Doing some protocol analysis for a security test, I noticed a lot of SSDP traffic in Wireshark. Wondering what it was and what the security implications were, I did some research.
This protocol is used for UPnP (Universal Plug and Play), which lets you easily connect devices on your network. In theory. It is an HTTP-like protocol that works with NOTIFY and M-SEARCH methods and is sent to the multicast destination IP address 239.255.255.250.
It may be a good thing - helping you connect to your printer, TV, etc.
Unfortunately it also has a long history of security flaws and can be abused to carry out DoS attacks. Some research below.
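To make the above concrete, here is an added example (my own code, not from any of the sources linked below) that parses SSDP datagrams using their HTTP-like framing, checks whether an M-SEARCH is addressed to the 239.255.255.250:1900 multicast group as a normal LAN discovery is, and computes the bytes-out-per-byte-in ratio between a request and a device's reply, which is what makes a UDP service usable as a DRDoS reflector. The two datagrams are constructed samples, and the address 192.0.2.10 and the device strings in them are made up.

```python
"""Minimal SSDP parser plus an amplification check (added example, not
from the original post). Sample datagrams below are constructed."""
SSDP_MCAST_HOST = "239.255.255.250:1900"


def parse_ssdp(raw: bytes) -> dict:
    """Split an SSDP datagram into its type and a header dict.
    SSDP reuses HTTP/1.1 framing: start line, CRLF-separated headers,
    blank line. Header names are case-insensitive, so they are upper-cased."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    first = lines[0].split(" ")[0]
    if first in ("M-SEARCH", "NOTIFY"):
        kind = first
    elif first.startswith("HTTP/"):
        kind = "RESPONSE"  # unicast reply a device sends to an M-SEARCH
    else:
        kind = "UNKNOWN"
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"type": kind, "headers": headers}


def is_multicast_discovery(msg: dict) -> bool:
    """True when an M-SEARCH carries the SSDP multicast group in HOST, as a
    normal LAN discovery does. A unicast M-SEARCH arriving on UDP/1900 from
    the Internet does not belong on a LAN and is worth alerting on."""
    return msg["type"] == "M-SEARCH" and msg["headers"].get("HOST") == SSDP_MCAST_HOST


def amplification_ratio(request: bytes, responses: list) -> float:
    """Bytes sent back per byte received: the quantity that makes a
    UDP service attractive as a reflector in a DRDoS attack."""
    return sum(len(r) for r in responses) / len(request)


# Constructed samples: one discovery request and one device's reply.
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
         b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
         b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleDev/1.0\r\n"
         b"ST: upnp:rootdevice\r\n"
         b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    req = parse_ssdp(MSEARCH)
    print(req["type"], req["headers"]["ST"], is_multicast_discovery(req))
    print("amplification: %.1fx" % amplification_ratio(MSEARCH, [REPLY]))
```

A real device typically answers one `ssdp:all` search with several such replies (one per service it advertises), so the ratio seen on the wire is higher than this single-reply figure.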
What it is:
http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
Disable in Windows 7
http://en.kioskea.net/faq/20880-windows-7-disable-the-ssdp-discovery-service
US-CERT, the National Vulnerability Database and Cisco reported in January 2014 that UDP-based amplification attacks may use SSDP as one of the protocols facilitating Distributed Reflective Denial of Service (DRDoS) attacks:
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://tools.cisco.com/security/center/viewAlert.x?alertId=28002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5963
Denial of Service attack noted by FortiGuard:
http://www.fortiguard.com/encyclopedia/vulnerability/#id=38022
In a recent May 2014 post, CSO Online recommends disabling UPnP on home routers as part of secure configuration:
http://www.csoonline.com/article/2155342/data-protection/home-routers-broken-windows-to-the-world.html
Whitepaper from January 2013 discussing UPnP security flaws:
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Another article on exposed devices from February 2014:
http://www.klocwork.com/blog/embedded-software/universal-plug-and-play-vulnerabilities-leave-millions-of-devices-exposed/
ThreatPost found 50 million potentially vulnerable machines responding to UPnP, exposing a SOAP API that can allow access behind firewalls:
http://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465
A SANS report from 2002 discusses some UPnP flaws from when it was first released by Microsoft:
http://www.sans.org/security-resources/malwarefaq/win_upnp.php
Not completely disabled due to a Windows Messenger issue:
http://support.microsoft.com/kb/317843
Code - connecting to devices using SSDP
http://lewisbenge.azurewebsites.net/2012/11/13/device-discovery-ssdp-in-windows-8-and-winrt/