What Is SSDP and Why Is It a Security Problem?

What SSDP Does

Simple Service Discovery Protocol (SSDP) is the discovery mechanism for Universal Plug and Play (UPnP). It allows devices on a network to announce their presence and discover other devices without any manual configuration. When your smart TV appears in your media player's device list, or your router shows up in Windows Network, SSDP is usually responsible.

SSDP operates over UDP on port 1900. It uses multicast to reach all devices on the local network simultaneously. The protocol was designed for home and small office networks where ease of use matters more than security.

That design choice - prioritizing convenience over security - created one of the most abused protocols on the internet.

How the Protocol Works

SSDP has two main operations: discovery (M-SEARCH) and advertisement (NOTIFY).

M-SEARCH is a search request. A device looking for services sends an M-SEARCH request to the multicast address 239.255.255.250 on port 1900. The request specifies what type of service the device is looking for (or uses "ssdp:all" to discover everything). Every UPnP device that matches responds with its details.

NOTIFY is an advertisement. When a UPnP device starts up, it sends NOTIFY messages to the multicast address announcing its presence, the services it offers, and a URL where its detailed description can be fetched (the device description XML).

graph TD
    subgraph "SSDP Discovery Flow"
        CLIENT[Client sends M-SEARCH] -->|Multicast to 239.255.255.250:1900| NET[Local Network]
        R1[Router responds with location URL] --> CLIENT
        TV1[Smart TV responds] --> CLIENT
        CAM[IP Camera responds] --> CLIENT
        NAS[NAS responds] --> CLIENT
        CLIENT -->|Fetches XML description| R1
        R1 -->|Returns device capabilities| CLIENT
    end
    subgraph "SSDP Advertisement"
        NEW[New device joins network] -->|NOTIFY to multicast| NET2[All devices on LAN]
        NET2 --> CACHE1[Devices cache the announcement]
    end

SSDP uses multicast for both discovery queries and device advertisements

The device description XML, fetched over HTTP from the URL provided in the SSDP response, contains detailed information about the device: manufacturer, model, serial number, firmware version, and a list of all services the device supports. This is a goldmine of information for anyone on the network.

SSDP and UPnP

SSDP is just the discovery layer of UPnP. The full UPnP stack includes device description (XML), service control (SOAP), and event notification. SSDP finds devices. The rest of UPnP interacts with them.

When a UPnP control point (like a media player) discovers a device via SSDP, it fetches the device's XML description, discovers available services, and can then invoke actions on those services using SOAP (Simple Object Access Protocol) over HTTP.

This means SSDP is the entry point to the entire UPnP ecosystem. If SSDP is accessible, the full UPnP control surface is typically accessible too.

The Amplification Problem

SSDP has a severe amplification problem. An M-SEARCH request is small - roughly 100 bytes. But the response can be much larger, often 3,000 to 4,000 bytes or more when a device lists multiple services. Some devices respond with multiple packets.

The amplification factor - the ratio of response size to request size - can reach 30x or higher. Send 100 bytes, receive 3,000 bytes in response. This makes SSDP attractive for reflection and amplification DDoS attacks.

graph TD
    subgraph "SSDP Amplification Attack"
        ATK[Attacker] -->|Spoofed M-SEARCH with victim IP as source| D1[Exposed Device 1]
        ATK -->|Spoofed M-SEARCH| D2[Exposed Device 2]
        ATK -->|Spoofed M-SEARCH| D3[Exposed Device 3]
        ATK -->|100 bytes each| D4[Thousands of devices]
        D1 -->|3000+ bytes response| VICTIM[Victim Server]
        D2 -->|3000+ bytes response| VICTIM
        D3 -->|3000+ bytes response| VICTIM
        D4 -->|3000+ bytes response| VICTIM
        VICTIM -->|Overwhelmed by traffic| DOWN[Service unavailable]
    end

Attackers send small spoofed requests to thousands of SSDP devices - the amplified responses flood the victim

The attack works because SSDP responses go to the source IP address of the request. Since UDP does not have a handshake (unlike TCP), the source IP can be spoofed. The attacker sends M-SEARCH requests to thousands of SSDP-enabled devices with the victim's IP address as the source. All the responses flood the victim.

SSDP DDoS Attacks

SSDP amplification attacks have been responsible for some of the largest DDoS attacks recorded. In 2014, SSDP became one of the top three amplification vectors, alongside DNS and NTP amplification.

The attacks are effective because millions of devices respond to SSDP queries from the internet. Home routers, IP cameras, printers, NAS devices, and IoT gadgets ship with UPnP enabled by default and with SSDP listening on all interfaces - including the WAN interface facing the internet.

A single attacker with modest bandwidth can generate enormous attack traffic by leveraging thousands of these unwitting amplifiers. The devices are not compromised - they are simply responding to what appears to be a legitimate discovery request.
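Both sides of the abuse described above leave a simple signature in flow records: an exposed device answers UDP source port 1900 to addresses outside its own network, and a victim receives UDP from source port 1900 from many distinct senders at once. The following is an added example, not code from the original post, that runs those two checks plus an amplification estimate over a handful of constructed flow records. The flow format (timestamp, source, source port, destination, destination port, protocol, bytes) and the local prefix 192.0.2.0/24 are assumptions for the example; adapt the parser to your own flow export.

```python
"""Spot SSDP reflection in flow records (added example; the flow format,
the local prefix and all addresses below are constructed for the example)."""
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our own address space

# Constructed flow records: ts src sport dst dport proto bytes
# 1-4: two internet hosts query our router on 1900 and it answers (exposed reflector)
# 5-6: normal LAN discovery (multicast M-SEARCH, local unicast reply) -> must not alert
# 7-9: one local host receives 1900-sourced UDP from three unrelated internet hosts
SAMPLE_FLOWS = """\
1 198.51.100.10 40000 192.0.2.1 1900 udp 100
2 192.0.2.1 1900 198.51.100.10 40000 udp 3400
3 198.51.100.11 40001 192.0.2.1 1900 udp 100
4 192.0.2.1 1900 198.51.100.11 40001 udp 3500
5 192.0.2.20 50000 239.255.255.250 1900 udp 94
6 192.0.2.30 1900 192.0.2.20 50000 udp 350
7 203.0.113.5 1900 192.0.2.50 51000 udp 3400
8 203.0.113.6 1900 192.0.2.50 51000 udp 3400
9 203.0.113.7 1900 192.0.2.50 51000 udp 3300
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def find_exposed_reflectors(flows):
    """Local hosts that sent UDP from port 1900 to non-local destinations.
    Even one hit means the device answers SSDP from outside the LAN."""
    out = defaultdict(lambda: {"responses": 0, "bytes": 0, "external_peers": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 1900 and is_local(f["src"]) and not is_local(f["dst"]):
            rec = out[str(f["src"])]
            rec["responses"] += 1
            rec["bytes"] += f["bytes"]
            rec["external_peers"].add(str(f["dst"]))
    return dict(out)


def find_reflection_victims(flows, min_sources=3):
    """Local hosts receiving UDP from source port 1900 from at least
    min_sources distinct external senders: the victim-side pattern of a
    reflected flood. Real deployments use a far higher threshold per window."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == 1900 and not is_local(f["src"]) and is_local(f["dst"]):
            per_dst[str(f["dst"])]["sources"].add(str(f["src"]))
            per_dst[str(f["dst"])]["bytes"] += f["bytes"]
    return {dst: {"sources": len(v["sources"]), "bytes": v["bytes"]}
            for dst, v in per_dst.items() if len(v["sources"]) >= min_sources}


def estimate_amplification(flows):
    """Per exposed local host: SSDP bytes sent to the internet divided by the
    query bytes received from it, i.e. the amplification factor the post describes."""
    queries, replies = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 1900 and is_local(f["dst"]) and not is_local(f["src"]):
            queries[str(f["dst"])] += f["bytes"]
        elif f["sport"] == 1900 and is_local(f["src"]) and not is_local(f["dst"]):
            replies[str(f["src"])] += f["bytes"]
    return {host: round(replies[host] / queries[host], 1) for host in replies if queries[host]}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("exposed reflectors:", find_exposed_reflectors(flows))
    print("likely victims:", find_reflection_victims(flows))
    print("amplification:", estimate_amplification(flows))
```

On the constructed records the router 192.0.2.1 shows up as a reflector that returned 6,900 bytes for 200 bytes of queries (about 34x), while the LAN-internal exchange in records 5 and 6 is ignored because both ends are local.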

Millions Exposed on Shodan

Shodan, the search engine for internet-connected devices, consistently finds millions of devices responding to SSDP on the public internet. These devices expose their UPnP device descriptions, revealing manufacturer, model, firmware version, and available services to anyone who asks.

This information is valuable for attackers. Knowing the exact firmware version of a router allows them to check for known vulnerabilities. Knowing the available UPnP services tells them what control actions they might be able to invoke remotely.

The exposed devices span every category: home routers from every major manufacturer, IP cameras, NAS devices, media servers, and countless IoT devices. Most of their owners have no idea their devices are responding to queries from the entire internet.

Mitigation

The most important mitigation is blocking UDP port 1900 on the WAN interface of your router. SSDP is a local network protocol - it has no legitimate use on the internet. No device should respond to SSDP queries from the public internet.

If your router supports it, disable UPnP entirely. This stops SSDP advertisements and responses, and also prevents the more dangerous UPnP port forwarding functionality (which is a separate security concern).

For network administrators, firewall rules should block SSDP multicast traffic between network segments. IoT devices on a guest VLAN should not be able to discover (or be discovered by) devices on the corporate network.

On individual devices, disable UPnP/SSDP if the device does not need to be discoverable. Most servers, workstations, and network infrastructure devices have no need for UPnP discovery.

Detecting SSDP on Your Network

To check if your network has SSDP-enabled devices, you can send an M-SEARCH query to the multicast address and observe the responses. Tools like gssdp-discover (Linux) or UPnP scanning features in network security scanners will enumerate all SSDP-responding devices on your LAN.
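The discovery step just described, and the M-SEARCH/NOTIFY message layout and device description XML covered earlier, can be exercised with a small inventory script. What follows is an added example, not code from the original post or from any tool it names: it builds an M-SEARCH, parses search responses and NOTIFY advertisements into the fields an inventory needs, summarises a device description document, and, only when run with `--live`, actually queries the LAN multicast group. The sample response, the sample XML, the 192.0.2.x addresses and the `--live` flag are constructed for the example; the multicast address, port and message names are those given in the post.

```python
"""SSDP inventory helper (added example, not code from the original post):
build an M-SEARCH, parse search responses and NOTIFY advertisements, summarise
a device description XML, and optionally query the LAN multicast group."""
import socket
import sys
import xml.etree.ElementTree as ET
from urllib.request import urlopen

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900   # multicast address and port from the post
UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"      # namespace used by UPnP device descriptions


def build_msearch(st="ssdp:all", mx=2):
    """Return the bytes of an SSDP M-SEARCH request (HTTP-style text over UDP, CRLF lines)."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp(datagram):
    """Split a search response or NOTIFY into (start line, headers).
    Header names are upper-cased because devices differ in capitalisation."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers


def classify(start_line, headers):
    """Reduce a parsed message to inventory fields; NOTIFY carries the type in NT, a response in ST."""
    is_notify = start_line.startswith("NOTIFY")
    return {"kind": "advertisement" if is_notify else "response",
            "target": headers.get("NT" if is_notify else "ST", ""),
            "usn": headers.get("USN", ""),
            "location": headers.get("LOCATION", ""),
            "server": headers.get("SERVER", "")}


def amplification_factor(request, response):
    """Response bytes per request byte, the ratio the post describes."""
    return len(response) / len(request)


def summarize_description(xml_text):
    """Pull manufacturer, model, serial and every serviceType (embedded devices
    included) out of a device description document."""
    dev = ET.fromstring(xml_text).find(f"{UPNP_NS}device")
    text = lambda tag: (dev.findtext(f"{UPNP_NS}{tag}") or "").strip()
    return {"manufacturer": text("manufacturer"), "model": text("modelName"),
            "serial": text("serialNumber"),
            "services": [s.findtext(f"{UPNP_NS}serviceType", "").strip()
                         for s in dev.iter(f"{UPNP_NS}service")]}


def discover(timeout=3.0, st="ssdp:all"):
    """Send one M-SEARCH to the LAN multicast group and collect the unicast answers."""
    request, found = build_msearch(st), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # stay on the LAN
        sock.settimeout(timeout)
        sock.sendto(request, (SSDP_GROUP, SSDP_PORT))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(65535)
                record = classify(*parse_ssdp(data))
                record.update(ip=ip, amplification=round(amplification_factor(request, data), 1))
                found.append(record)
        except socket.timeout:
            pass
    return found


# Constructed sample search response from a router (TEST-NET-1 address, dummy UUID).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"CACHE-CONTROL: max-age=1800\r\n"
                   b"EXT:\r\n"
                   b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
                   b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleRouter/2.0\r\n"
                   b"ST: upnp:rootdevice\r\n"
                   b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")

# Constructed sample device description, the document LOCATION points at.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <manufacturer>Example Corp</manufacturer>
    <modelName>ExampleRouter</modelName>
    <serialNumber>CONSTRUCTED-0001</serialNumber>
    <serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
    </service></serviceList>
    <deviceList><device><serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    </service></serviceList></device></deviceList>
  </device>
</root>"""

if __name__ == "__main__":
    print(classify(*parse_ssdp(SAMPLE_RESPONSE)))
    print(summarize_description(SAMPLE_DESCRIPTION))
    if "--live" in sys.argv:                      # query the real LAN only when asked
        for rec in discover():
            print(rec)
            if rec["location"]:
                with urlopen(rec["location"], timeout=5) as resp:
                    print(summarize_description(resp.read()))
```

The M-SEARCH produced here is 94 bytes, which matches the "roughly 100 bytes" figure above; comparing it with the length of each reply gives the per-device amplification ratio the `discover()` records carry. Fetching each LOCATION URL is what turns a list of responders into the manufacturer, model and service inventory the post describes.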

From the internet side, you can check if your router responds to SSDP by using Shodan or similar services to scan your public IP address on UDP port 1900. If it responds, your router is contributing to the SSDP amplification problem.

Understanding discovery protocols like SSDP helps you audit what your network is broadcasting. The BLEShark Nano helps you identify wireless devices on your network, giving you the starting point to investigate what protocols each device is using and whether they need to be locked down.
