
What Is the Simple Service Discovery Protocol (SSDP)?

The Simple Service Discovery Protocol (SSDP) is a network protocol used to search for and recognize UPnP (Universal Plug and Play) devices on a network; it is primarily used in home or office environments. Typical UPnP devices include printers, routers, and multimedia and smart home systems. Cyber criminals can also abuse SSDP to launch Distributed Denial of Service (DDoS) attacks.


Combat SSDP risks with Myra

01

SSDP: A Definition

SSDP is a text-based protocol that is based on HTTPU and uses UDP as the underlying transport protocol. The protocol was introduced in 1999 by Microsoft and Hewlett-Packard. It enables devices to make their services discoverable on the network and to discover other compatible devices without the need for server-based configuration.


What are the key features of SSDP?

  • Uses UDP port 1900 for communication

  • Uses multicast addresses (IPv4: 239.255.255.250, IPv6: ff0x::c)

  • Based on HTTP-like methods such as NOTIFY and M-SEARCH

  • Enables automatic detection of UPnP devices in the network
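The features above are easiest to see in the messages themselves. The following Python block is an added example (not code from Myra or from any UPnP implementation): it builds an M-SEARCH request exactly as a host would multicast it to 239.255.255.250:1900, parses the HTTP-style header format that SSDP shares with NOTIFY responses, and measures how much larger a typical reply is than the request. The response text and the `192.0.2.10` device address are constructed for the example; `discover()` is included to show the real exchange on your own network segment but needs network access and is not part of the offline checks.

```python
import socket
import time

SSDP_ADDR = "239.255.255.250"   # IPv4 multicast group used by SSDP
SSDP_PORT = 1900


def build_msearch(search_target="ssdp:all", mx=2):
    """Build an M-SEARCH discovery request (HTTP-style text over UDP).

    MX is the maximum number of seconds a device may wait before answering;
    ST is the search target ("ssdp:all" asks every UPnP device to respond).
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_message(data):
    """Parse an SSDP request or response into (start line, header dict).

    Header names are upper-cased because SSDP/HTTP header names are
    case-insensitive; values keep their original form.
    """
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


# Constructed sample of the unicast response a UPnP root device sends back to
# the host that issued the M-SEARCH (documentation address, not a real device).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleDevice/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def response_size_ratio(request, response):
    """Bytes of one response per byte of the request that triggered it.

    A ratio above 1 is what makes the protocol usable as a reflector: the
    device sends back more than it received, to whatever source address the
    request carried.
    """
    return len(response) / len(request)


def discover(search_target="ssdp:all", timeout=3.0):
    """Send one M-SEARCH to the multicast group and collect the replies.

    Intended for inventorying UPnP devices on your own network segment; it
    needs network access, so it is not exercised by the offline checks.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(0.5)
    sock.sendto(build_msearch(search_target), (SSDP_ADDR, SSDP_PORT))
    found = []
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (addr, _port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        start_line, headers = parse_ssdp_message(data)
        if start_line.startswith("HTTP/1.1 200"):
            found.append((addr, headers.get("ST"), headers.get("LOCATION")))
    sock.close()
    return found


if __name__ == "__main__":
    req = build_msearch("upnp:rootdevice")
    print(parse_ssdp_message(SAMPLE_RESPONSE))
    print(f"response/request size ratio: {response_size_ratio(req, SAMPLE_RESPONSE):.1f}")
```

Even this single constructed reply is more than twice the size of the request that provoked it, and a request for `ssdp:all` draws one such reply per service a device offers, which is where the amplification discussed in the next section comes from.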

02

What Are the Dangers and Risks of SSDP?

Despite its usefulness, SSDP also presents security risks: it can be exploited for DDoS amplification attacks. Attackers send forged SSDP requests, with the source IP address spoofed to that of the target, to many vulnerable devices (hosts). These devices answer with significantly larger responses, which are delivered to the spoofed address and thus overload the target system. The volume of traffic arriving at the target is therefore many times that of the original requests.


According to the US cyber security authority CISA, attacks using SSDP can be amplified by a factor of 30. Affected targets cannot trace the origin of an ongoing attack, because the traffic reaching them comes from ordinary hosts (the reflecting devices) rather than from the attacker.

Myra's Security-as-a-Service solutions reliably protect your systems against cyber threats such as SSDP floods. Defend your critical IT infrastructure proactively, sustainably and in compliance.

How to Secure SSDP?

To minimize the risks associated with SSDP, the following security measures are recommended:

  • Access control: Restrict access of devices with SSDP enabled to trusted and internal networks.

  • Network segmentation: Strictly isolate devices with activated SSDP from critical systems and resources.

  • Vulnerability management: Regularly update firmware and programs on devices to eliminate known vulnerabilities.

  • Traffic monitoring: Use network monitoring tools to detect and analyze unusual SSDP traffic patterns.

  • SSDP disabling: Deactivate SSDP on devices when it is not required.

  • IPv4 Access Control Lists (ACLs): Implement ACLs on layer 3 interfaces to limit SSDP traffic.
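The amplification mechanism described in section 02 and the traffic-monitoring measure listed above can both be illustrated with a small detector. The following Python block is an added example, not Myra's code and not a tool the page names. It runs over constructed flow records (source, source port, destination, destination port, bytes; all addresses from the documentation and test ranges) and applies two checks: from the victim's side, it flags a host that receives responses from port 1900 from many distinct devices while having sent little or nothing on that port itself, and reports the observed amplification ratio; from the reflector's side, it lists SSDP requests that arrive from outside the internal prefixes, which is exactly the traffic the access-control and ACL measures are meant to stop. The internal prefixes and thresholds are assumptions to be tuned to your own network.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900

# RFC 1918 ranges treated as "inside" for the reflector-side check (assumption:
# adjust to the prefixes your own network actually uses).
INTERNAL_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, bytes); not real
# traffic. Addresses come from documentation/test ranges.
NORMAL_FLOWS = [
    ("192.168.1.20", 50000, "239.255.255.250", SSDP_PORT, 130),  # legitimate M-SEARCH
    ("192.168.1.1", SSDP_PORT, "192.168.1.20", 50000, 420),       # router answers
    ("192.168.1.30", SSDP_PORT, "192.168.1.20", 50000, 390),      # printer answers
]
# Requests arriving from outside with the victim's address forged as the source.
SPOOFED_REQUESTS = [
    ("203.0.113.5", 40000, "192.168.1.1", SSDP_PORT, 130),
    ("203.0.113.5", 40001, "192.168.1.30", SSDP_PORT, 130),
]
# What the victim sees: eight reflectors each delivering three 400-byte responses.
FLOOD_FLOWS = [
    (f"198.51.100.{i}", SSDP_PORT, "203.0.113.5", 80, 400)
    for i in range(1, 9)
    for _ in range(3)
]
SAMPLE_FLOWS = NORMAL_FLOWS + SPOOFED_REQUESTS + FLOOD_FLOWS


def detect_ssdp_flood(flows, min_sources=5, min_ratio=10.0):
    """Flag hosts that receive SSDP responses from many distinct devices while
    having sent little or nothing on port 1900 themselves.

    The ratio of response bytes received to request bytes sent is the observed
    amplification; a host that sent no requests at all gets an infinite ratio.
    """
    resp_bytes = defaultdict(int)
    resp_sources = defaultdict(set)
    req_bytes = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == SSDP_PORT:            # response leaving a UPnP device
            resp_bytes[dst] += nbytes
            resp_sources[dst].add(src)
        elif dport == SSDP_PORT:          # M-SEARCH/NOTIFY sent by a host
            req_bytes[src] += nbytes
    alerts = {}
    for host, received in resp_bytes.items():
        sent = req_bytes.get(host, 0)
        ratio = received / sent if sent else float("inf")
        if len(resp_sources[host]) >= min_sources and ratio >= min_ratio:
            alerts[host] = {
                "sources": len(resp_sources[host]),
                "bytes_in": received,
                "bytes_out": sent,
                "ratio": ratio,
            }
    return alerts


def find_external_msearch(flows, internal_prefixes=INTERNAL_PREFIXES):
    """Reflector-side check: an SSDP request whose source is not an internal
    address should never reach a LAN device; return them as (src, dst) pairs."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    external = []
    for src, _sport, dst, dport, _nbytes in flows:
        if dport != SSDP_PORT:
            continue
        if not any(ipaddress.ip_address(src) in n for n in nets):
            external.append((src, dst))
    return external


if __name__ == "__main__":
    for host, info in detect_ssdp_flood(SAMPLE_FLOWS).items():
        print(f"possible SSDP flood against {host}: {info}")
    for src, dst in find_external_msearch(SAMPLE_FLOWS):
        print(f"external SSDP request from {src} to {dst}: ACL/firewall gap")
```

In practice the records would come from a flow exporter or firewall log rather than a list literal; the two checks are deliberately separate because a network will usually only see one side of an attack, either its own devices being used as reflectors or one of its hosts being flooded.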


04

How to Defend Against SSDP Flood Attacks?

  • Firewall configuration: Block incoming and outgoing UDP traffic on port 1900 in the firewall.

  • Use of dedicated DDoS protection solutions for IT infrastructures: If the incoming requests from an attack threaten to overload the network capacities as a whole, dedicated protection services can filter harmful requests before they reach the IT infrastructure.

05

SSDP: What You Need to Know

The Simple Service Discovery Protocol (SSDP) is a useful protocol for the automatic discovery of network services, especially in home networks and small office environments. However, it also poses significant security risks, especially in terms of DDoS amplification attacks.


To minimize these risks, it is important to carefully monitor and control SSDP traffic. Network administrators should implement the recommended security measures to protect their networks from potential SSDP-based attacks. At the same time, end users should take care to enable SSDP only when needed and disable it on their devices when it is not required.