
CERT-Bund-Reports

Openly accessible SSDP servers

The Simple Service Discovery Protocol (SSDP) is a network protocol for advertisement and discovery of network services and presence information. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP). SSDP uses port 1900/udp.

Problem

Openly accessible SSDP servers can be abused for DDoS reflection attacks against third parties.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an SSDP server is openly accessible from the Internet, run 'tcpdump' in a first terminal:

# tcpdump -n -A host 192.168.45.67

Then, in a second terminal, use the Bash shell to send an SSDP request:

$ perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' \
    > /dev/udp/192.168.45.67/1900

If the SSDP server is openly accessible from the Internet, you will see a response like this in the first terminal:

HTTP/1.1 200 OK
Location: http://192.168.45.67:32469/DeviceDescription.xml
Cache-Control: max-age=1800
Server: UPnP/1.0 DLNADOC/1.50 Platinum/1.0.4.11
EXT:
USN: uuid:abcdb3c3-eada-b308-2e21-6edbab9cf4ed::upnp:rootdevice
ST: upnp:rootdevice
Date: Fri, 01 Apr 2016 11:15:08 GMT
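
As an added example that is not part of the CERT-Bund report, the following Python script builds the same M-SEARCH request the perl one-liner sends, parses the unicast reply and computes the amplification factor, i.e. how many bytes the host reflects per byte of request, which quantifies the DDoS reflection risk named above. The probe() helper and SAMPLE_REPLY are constructed for this example; the sample is the reply shown above re-typed as a byte string so the parser can be exercised offline.

```python
import socket

SSDP_PORT = 1900

def build_msearch(st="upnp:rootdevice", mx=3):
    """Build the M-SEARCH request the report sends with perl, as raw bytes."""
    lines = ["M-SEARCH * HTTP/1.1", "Host:239.255.255.250:1900",
             f"ST:{st}", 'Man:"ssdp:discover"', f"MX:{mx}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_ssdp_response(data):
    """Split a unicast SSDP reply into (status line, {lower-cased header: value})."""
    status, _, rest = data.decode("ascii", errors="replace").partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # the blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status.strip(), headers

def amplification_factor(request, response):
    """Bytes the host reflects per byte of request it receives."""
    return len(response) / len(request)

def probe(host, timeout=3.0):
    """Send one M-SEARCH to host:1900 and return all replies received within
    timeout as raw bytes; an empty list means the host did not answer."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (host, SSDP_PORT))
        try:
            while True:
                replies.append(sock.recvfrom(65535)[0])
        except socket.timeout:
            pass
    return replies

# Constructed sample: the reply printed in the report, re-typed as one byte
# string so the parser can be exercised offline without contacting any host.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nLocation: http://192.168.45.67:32469/DeviceDescription.xml\r\n"
    b"Cache-Control: max-age=1800\r\nServer: UPnP/1.0 DLNADOC/1.50 Platinum/1.0.4.11\r\n"
    b"EXT:\r\nUSN: uuid:abcdb3c3-eada-b308-2e21-6edbab9cf4ed::upnp:rootdevice\r\n"
    b"ST: upnp:rootdevice\r\nDate: Fri, 01 Apr 2016 11:15:08 GMT\r\n\r\n")
```

Run probe() from a node outside the network, as the report instructs, and feed each returned reply to parse_ssdp_response() and amplification_factor(); a factor of 3 or more on a single 97-byte request already makes the host a useful reflector.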

Solution

If the SSDP server is not required, disable or deinstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 1900/udp on the firewall.

Further information