Hunting for obscure protocols is a way to proactively find malicious activity. Today, I want to talk about one of those obscure protocols, Service Location Protocol (SLP). While hunting through the billions of logs, we at Security On-Demand process every day, I found considerable activity across a slew of networks where enterprises were communicating with various locations across the globe over port 427. This is the port on which SLP operates. Network traffic leaving your network to the public internet over port 427 should be viewed as highly suspicious and concerning and it warrants mitigation – even if you are unsure if the activity is malicious.
Service Location Protocol is a discovery service that permits other devices to find networked services across a local area network (LAN). It is particularly useful because the devices do not require configuration in order to find the services. Commonly, SLP is often used in Windows for finding network printers – among other less common uses, Mac OS and OSX (to version 10.1) uses it to discover file shares and a variety of network services, and it is also common in various Linux distributions.
The image below is the process used to discover services via SLP
What is the risk of Service Location Protocol?
Because SLP is designed to only be communicating within a local area network, any traffic on port 427 leaving the LAN should be viewed with considerable suspicion. Without packet capture or logs directly from the generating device, it is difficult to tell what information is leaving the network. However, considering the type of info normally produced, SLP could be a useful service for enabling hackers to discover devices on a targeted or compromised network. Such discovery provides useful information to the hackers such as device name, device location, and other vital information that would allow a hacker to identify further exploitation opportunities to pivot through the network.
One would assume that such outbound communication over port 427 would be relatively rare, however, analysis of this activity within our customer environment demonstrated that approximately 35% of our customer base executes at least one outbound communication over this port in any give 24-hour period. To compound the seriousness of this, about 50% of all the outbound traffic we are seeing is flowing directly to IP addresses located in China or Russia. This does not necessarily mean that all these organizations are breached, but it does indicate anomalous activity and data leakage.
If you see such activity on your network, there is no need to panic and it doesn’t warrant an immediate execution of the incident response plan. However, you should take the time to investigate the device from which the traffic is originating and determine the cause and if it is or is not malicious. If it is determined to be malicious, we recommend initiating incident response and taking actions in accordance with your policy to eliminate the threat. If the activity is not deemed malicious, we recommend that you still take steps to stop the activity and prevent future communication out. You should also put blocks on your firewalls to prevent this activity. (A quick note on blocking at the firewall: Even though blocking at the firewall may prevent the communication from reaching an outside destination, there is still something causing the outbound traffic to occur within your network. So it still a good idea to investigate what is causing the activity in the first place.)
There is a lot of unexpected and unusual communications that occur on a network, whether internally or out to the global internet. Nine times out of ten the activity is not going to be malicious. However, as information technology and security professionals, it is our job to be concerned about that 1 time out 10 that it is malicious. Taking some time each month to not only check to see what is happening on port 427, but to also check all uncommon port and protocol activity occurring on your network will result in a safer, more efficient, and more functional network to secure and manage. For our ThreatWatch customers, you can quite simply log in to your portal and create a regularly produced report that can provide you this data.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.