
The Question That Haunted Every Network Administrator

In the 1990s, before you could use a network printer, you had to know it existed. Before you could connect to a file server, you needed its hostname. Before you could access any service, someone had to tell you where it was, and someone else had to configure your machine to find it.

This was the tyranny of static configuration. Every laptop that moved between conference rooms needed reconfiguration. Every new printer required an email to IT. Every service lived behind a hostname that humans had to memorize, document, and communicate through channels that had nothing to do with the network itself.

The network knew where everything was. The humans did not. And that asymmetry was the problem.

What Port 427 Carries

Port 427 carries the Service Location Protocol (SLP) over both UDP and TCP.[1] When a device wants to discover services on the network, or when a service wants to announce its existence, the conversation happens here.

SLP inverts the traditional model of network service discovery. Instead of requiring users to know hostnames, SLP allows them to describe what they want: "I need a color printer that supports duplex printing." The network answers with the addresses of services that match.[2]

Every SLP-enabled device listens on port 427. Service Agents announce what they offer. User Agents ask for what they need. And in larger networks, Directory Agents collect and cache all these announcements, becoming the network's memory of itself.

How the Protocol Works

SLP operates through three types of agents that form a hierarchy of discovery:

User Agents (UAs) represent applications seeking services. When a word processor needs to find a printer, the User Agent constructs a query describing the desired service type and attributes, then sends it out through port 427.[3]

Service Agents (SAs) represent the services themselves. A network printer runs a Service Agent that announces: "I am here, I am a printer, I support PostScript, I have a color capability, I am in Building 3."[4]

Directory Agents (DAs) are the optional but critical optimization. In small networks, User Agents can multicast their queries to all Service Agents. But in large enterprise networks, this creates too much traffic. Directory Agents solve this by collecting all service registrations into a central cache. User Agents query the Directory Agent instead of broadcasting to the entire network.[5]

The protocol uses multicast address 239.255.255.253 for discovery. When a device boots, it sends a multicast looking for Directory Agents. If one answers, all subsequent communication happens via unicast. If not, the device assumes it is in a small network and continues using multicast for service queries.[6]

Services register with attributes described using a template language. A printer might register as:

service:printer://192.168.1.50
(location=Building 3, Floor 2)
(color=true)
(duplex=true)
(resolution=1200)

User Agents can then query using LDAP-style filters: "Find me a service of type printer where color=true and location contains 'Building 3'."[7]
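To make the registration template and the filter language above concrete, here is an added example (not code from this page or from any SLP implementation) that parses registrations written in that template form and evaluates LDAP-style filters against them, answering the way a Directory Agent would. The second printer registration and the filter strings are constructed, and real SLP exchanges these as binary messages rather than text.

```python
import re

# Constructed registrations in the template form shown above: the page's printer
# plus a hypothetical second one that should not match the query.
REGISTRATIONS = [
    "service:printer://192.168.1.50\n(location=Building 3, Floor 2)\n(color=true)\n(duplex=true)\n(resolution=1200)",
    "service:printer://192.168.1.51\n(location=Building 1, Floor 1)\n(color=false)\n(duplex=true)\n(resolution=600)",
]

def parse_registration(text):
    """Split a registration into its service URL and a dict of lower-cased attributes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    url, attrs = lines[0], {}
    for line in lines[1:]:                 # each line looks like (attr=value)
        attr, _, value = line.strip("()").partition("=")
        attrs[attr.strip().lower()] = value.strip()
    return url, attrs

def parse_filter(s, i=0):
    """Recursive-descent parser for LDAP-style filters; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|":                       # AND / OR over any number of child filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1           # i + 1 skips this group's closing ')'
    j = s.index(")", i)                    # leaf comparison: attr=pattern
    attr, _, pattern = s[i:j].partition("=")
    return ("=", attr.strip().lower(), pattern.strip()), j + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one registration; '*' is a wildcard."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    _, attr, pattern = node
    if attr not in attrs:                  # an absent attribute never matches
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, attrs[attr], re.IGNORECASE) is not None

def find_services(filter_text, registrations=REGISTRATIONS):
    """Return the URLs a Directory Agent would answer with for this filter."""
    node, _ = parse_filter(filter_text)
    return [url for url, attrs in map(parse_registration, registrations)
            if matches(node, attrs)]
```

Running `find_services("(&(color=true)(location=*Building 3*))")` returns only the page's printer, which is exactly the query spelled out in the sentence above.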

The Sun Microsystems Engineers Who Built It

RFC 2165, the first SLP specification, was published in June 1997. The authors were John Veizades from @Home Network, and Erik Guttman, Charles Perkins, and Scott Kaplan from Sun Microsystems.[8]

Two years later, RFC 2608 defined SLP version 2, addressing limitations in the original specification. The authors were Erik Guttman and Charles Perkins from Sun Microsystems, John Veizades from @Home Network, and Michael Day from Vinca Corporation.[9]

The problem they were solving was explicit in the RFC: "Traditionally, users find services by using the name of a network host (a human readable text string) which is an alias for a network address. The Service Location Protocol eliminates the need for a user to know the name of a network host supporting a service."[10]

This was the era of mobile computing's first wave. Laptops were becoming common in enterprises. Workers moved between offices, conference rooms, and buildings. The old model, where a machine was configured once and never moved, was dying. Sun's engineers were building the protocol for a world where computers wandered.

The Printers That Found Themselves

SLP found its primary home in enterprise printers. HP, Canon, Xerox, and others embedded SLP support into their network-enabled printers, allowing them to announce themselves the moment they connected to the network.[11]

For the first time, you could plug a printer into an Ethernet port and have it appear automatically in users' print dialogs. The printer would register itself with the Directory Agent, describing its capabilities. Applications would query for printers, receive the list, and present it to users. No configuration files. No IT tickets. No memorizing hostnames.

CUPS, the Common Unix Printing System that became the default on Linux and macOS, used SLP for printer discovery. When Michael Sweet started developing CUPS in 1997, the same year SLP was standardized, he built discovery into the architecture from the start.[12]

The Protocol Apple Abandoned

Apple's Classic Mac OS and Mac OS X 10.1 used SLP to locate file shares and other services.[13] For early Mac OS X users, SLP was invisible infrastructure, quietly helping the Finder locate servers on the network.

But Apple was working on something else. Stuart Cheshire, who had joined Apple after proposing adaptations of AppleTalk's Name Binding Protocol to IP, was developing what would become mDNS and DNS-SD.[14]

In August 2002, Apple released Mac OS X 10.2 Jaguar with a new technology called Rendezvous (later renamed Bonjour after a trademark dispute with TIBCO). It replaced SLP as Apple's preferred service discovery protocol.[15]

The difference was philosophical. SLP was designed for enterprises, with its Directory Agents and scopes and administrative controls. mDNS was designed for simplicity, for small networks where devices could talk directly to each other without any central coordination. Apple chose the simpler path.

SLP continued to be supported on macOS for years, but it was no longer the future. The protocol designed for wandering laptops in enterprise networks had been superseded by a protocol designed for living rooms.

The Security Story That Changed Everything

SLP was designed for trusted networks. The RFC explicitly states that the protocol is intended for local area networks, not for exposure to the Internet.[16] There is no authentication mechanism in the base protocol. Any device on the network can register any service. Any device can query for any service.

This was acceptable in 1997, when enterprise networks were islands separated from the hostile Internet by firewalls. But the boundary between internal and external networks eroded over the years. VPNs, cloud services, and misconfigurations exposed internal protocols to the world.

CVE-2023-29552: The Amplification Attack

In April 2023, researchers from Bitsight and Curesec disclosed CVE-2023-29552, a vulnerability in the SLP protocol itself.[17] The attack works like this:

  1. An attacker finds an SLP server exposed on UDP port 427
  2. The attacker registers services with that server, filling it with entries
  3. The attacker sends spoofed requests to the server with the victim's IP address as the source
  4. The server sends its large responses to the victim

The amplification factor can reach 2,200x. A small request triggers a massive response directed at someone else. This is the anatomy of a reflection DDoS attack, and SLP's design makes it particularly effective.[18]

Researchers found over 54,000 SLP instances accessible from the Internet across more than 2,000 organizations.[19] Most were VMware ESXi servers, network printers, and other embedded systems that had never been designed to face the open Internet.
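As an added illustration of the reflection pattern from the defender's side (not code from this page, Bitsight, or Curesec), the block below assembles a constructed SLPv2 request and reply, decodes the fixed message header as laid out in RFC 2608 (a detail this page does not cover), and reports how much larger the reply is than the request and whether it would be going to a non-private address, which is the combination a monitoring team wants to catch. The 10x threshold, the sample addresses, and the reply filler are assumptions.

```python
import ipaddress

# SLPv2 function IDs from RFC 2608 (not listed on this page).
SLP_FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
                 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
                 10: "SrvTypeRply", 11: "SAAdvert"}

def build_slpv2(function_id, body, xid, lang=b"en"):
    """Assemble an SLPv2 message: version(1) function(1) length(3) flags(2)
    next-ext-offset(3) XID(2) lang-tag-length(2) lang-tag, then the body."""
    total = 14 + len(lang) + len(body)
    return (bytes([2, function_id]) + total.to_bytes(3, "big") + b"\x00\x00"
            + b"\x00\x00\x00" + xid.to_bytes(2, "big")
            + len(lang).to_bytes(2, "big") + lang + body)

def parse_slpv2_header(pkt):
    """Decode the fixed header; returns None for anything that is not SLPv2."""
    if len(pkt) < 14 or pkt[0] != 2:
        return None
    lang_len = int.from_bytes(pkt[12:14], "big")
    length = int.from_bytes(pkt[2:5], "big")
    if len(pkt) < 14 + lang_len or length != len(pkt):
        return None
    return {"function": SLP_FUNCTIONS.get(pkt[1], f"unknown({pkt[1]})"),
            "overflow": bool(pkt[5] & 0x80),       # OVERFLOW flag: reply truncated for UDP
            "xid": int.from_bytes(pkt[10:12], "big"),
            "lang": pkt[14:14 + lang_len].decode("ascii", "replace")}

def reflection_risk(client_ip, request, reply, max_ratio=10.0):
    """Defender-side check for the CVE-2023-29552 pattern: a reply far larger than
    the request, sent to a non-private address. max_ratio is an assumed threshold."""
    req, rep = parse_slpv2_header(request), parse_slpv2_header(reply)
    if req is None or rep is None or req["xid"] != rep["xid"]:
        return None                                # not a matching request/reply pair
    ratio = len(reply) / len(request)
    external = not ipaddress.ip_address(client_ip).is_private
    return {"reply": rep["function"], "amplification": ratio,
            "external_client": external, "risky": external and ratio > max_ratio}

# Constructed sample exchange: a minimal SrvRqst for service:printer in scope DEFAULT ...
SRVRQST_BODY = (b"\x00\x00" + b"\x00\x0f" + b"service:printer" + b"\x00\x07" + b"DEFAULT"
                + b"\x00\x00" + b"\x00\x00")       # empty PRList, no predicate, no SPI
REQUEST = build_slpv2(1, SRVRQST_BODY, xid=0x1234)
# ... and a SrvRply: error code 0, a URL-entry count, then 4000 bytes of constructed
# filler standing in for the URL entries of a server stuffed with registrations.
REPLY = build_slpv2(2, b"\x00\x00" + b"\x00\x40" + bytes(4000), xid=0x1234)
```

For the constructed pair, `reflection_risk("1.2.3.4", REQUEST, REPLY)` reports a reply roughly 80 times the size of the request headed to a public address, while the same pair toward 10.0.0.5 is reported as ordinary LAN traffic.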

The ESXiArgs Catastrophe

But the amplification attack was not the worst thing to happen on port 427.

On February 3, 2023, a ransomware campaign began targeting VMware ESXi servers. The attack exploited CVE-2021-21974, a heap overflow vulnerability in OpenSLP, the open-source SLP implementation used by VMware.[20]

The vulnerability had been patched two years earlier. But thousands of ESXi servers remained unpatched, their port 427 exposed to the Internet.

Within days, the ESXiArgs ransomware had encrypted over 8,000 servers worldwide.[21] The attack specifically targeted virtual machine files: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem. Each encrypted server represented not one machine but potentially dozens of virtual machines, multiplying the impact.

The ransomware encrypted the files and left a note demanding Bitcoin payment. CISA released a recovery script, but for many organizations, the damage was done.[22]

A protocol designed to help you find your printer had become the entry point for one of the largest ransomware campaigns in history.

Port 427 Today

VMware has disabled OpenSLP by default in ESXi versions 7.0 U2c and 8.0 GA and newer.[23] The Shadowserver Foundation tracks exposed SLP services, and security teams worldwide have been blocking port 427 at network boundaries.

SLP still runs in enterprise printers, in legacy systems, in corners of networks that have not been updated in years. But its exposure to the Internet has been dramatically reduced. The protocol that was meant to make networks self-describing is being silenced, port by port.

mDNS on port 5353 has largely taken over the role SLP was designed to fill. Bonjour, Avahi, and other Zeroconf implementations provide service discovery without the enterprise overhead, without the Directory Agents, without the scopes. The vision of self-configuring networks survived. The specific protocol did not.

Port      Protocol   Relationship
5353      mDNS       The successor: Apple's Bonjour and Linux's Avahi provide service discovery using multicast DNS
1900      SSDP       Alternative: Simple Service Discovery Protocol, used by UPnP for consumer device discovery
137-139   NetBIOS    Predecessor: Windows network browsing used NetBIOS before SLP and mDNS
631       IPP        Sibling: Internet Printing Protocol, often discovered via SLP or mDNS

A Protocol That Trusted Too Much

Port 427 carries a protocol born from a genuine insight: networks should be able to describe themselves. The engineers at Sun Microsystems understood that static configuration was a barrier to mobile computing, that humans should not have to memorize hostnames, that services should announce their own existence.

They built a protocol for trusted networks. And for years, it worked. Printers appeared in dialogs without configuration. Services registered themselves with Directory Agents. The network learned what it contained.

But trusted networks became rare. The boundary between inside and outside dissolved. A protocol with no authentication, designed for the helpful act of service announcement, became a protocol that helped attackers find their targets.

The 8,000 servers encrypted by ESXiArgs ransomware in February 2023 were running a service designed to make their networks easier to use. The protocol that answered "what services exist here?" also answered "what can I attack?"

This is the lesson of port 427: helpfulness without authentication is vulnerability. A network that describes itself to friends describes itself to enemies. The dream of self-configuring networks was real, but it required assumptions about trust that the modern Internet cannot support.

The protocol still runs in corners of enterprise networks, in printers and legacy systems. But its time has passed. The networks of the future will still describe themselves, but through protocols that learned the hard lesson SLP taught: on the open Internet, every announcement is also an advertisement.
