DESCRIPTION LAST UPDATED: 2024-01-02
DEFAULT SEVERITY LEVEL: HIGH
This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet.
These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.
The data also contains Plex Media SSDP results (see DDoSers are abusing the Plex Media Server to make attacks more potent
You can learn more on the report in our Open SSDP Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page..
Local Manual Testing
If you would like to test your own device to see if it has SSDP (UPnP) enabled, you can do the following. In one window, start tcpdump with the command:
tcpdump -n host [IP]
and then in a second window, enter:
perl -e ‘print “M-SEARCH * HTTP/1.1\r\nHost:184.108.40.206:1900\r\nST:upnp:rootdevice\r\nMan:\”ssdp:discover\”\r\nMX:3\r\n\r\n”‘ > /dev/udp/[IP]/1900
If your device has SSDP enabled, you should see a fair amount of traffic on the tcpdump window.