Sunday, May 25, 2014

UPnP - SSDP Protocol

While doing some protocol analysis for a security test, I noticed a lot of SSDP traffic in Wireshark. I wondered what it was and what the security implications were, so I did some research.

This protocol is used for UPnP (Universal Plug and Play), which allows you to easily connect devices on your network. In theory. It is an HTTP-like protocol that works with NOTIFY and M-SEARCH methods and is sent to a multicast destination IP address.

It may be a good thing - helping you connect to your printer, TV, etc.

Unfortunately it also has a long history of security flaws and can be used to carry out DoS attacks. Some research below.

What it is:

Disable in Windows 7

In January 2014, US-CERT, the National Vulnerability Database and Cisco reported that UDP-based amplification attacks may use SSDP as one of the protocols that facilitate Distributed Reflective Denial of Service (DRDoS) attacks:

Denial of Service attack noted by FortiGuard:

In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:

Whitepaper from January 2013 discussing UPnP security flaws:

Another article on exposed devices from February 2014:

ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing SOAP API that can allow access behind firewalls:

A SANS report from 2002 discusses some UPnP flaws dating from when Microsoft first shipped it:

Not completely disabled due to Windows Messenger Issue:

Code - connecting to devices using SSDP
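To make the M-SEARCH / NOTIFY description above concrete, here is an added Python example (my own code, not the code linked from the original post). It builds a standard M-SEARCH request, parses SSDP datagrams (HTTP-like text over UDP, the HTTPU format), and flags the case a defender cares about from the DRDoS reports: an SSDP search arriving from an address outside the local network, which means the service is reachable from the Internet. The NOTIFY datagram and all IP addresses in it are constructed for the example; nothing is sent on the network.

```python
"""Parse SSDP (UPnP discovery) datagrams and flag the ones a defender cares about.

SSDP is HTTP-like text over UDP (HTTPU): a start line, then headers, then a
blank line.  Discovery is an M-SEARCH request multicast to 239.255.255.250 on
UDP 1900; devices announce themselves with NOTIFY and answer searches with an
HTTP/1.1 200 OK that carries a LOCATION header.  The sample datagram and the
addresses used below are constructed for this example.
"""
import ipaddress

SSDP_MULTICAST = ("239.255.255.250", 1900)

# Where SSDP traffic is legitimately expected to originate on a home or office
# LAN: RFC 1918 ranges, link-local and loopback.  Spelled out explicitly rather
# than via ipaddress.is_private so the result does not vary with Python version.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

# Constructed sample: a root-device announcement such as a printer or TV sends.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.10:49152/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(search_target="ssdp:all", mx=2):
    """Return the bytes of a standard M-SEARCH request as a UPnP client multicasts it."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST[0]}:{SSDP_MULTICAST[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",           # seconds a device may wait before replying
        f"ST: {search_target}",  # search target, e.g. ssdp:all or upnp:rootdevice
        "",
        "",                    # trailing CRLF CRLF terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp(datagram):
    """Parse one SSDP datagram into (kind, headers).

    kind is 'M-SEARCH', 'NOTIFY', 'RESPONSE' or 'UNKNOWN'.  Header names are
    upper-cased because UPnP devices are inconsistent about case.
    """
    text = datagram.decode("utf-8", errors="replace")
    start, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    if start.startswith("M-SEARCH "):
        kind = "M-SEARCH"
    elif start.startswith("NOTIFY "):
        kind = "NOTIFY"
    elif start.startswith("HTTP/1.1 200"):
        kind = "RESPONSE"
    else:
        kind = "UNKNOWN"
    return kind, headers


def is_local_source(ip):
    """True if ip falls in one of the LOCAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def assess(src_ip, datagram):
    """Summarise one datagram seen on UDP 1900 and flag Internet-sourced searches."""
    kind, headers = parse_ssdp(datagram)
    flagged = kind == "M-SEARCH" and not is_local_source(src_ip)
    return {
        "kind": kind,
        "src": src_ip,
        "flagged": flagged,
        "note": ("M-SEARCH from outside the LAN: SSDP is Internet-reachable "
                 "(reflection risk); block UDP 1900 at the edge or disable UPnP"
                 if flagged else "expected local discovery traffic"),
        "location": headers.get("LOCATION"),
    }


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for an Internet host.
    for src, dgram in (("192.168.1.20", build_msearch()),
                       ("203.0.113.5", build_msearch("upnp:rootdevice")),
                       ("192.168.1.10", SAMPLE_NOTIFY)):
        print(assess(src, dgram))
```

Feed `assess()` the source address and payload of each UDP 1900 datagram from a capture and anything flagged is a device answering discovery from the WAN side, which is exactly the exposure the US-CERT and ThreatPost items above describe; on a healthy network every search should come from a LOCAL_NETS address.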