Open SSDP Report

LAST UPDATED: 2023-02-21

This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet.

These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.

For more details behind the scan methodology and a daily update of global SSDP scan statistics please visit our dedicated SSDP scan page.

You can learn more on the report in our Open SSDP Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

For more information on our scanning efforts, check out our Internet scanning summary page.

Local Manual Testing

If you would like to test your own device to see if it has SSDP (UPnP) enabled, you can do the following. In one window, start tcpdump with the command:

tcpdump -n host [IP]

and then in a second window, enter:

perl -e ‘print “M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\”ssdp:discover\”\r\nMX:3\r\n\r\n”‘ > /dev/udp/[IP]/1900

If your device has SSDP enabled, you should see a fair amount of traffic on the tcpdump window.

Report Details

Filename(s): scan_ssdp

Fields

timestamp

Time that the IP was probed in UTC+0
ip

The IP address of the device in question
protocol

Protocol that the DNS response came on (usually UDP)
port

Port that the SSDP response came from
hostname

Reverse DNS name of the device in question
tag

Will always be SSDP
header

The initial HTTPU (HTTP over UDP) header that was received
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
systime

GMT timestamp when the response was created
cache_control

Cache-control — how long to wait for more communication
location

URL of where the XML service description is located
server

Server information of a Host that supports UDAP
search_target

Search Target (ST) value
unique_service_name

USN field contains compilation of uuid:uuid_of_Host_device::ST_of_response
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
response_size

Response size in bytes

Sample

"timestamp","ip","protocol","port","hostname","tag","header","asn","geo","region","city","systime","cache_control","location","server","search_target","unique_service_name","host","nts","nt","content_type","naics","sic","sector","server_port","instance","version","updated_at","resource_identifier","amplification","response_size"
"2010-02-10 00:00:00",192.168.0.1,udp,60194,node01.example.com,ssdp,"HTTP/1.1 200 OK",64512,ZZ,Region,City,"Sun, 21 Aug 2022 09:51:13 GMT",max-age=100,http://192.168.200.254:49152/description.xml,"Linux/2.6.26, UPnP/1.0, Portable SDK for UPnP devices/1.3.1",upnp:rootdevice,uuid:28802880-2880-1880-a880-001bc502f600::upnp:rootdevice,node01.example.com,,,,0,0,Government,,,,,,3.35,325
"2010-02-10 00:00:01",192.168.0.2,udp,38732,node02.example.com,ssdp,"HTTP/1.1 200 OK",64512,ZZ,Region,City,,"max-age = 1800",http://95.160.216.14:52235/dmr/SamsungMRDesc.xml,"Linux/9.0 UPnP/1.0 PROTOTYPE/1.0",upnp:rootdevice,uuid:f144ca92-6816-94b5-b95f-b58180834044::upnp:rootdevice,node02.example.com,,,,0,0,,,,,,,2.71,263
"2010-02-10 00:00:02",192.168.0.3,udp,57626,node03.example.com,ssdp,"HTTP/1.1 200 OK",64512,ZZ,Region,City,"Sun, 03 Jan 2016 21:37:50 GMT",max-age=1800,http://192.168.1.3:8008/ssdp/device-desc.xml,"Linux/3.10.79, UPnP/1.0, Portable SDK for UPnP devices/1.6.18",upnp:rootdevice,uuid:62fa0fc8-079d-d00f-2e22-59b49fb488f9::upnp:rootdevice,node03.example.com,,,,0,0,Government,,,,,,4.79,465

Our 118 Report Types

« Back to Network Reporting