Port reference

Port 427 (UDP/TCP) – SLP

Service Location Protocol — lets devices discover services on a LAN without manual configuration.

udp, tcp, Well-known, Commonly attacked

Default state

Enabled by default on many VMware ESXi builds, printers, and storage/SAN appliances. Should never be reachable from the internet.

Common attacks

  • Massive UDP amplification DDoS (CVE-2023-29552)
  • Service and host enumeration / information disclosure

Hardening

  • Disable SLP wherever it isn't required (e.g. ESXi slpd)
  • Block UDP/TCP 427 at the internet edge
  • Restrict SLP to trusted management VLANs only
  • Patch appliances that expose SLP per vendor advisories

nmap snippet

nmap -sU -p427 --script slp-discovery <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 427?

Port 427 carries the Service Location Protocol (SLP), defined in RFC 2608. It lets clients discover available network services — printers, storage, virtualization hosts — without static configuration, by querying Directory Agents and Service Agents. SLP ships enabled on many VMware ESXi versions, network printers, and SAN/NAS appliances, where it is meant for LAN use only.

Why it matters for security

SLP exposes a map of services and hosts to anyone who can reach the port, aiding reconnaissance. Far worse, CVE-2023-29552 showed that an unauthenticated attacker can register arbitrary services to inflate response sizes, turning open SLP servers into one of the highest-factor amplification DDoS reflectors known, with amplification well over 2000x. Tens of thousands of internet-exposed instances were found, mostly on appliances administrators forgot were listening.

How it's attacked

Attackers scan UDP 427 for responsive SLP services, then either harvest the advertised service directory for recon or weaponize the host for reflection DDoS. Exploiting CVE-2023-29552, they pad the service table and reflect spoofed queries, delivering enormous traffic to a victim from a trivial request volume.

Hardening checklist

Disable SLP wherever it isn't actively used — on ESXi, stop and disable the slpd service per VMware guidance. Block UDP and TCP 427 at the perimeter and confine SLP to dedicated management VLANs. Apply vendor patches for affected appliances. Use the nmap snippet above to confirm SLP is not reachable on hosts you are authorized to test.
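To check from captured traffic that SLP really is confined to the management VLAN, the sketch below (an added example, not part of the original page) parses the SLPv2 header from RFC 2608 and flags port 427 datagrams from other networks, treating service registrations (SrvReg/SrvDeReg) as the more serious finding. The management subnet, the tuple input format, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# SLPv2 function IDs as listed in RFC 2608.
FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg",
             5: "SrvAck", 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert",
             9: "SrvTypeRqst", 10: "SrvTypeRply", 11: "SAAdvert"}
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumption: management VLAN

def parse_header(payload):
    """Return (function name, declared length, XID), or None if not SLPv2."""
    if len(payload) < 14 or payload[0] != 2:   # 14 = fixed part of the header
        return None
    length = int.from_bytes(payload[2:5], "big")   # 24-bit message length
    xid = struct.unpack("!H", payload[10:12])[0]
    return FUNCTIONS.get(payload[1], f"unknown({payload[1]})"), length, xid

def triage(packets):
    """packets: (src_ip, dst_port, udp_payload) tuples from a capture."""
    findings = []
    for src, dport, payload in packets:
        header = parse_header(payload) if dport == 427 else None
        if header is None or ipaddress.ip_address(src) in MGMT_NET:
            continue
        name = header[0]
        if name in ("SrvReg", "SrvDeReg"):
            reason = "service table change from outside management VLAN"
        else:
            reason = "SLP reachable from outside management VLAN"
        findings.append((src, name, reason))
    return findings

def sample(func, xid):
    """Constructed header-only datagram (language tag 'en', no message body)."""
    return (bytes([2, func]) + (16).to_bytes(3, "big") + b"\x00" * 5
            + struct.pack("!HH", xid, 2) + b"en")

# Constructed capture; 203.0.113.0/24 is a documentation range.
SAMPLE_PACKETS = [
    ("10.20.0.5", 427, sample(1, 1)),       # SrvRqst from management VLAN
    ("203.0.113.9", 427, sample(3, 2)),     # SrvReg from outside
    ("203.0.113.9", 427, sample(1, 3)),     # SrvRqst from outside
    ("203.0.113.9", 427, b"\x01\x01junk"),  # not SLPv2, ignored
    ("203.0.113.9", 53, sample(3, 4)),      # wrong port, ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKETS):
        print(*finding, sep="  ")
```

Any finding means the edge block or VLAN restriction is not doing its job for that source network.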

Frequently asked questions

What uses port 427?

Port 427 is the Service Location Protocol (SLP), used for service discovery by VMware ESXi, network printers, and storage appliances. It is rarely needed on the public internet.

How bad is the SLP amplification flaw?

CVE-2023-29552 lets attackers register fake services so a tiny query yields a huge reply, producing amplification factors above 2000x — among the largest ever recorded.