SSDP (Simple Service Discovery Protocol) is a network protocol used in small networks, including home networks, to advertise and discover network services primarily supported by the Universal Plug-and-Play (UPnP) architecture. SSDP is an HTTPU-based textual protocol that uses XML. It exchanges messages using UDP datagrams.
Easy to set up
SSDP is the backbone of the UPnP architecture. It lets home devices that sit on the same small network, or are connected to the same Wi-Fi access point, find and interconnect with each other easily. Such devices include, for example, smartphones, printers and MFPs, smart TVs, media consoles, speakers, camcorders, etc. For SSDP to work, these devices must support UPnP.
On devices and PCs that support SSDP, this feature can be enabled, disabled, or paused. When SSDP is enabled, devices communicate information about themselves and the services they provide to any other UPnP client. Using SSDP, computers connected to the network also provide information about available services.
Using SSDP, devices and PCs not only learn about each other, but also get the opportunity to interact in some way: exchange data, launch functions and services on another device, etc.
Threats associated with SSDP
From an information security point of view, two things need to be remembered. Firstly, the SSDP protocol itself provides no encryption (although, of course, it does not prevent devices from exchanging encrypted data). Secondly, on many devices intended for home or small-office use, SSDP support is enabled by default, which creates a risk of unauthorized access. Therefore, this feature should be kept disabled: enable it only when you really need it, and make sure it is disabled on every device that is not currently using it.
You can check whether the SSDP Discovery service is enabled on your Windows PC by opening the Services console (services.msc). To find out whether SSDP support is enabled on a particular device, carefully study the device's documentation and check its settings.
It should also be remembered that SSDP features are used in the implementation of DDoS attacks such as “SSDP amplification”.
DDoS attacks using SSDP
These types of network layer (L3) attacks exploit weaknesses that are inherent in the design of the SSDP protocol, probably because its developers wanted to make the interaction of devices in a small network as simple as possible. Unfortunately, this simplicity comes at the expense of security.
In its most general form, the connection of a new device looks like this. To find out which devices are already present on the network, a newly added device with SSDP enabled sends a search request to the reserved multicast address and port (239.255.255.250:1900). In the request, the device specifies a search target matching the type of device or service it is looking for. In response, each device on the network that currently supports SSDP sends a UDP message with information about itself to the source IP address and port from which the request was sent.
The trick is that the SSDP protocol does not check where a message came from, so devices will answer not only requests from their neighbors, but also requests sent from outside the network. A firewall can and should protect against such requests. But, firstly, network owners do not always install one, and secondly, port 1900 often remains open even when a firewall is installed. And since an SSDP response can be several times, or even tens of times, larger than the request itself, an amplification attack becomes possible: a forged request arriving from the external network, with the victim host's IP address as its source address, triggers a much larger response that is delivered to the victim. From there it proceeds as in the classic DDoS scenario: either the victim's communication channel is clogged with garbage, or the host itself is overwhelmed trying to process a powerful stream of SSDP responses.
To minimize the risk of SSDP-based attacks, you need to:
- Block UDP port 1900 in the firewall, both inbound and outbound.
- Use BGP flowspec to restrict incoming traffic from this port and to this port.
- Use UDP-based services with extreme caution, as UDP-based DDoS attacks are more difficult to counter.
- Regularly scan devices connected to the network for the enabled SSDP function and always disable it if it is not required at the moment.