2 June 2021

SSDP DDoS Attacks

SSDP attacks take their name from the Simple Service Discovery Protocol. They abuse UPnP (Universal Plug and Play) devices to send excessive traffic to a targeted victim, and they belong to the reflection-based class of DDoS attacks that exploit the behaviour of a legitimate network protocol. The aim of this type of attack is to take the target's infrastructure and web resources offline.

What Is SSDP?

SSDP (Simple Service Discovery Protocol) is a network protocol that allows devices to discover each other on a local network without requiring manual configuration or a central DNS server. It is a component of the UPnP framework and is used by devices such as smart TVs, routers, printers, media players, and other IoT devices to advertise their services and find other devices on the network. SSDP uses UDP and operates on port 1900.

While SSDP is designed for local network use, many internet-facing devices have UPnP enabled and exposed to the public internet, either by design or through misconfiguration. These publicly accessible SSDP-enabled devices can be weaponised by attackers to carry out amplification DDoS attacks.

How Do SSDP DDoS Attacks Work?

SSDP DDoS attacks are carried out in a similar way to other reflection-based amplification attacks. The attacker begins by scanning the internet to identify publicly accessible IP addresses of UPnP devices that are running SSDP. The attacker then sends SSDP search requests (M-SEARCH requests) to these devices, spoofing the source IP address in each packet to match the IP address of the intended victim.

Each SSDP device responds to the search request by sending its UPnP service descriptions to the spoofed source address — which is the victim’s IP. The response from a UPnP device is typically much larger than the original request, providing an amplification factor. When large numbers of SSDP devices are used simultaneously, the accumulated response traffic directed at the victim can be massive, overwhelming the victim’s network infrastructure and causing a denial of service.

The amplification factor for SSDP attacks can be significant — responses can be 30 to 50 times larger than the original requests, meaning a relatively modest volume of spoofed requests can generate a very large volume of attack traffic directed at the target.

Defence Against SSDP DDoS Attacks

The most effective way to reduce the risk of SSDP-based attacks is to ensure that UPnP and SSDP are not exposed to the public internet. Network administrators should audit their devices and firewalls to block UDP port 1900 from external access. ISPs can also help by implementing ingress filtering to block packets with spoofed source addresses leaving their networks. For organisations being targeted, upstream DDoS mitigation services can scrub SSDP attack traffic before it reaches the victim’s network infrastructure.
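As an added example (not code from the original post), the following script shows the defender's view of the mechanics described in the previous two sections: it scans constructed UDP flow records for responses arriving from source port 1900, groups them by destination, and flags any destination that is receiving replies from several distinct reflectors at once, estimating the amplification ratio against an assumed 100-byte M-SEARCH request size. The flow records, IP addresses, threshold and request size are all assumptions chosen for illustration.

```python
"""Flag SSDP reflection traffic in UDP flow records (added example, not from the original post).

A reflected SSDP response reaches the victim from UDP source port 1900 even though the victim
never sent an M-SEARCH. Many distinct reflectors converging on one destination is the signature.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes). Not real traffic.
FLOWS = [
    ("198.51.100.10", 1900, "203.0.113.5", 41234, 4100),
    ("198.51.100.11", 1900, "203.0.113.5", 41234, 3900),
    ("198.51.100.12", 1900, "203.0.113.5", 41234, 4200),
    ("198.51.100.13", 1900, "203.0.113.5", 41234, 4000),
    ("192.0.2.7", 1900, "203.0.113.9", 50000, 400),   # one reply to one host: benign discovery
    ("192.0.2.8", 443, "203.0.113.5", 41234, 1500),   # unrelated flow, not from port 1900
]

SSDP_PORT = 1900
# Assumed size of a typical M-SEARCH request, used only to estimate amplification.
ASSUMED_MSEARCH_BYTES = 100


def summarize_ssdp_responses(flows):
    """Group flows sourced from UDP port 1900 by destination: reflector set and byte total."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, nbytes in flows:
        if sport == SSDP_PORT:
            per_dst[dst]["reflectors"].add(src)
            per_dst[dst]["bytes"] += nbytes
    return per_dst


def detect_reflection(flows, min_reflectors=3, request_bytes=ASSUMED_MSEARCH_BYTES):
    """Return {victim: (reflector_count, total_bytes, amplification)} for suspicious destinations.

    Amplification assumes each reflector answered a single request of request_bytes, so the
    ratio is total response bytes over (reflectors * request_bytes).
    """
    alerts = {}
    for dst, info in summarize_ssdp_responses(flows).items():
        n = len(info["reflectors"])
        if n >= min_reflectors:
            amplification = info["bytes"] / (n * request_bytes)
            alerts[dst] = (n, info["bytes"], round(amplification, 1))
    return alerts


if __name__ == "__main__":
    for victim, (n, total, amp) in detect_reflection(FLOWS).items():
        print(f"{victim}: {n} reflectors, {total} bytes, ~{amp}x amplification")
```

Against the constructed records only 203.0.113.5 is flagged, with an estimated ratio inside the 30 to 50 times range quoted above; the single reply to 203.0.113.9 stays below the reflector threshold.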
