Doing some protocol analysis for a security test and noticed a lot of SSDP traffic in Wireshark. Wondering what it was and the security implications so did some research.
This protocol is used for UPnP (Universal Plug and Play), which is meant to let devices on a local network find each other and connect with no manual configuration. In theory. It is an HTTP-like protocol carried over UDP (HTTPU): devices announce themselves with NOTIFY messages and clients search for them with M-SEARCH queries, both sent to the well-known multicast address 239.255.255.250 on UDP port 1900.
It may be a good thing - helping you connect to your printer, TV, etc.
Unfortunately it also has a long history of security flaws, and because it answers small UDP queries with larger replies it can be abused as a reflector to carry out DoS attacks. Some research below.
What it is:
Disable in Windows 7
In January 2014 US-CERT, the National Vulnerability Database and Cisco reported that UDP-based amplification attacks may use SSDP as one of the protocols facilitating Distributed Reflective Denial of Service (DRDoS) attacks:
Denial of Service attack noted by FortiGuard:
In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:
Whitepaper from January 2013 discussing UPnP security flaws:
Another article on exposed devices from February 2014:
ThreatPost reported roughly 50 million potentially vulnerable machines responding to UPnP requests, exposing a SOAP API that can allow access to devices behind firewalls:
A SANS report from 2002 discusses some UPnP flaws from when Microsoft first shipped it:
Not completely disabled due to Windows Messenger Issue:
Code - connecting to devices using SSDP
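Here is a small discovery client I am adding to illustrate both the protocol description above (M-SEARCH to 239.255.255.250:1900, HTTP-style replies) and the amplification point from the US-CERT/Cisco advisory. It is my own example, not code from the original post or from any UPnP project. The `SAMPLE_RESPONSE` is a constructed reply in the shape a typical router sends; the device details in it (address, `LOCATION` URL, `SERVER` string, UUID) are made up. `discover()` needs a real network and is the only part not exercised offline.

```python
import socket
from typing import Dict, List, Optional

SSDP_ADDR = "239.255.255.250"   # well-known SSDP multicast group
SSDP_PORT = 1900               # well-known SSDP UDP port


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request: HTTP syntax, CRLF line endings, sent over UDP.
    MX tells devices to spread their replies over 0..MX seconds."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_message(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast 200 OK reply or a multicast NOTIFY/M-SEARCH datagram.
    Returns {"_start": start-line, HEADER: value}; header names are upper-cased
    because devices are inconsistent about case. Returns None for non-SSDP data."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    start = lines[0].strip()
    if not (start.startswith("HTTP/1.1 200")
            or start.startswith("NOTIFY")
            or start.startswith("M-SEARCH")):
        return None
    msg = {"_start": start}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        msg[name.strip().upper()] = value.strip()
    return msg


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes a reflector returns per byte sent. With a spoofed source address
    this is the bandwidth multiplier an attacker gets from the device."""
    return sum(len(r) for r in responses) / len(request)


def discover(search_target: str = "ssdp:all", mx: int = 2,
             timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to the multicast group and collect replies (needs a network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(search_target, mx), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65507)
            msg = parse_ssdp_message(data)
            if msg is not None:
                msg["_from"] = addr[0]
                found.append(msg)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not captured from a real device): a router-style
# 200 OK to an M-SEARCH, one of possibly several a device sends per query.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = build_msearch()
    print("amplification from one sample reply: %.1fx"
          % amplification_factor(req, [SAMPLE_RESPONSE]))
    for dev in discover():
        print(dev["_from"], dev.get("SERVER"), dev.get("LOCATION"))
```

Two things worth noticing when you run this on a real LAN: a single query of under 100 bytes typically draws several replies per device (one per advertised service when `ST` is `ssdp:all`), so the ratio printed above understates what a busy device returns; and the `LOCATION` URL points at the device description XML, which is where the SOAP control endpoints the ThreatPost article talks about are listed. Any device that answers this query on its WAN-facing interface is both a reflector for the DRDoS case above and a candidate for that exposed SOAP API.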