HIGH: Open SSDP Report



This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet.

These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.

You can track latest SSDP exposure on our Dashboard.

The data also contains Plex Media SSDP results (see DDoSers are abusing the Plex Media Server to make attacks more potent

You can learn more on the report in our Open SSDP Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Local Manual Testing

If you would like to test your own device to see if it has SSDP (UPnP) enabled, you can do the following. In one window, start tcpdump with the command:

tcpdump -n host [IP]

and then in a second window, enter:

perl -e ‘print “M-SEARCH * HTTP/1.1\r\nHost:\r\nST:upnp:rootdevice\r\nMan:\”ssdp:discover\”\r\nMX:3\r\n\r\n”‘ > /dev/udp/[IP]/1900

If your device has SSDP enabled, you should see a fair amount of traffic on the tcpdump window.

Report Details

Filename(s): scan_ssdp



  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the DNS response came on (usually UDP)
  • port
    Port that the SSDP response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be SSDP
  • header
    The initial HTTPU (HTTP over UDP) header that was received
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • systime
    GMT timestamp when the response was created
  • cache_control
    Cache-control — how long to wait for more communication
  • location
    URL of where the XML service description is located
  • server
    Server information of a Host that supports UDAP
  • search_target
    Search Target (ST) value
  • unique_service_name
    USN field contains compilation of uuid:uuid_of_Host_device::ST_of_response
  • host
    FQDN used to locate a specific plex box
  • nts
    Notification Subtype
  • nt
    Notification Type
  • content_type
    Content type (for example, plex/media-server)
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the IP belongs to
  • server_port
    Port that the server service lives on
  • instance
    Trivial name of the plex instance
  • version
    Version of Plex that is running
  • updated_at
    When the server contents were last updated (in epoch)
  • resource_identifier
    Resource identifier
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • response_size
    Response size in bytes


"2010-02-10 00:00:00",high,,udp,32414,node01.example.com,plex,"HTTP/1.0 200 OK",64512,ZZ,Region,City,,,,7db646d5c79c4a7580f8c921a3bd6269.plex.direct,,,node01.example.com,,,plex/media-server,0,ptr,,32400,PRMMTV_007,,1699219743,888520b1808776266c483727d54254b29fad7ad7,254.00,254
"2010-02-10 00:00:01",high,,udp,32414,node02.example.com,plex,"HTTP/1.0 200 OK",64512,ZZ,Region,City,,,,03a1804b39e0475380a80b60f7347cbc.plex.direct,,,node02.example.com,,,plex/media-server,0,,,32400,SRV_VideoServer,,1698313307,d9fda17b40abc7b4014c4d3f487e818c51de4f40,259.00,259
"2010-02-10 00:00:02",high,,udp,32414,node03.example.com,plex,"HTTP/1.0 200 OK",64512,ZZ,Region,City,,,,b5fdc9ef6b8149df8187d36a9a2d0987.plex.direct,,,node03.example.com,,,plex/media-server,0,,,32400,aurele-plex,,1697914255,b336e4752fbf6e19229b74f502726394071d190c,255.00,255

Our 128 Report Types