SLP: a new DDoS amplification vector in the wild

Researchers Pedro Umbelino and Marco Lux have discovered a new DDoS reflection/amplification attack vector, CVE-2023-29552, exploiting the Service Location Protocol (SLP). The protocol was designed for service discovery in local area networks but has no authentication method and is not meant to be exposed to the public internet. Despite its obsolescence, many commercial products still support SLP, with 35,000 Internet endpoints having their devices' SLP service exposed. UDP version of this protocol has an amplification factor of up to 2,200x. Cloudflare customers are already protected from these attacks through the company's automated DDoS protection system. Network operators should block UDP port 427 or use Cloudflare Magic Firewall rules to prevent exploitation and launching of such attacks.