware ESXi.
More information on how our detections work is available on our site; you can also schedule time with us to learn more.