New SLP DDoS amplification can overload your network

Happy Tuesday – It is the RSA conference week. That means we get vendors disclosing vulnerabilities while people are at the conference.

Bitsight and Curesec uncovered a Service Location Protocol (SLP) DDoS amplification vector with an amplification factor that can be as high as 2200:1. That means an open SLP port on your network can …

  • Be used to DDoS another network.
  • Overload your network with considerable amplification … creating a DDoS risk on your network.

CISA has posted an advisory here: Abuse of the Service Location Protocol May Lead to DoS Attacks

Filtering TCP & UDP port 427, both ingress and egress, at the edge of your network is recommended.

You can find out whether your network has exposed SLP services using Shadowserver.org’s Accessible SLP Service Reports. This is part of Shadowserver’s Daily Network Reports, a free “Cyber-Civil Defense” service.

https://www.shadowserver.org/what-we-do/network-reporting/accessible-slp-service-report/

Shadowserver has a dashboard image to help see the locations of the SLP Risk.

https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2023-04-23&source=scan&source=scan6&tag=slp&geo=all&data_set=count&scale=log

Bitsight’s and Curesec’s advisories are here:

Bitsight: New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)

Curesec: CVE-2023-29552 Service Location Protocol-Denial of Service Amplification Attack

Your Quick Action Can Safeguard Against SLP Amplification Risk

This DDoS Amplification vector can be reduced if organizations take quick action, block TCP & UDP port 427 (ingress and egress), and subscribe to the free reporting that will alert you if an exposed SLP service is on your network.

ISPs, Mobile Operators, and Carriers: consider adding TCP & UDP port 427 (ingress and egress) to your Exploitable Port Filtering. Significant broadband carriers use this approach to protect their network and their customers. If Exploitable Port Filtering has worked for Comcast, Charter, Cox, and others for over 15 years, then it will work as a tool to mitigate the SLP risk.
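A passive check to pair with the port 427 filtering recommended above, as an added example that is not from the original post or from Bitsight, Curesec or Shadowserver: it reads exported flow records, finds internal hosts whose port 427 traffic crosses the network edge, and reports the response-to-request byte ratio for each. The CSV layout, `INTERNAL_NETS` and the sample rows are constructed assumptions; substitute your own address space and flow export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SLP_PORT = 427
# Assumption: replace with the prefixes your organization actually routes.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records for illustration only (not real traffic).
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
198.51.100.7,40000,192.0.2.10,427,udp,29
192.0.2.10,427,198.51.100.7,40000,udp,63800
198.51.100.9,51000,192.0.2.20,443,tcp,1200
192.0.2.30,427,192.0.2.31,50000,udp,300
203.0.113.5,41000,192.0.2.40,427,tcp,60
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def slp_edge_exposure(flow_csv):
    """Return {internal_host: stats} for port-427 flows that cross the edge."""
    hosts = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] not in ("tcp", "udp"):
            continue
        src_in, dst_in = is_internal(row["src"]), is_internal(row["dst"])
        if src_in == dst_in:
            continue  # purely internal or purely external: not an edge crossing
        size = int(row["bytes"])
        if dst_in and int(row["dport"]) == SLP_PORT:
            hosts[row["dst"]]["bytes_in"] += size   # request reached an internal SLP service
        elif src_in and int(row["sport"]) == SLP_PORT:
            hosts[row["src"]]["bytes_out"] += size  # internal SLP service answered outward
    for stats in hosts.values():
        # Outbound/inbound byte ratio; None when only responses were observed.
        stats["ratio"] = (round(stats["bytes_out"] / stats["bytes_in"], 1)
                          if stats["bytes_in"] else None)
    return dict(hosts)

if __name__ == "__main__":
    for host, stats in sorted(slp_edge_exposure(SAMPLE_FLOWS).items()):
        print(host, stats)
```

Any host this returns after the filter is in place means port 427 traffic is still crossing the edge; a host with a ratio of 0.0 is being reached but is not answering.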


Are you looking for more practical, public-service Security Advice?

The materials and guides posted on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.