What is it?

Simple Service Discovery Protocol (SSDP) is used to discover which devices are available on a local area network and what services they offer. It is the discovery mechanism of Universal Plug and Play (UPnP), used by devices such as printers, scanners, media players and home routers, and it also helps locate other network resources. SSDP runs over UDP on port 1900: a client sends an M-SEARCH query to the multicast address 239.255.255.250:1900, and every device that matches the query replies directly to the address the query came from.

Attackers exploit SSDP for Denial of Service (DoS) attacks, in which the attacker tries to overwhelm a victim's server by flooding it with traffic. In a Distributed Denial of Service (DDoS) attack the flood comes from many machines at once; in the SSDP case those machines are unwitting third-party devices that all send traffic to the victim at the same time.

Why is it a risk?

SSDP runs over UDP, which has no handshake, so a device answers whatever source address a query claims to come from. An attacker sends M-SEARCH queries to MANY SSDP devices that are reachable from the Internet, with the source address forged to be the victim's network address. Each device then sends its reply (in effect, "send a report to the victim") to the victim instead of to the attacker. None of these devices is compromised or part of a bot-net; they are simply unwitting reflectors. The resulting flood of replies can overload the victim's computer or saturate its link. This is a reflection-and-amplification DDoS attack, and it is effective precisely because each reply is much bigger than the query that produced it: the attacker's own bandwidth is multiplied by that ratio, and a query for ST: ssdp:all makes a device reply once for every service it advertises.
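To make the size difference concrete, here is the M-SEARCH query an SSDP client sends, a parser for the replies a device returns, and the resulting amplification factor. This is an added example written for this page, not code from the original article or from Cloudflare; the three replies are constructed samples in the shape a UPnP router returns to one ST: ssdp:all query (the router name, UUID and 192.0.2.1 address are placeholders), so nothing on the network is contacted.

```python
"""SSDP M-SEARCH query, a device's replies, and the amplification they yield.

Added example for this page (not code from the original article). The replies
below are constructed samples in the shape a UPnP router returns to one
ST=ssdp:all query; no real device is contacted and the addresses, router name
and UUID are documentation placeholders.
"""
from typing import Dict, Iterable, List

SSDP_MULTICAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(search_target: str = "ssdp:all", mx: int = 1) -> bytes:
    """Build the M-SEARCH datagram an SSDP client sends.

    ST=ssdp:all asks a device to answer once for every service it advertises,
    so a single small query can trigger several replies.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse one 'HTTP/1.1 200 OK' SSDP reply into a dict of upper-cased headers.

    Anything that is not a well-formed 200 OK reply raises ValueError, so a
    caller never mistakes a stray datagram for a discovered service.
    """
    text = raw.decode("latin-1")  # SSDP headers are ASCII; latin-1 never fails
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP 200 OK reply: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    for required in ("LOCATION", "ST", "USN"):
        if required not in headers:
            raise ValueError(f"reply is missing the {required} header")
    return headers


def amplification_factor(request: bytes, responses: Iterable[bytes]) -> float:
    """Bytes sent back to the (possibly spoofed) source per byte the sender spent."""
    return sum(len(r) for r in responses) / len(request)


def _sample_reply(st: str) -> bytes:
    # Constructed sample reply; "ExampleRouter", the UUID and 192.0.2.1 are placeholders.
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        "LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
        "SERVER: Linux/3.4 UPnP/1.0 ExampleRouter/1.0\r\n"
        f"ST: {st}\r\n"
        f"USN: uuid:00000000-0000-0000-0000-000000000001::{st}\r\n"
        "\r\n"
    ).encode("ascii")


# One reply per advertised service is what ST=ssdp:all produces.
SAMPLE_REPLIES: List[bytes] = [
    _sample_reply("upnp:rootdevice"),
    _sample_reply("urn:schemas-upnp-org:device:InternetGatewayDevice:1"),
    _sample_reply("urn:schemas-upnp-org:service:WANIPConnection:1"),
]


if __name__ == "__main__":
    query = build_msearch()
    for reply in SAMPLE_REPLIES:
        print("service:", parse_ssdp_response(reply)["ST"])
    print(f"{len(query)} bytes out, "
          f"{sum(len(r) for r in SAMPLE_REPLIES)} bytes back, "
          f"amplification x{amplification_factor(query, SAMPLE_REPLIES):.1f}")
```

The query is under 100 bytes; the three constructed replies together are several times that, and a real device advertising more services replies more times still. The attacker pays for the query once and the reflector pays for every reply, all of which land on the spoofed source.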

The Cloudflare post linked below explains, in detail, how easy it is to mount a DDoS attack using SSDP reflection (they describe one that reached 100 Gbps); so easy that they nicknamed SSDP the "Stupidly Simple DDoS Protocol."

How can you mitigate the risk?

There are very few use cases in which UPnP discovery requests should be coming from the Internet into your local area network, so the first fix is straightforward: write firewall rules on your Internet-facing interface that drop inbound UDP traffic to destination port 1900. That keeps your own devices from being used as reflectors. Two caveats. First, that rule does not protect you as a victim: reflected replies come from source port 1900 on the reflectors and are aimed at whatever destination port the attacker put in the spoofed query, and by the time they reach your firewall your uplink is already full, so absorbing a large attack takes filtering upstream (your ISP or a DDoS mitigation provider). Second, the attack only works because the reflectors' networks let forged source addresses out; networks that implement source address validation (BCP 38) cannot be used as reflectors this way.
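The two sides of that mitigation (are we reflecting, and are we being hit) show up differently in flow records, and the rule above only fixes the first. The following added example, written for this page rather than taken from the original article, runs both checks over constructed NetFlow-style records; the Flow field names and the 192.0.2.0/24 "internal" network are assumptions for the demo, and the addresses are documentation ranges.

```python
"""Spot SSDP reflection traffic in flow records.

Added example for this page (not from the original article). The flow
records are constructed samples in a NetFlow-like shape; the Flow fields and
the 192.0.2.0/24 "internal" network are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

SSDP_PORT = 1900
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed LAN range


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    nbytes: int


def _is_internal(ip: str, internal: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in internal


def find_reflection_victims(flows: Iterable[Flow],
                            min_sources: int = 10) -> Dict[str, Tuple[int, int]]:
    """Hosts receiving UDP *from* port 1900 from many distinct addresses.

    Those are M-SEARCH replies to queries the host never sent: the victim-side
    signature of SSDP reflection. Returns {victim_ip: (distinct_sources, bytes)}.
    Normal LAN discovery yields replies from a handful of local devices, so it
    stays below min_sources.
    """
    sources: Dict[str, Set[str]] = defaultdict(set)
    volume: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src_port == SSDP_PORT:
            sources[f.dst_ip].add(f.src_ip)
            volume[f.dst_ip] += f.nbytes
    return {dst: (len(srcs), volume[dst])
            for dst, srcs in sources.items() if len(srcs) >= min_sources}


def find_exposed_reflectors(flows: Iterable[Flow],
                            internal: ipaddress.IPv4Network = INTERNAL_NET) -> Set[str]:
    """Internal hosts that both receive UDP/1900 from outside and answer it.

    These are your devices being used (or tested) as reflectors; the inbound
    destination-port-1900 firewall rule is what stops them.
    """
    flows = list(flows)
    probed = {f.dst_ip for f in flows
              if f.proto == "udp" and f.dst_port == SSDP_PORT
              and _is_internal(f.dst_ip, internal)
              and not _is_internal(f.src_ip, internal)}
    answered = {f.src_ip for f in flows
                if f.proto == "udp" and f.src_port == SSDP_PORT
                and _is_internal(f.src_ip, internal)
                and not _is_internal(f.dst_ip, internal)}
    return probed & answered


def sample_flows() -> List[Flow]:
    """Constructed records: a reflection flood, normal LAN discovery, and one
    router answering a query from the Internet."""
    flows: List[Flow] = []
    # 15 Internet reflectors each send a ~300-byte reply to 192.0.2.10 (the
    # victim), aimed at the port the attacker put in the spoofed query.
    for i in range(1, 16):
        flows.append(Flow(f"198.51.100.{i}", SSDP_PORT, "192.0.2.10", 40001, "udp", 310))
    # Legitimate discovery: a laptop multicasts M-SEARCH, the router replies.
    flows.append(Flow("192.0.2.20", 50123, "239.255.255.250", SSDP_PORT, "udp", 94))
    flows.append(Flow("192.0.2.1", SSDP_PORT, "192.0.2.20", 50123, "udp", 232))
    # A host on the Internet probes the router's WAN side, and the router answers.
    flows.append(Flow("203.0.113.7", 1337, "192.0.2.1", SSDP_PORT, "udp", 94))
    flows.append(Flow("192.0.2.1", SSDP_PORT, "203.0.113.7", 1337, "udp", 232))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("victims:", find_reflection_victims(flows))
    print("exposed reflectors:", find_exposed_reflectors(flows))
```

The victim check keys on source port 1900 and the number of distinct senders, not on destination port, because the attacker chooses the destination port when forging the query. The reflector check requires both an inbound probe and a matching reply, so a device that is probed but already firewalled is not flagged.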

Resources:

Cloudflare, "Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS"
https://blog.cloudflare.com/ssdp-100gbps/
