|Friday Security Notes
|Exposed UPNP Devices
|Even in the Quietest Moments ...
|UDP port 1900 DDoS traffic
|Observing multiple UPnP SSDP scans on port 1900. Originating from multiple sources and hitting all external IPs.
|Observing DDoS based on udp/1900 right now, avg pkt size around 300 bytes per zombie.
|Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
Vulnerability Note VU#922681: http://www.kb.cert.org/vuls/id/922681
|Thiago P. Macedo
|SSDP Discovery Service

SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP Discovery Service manages receipt of device presence announcements, updates its cache, and passes these notifications along to clients with outstanding search requests. SSDP Discovery Service also accepts registration of event callbacks from clients, turns these into subscription requests, and monitors for event notifications. It then passes these requests along to the registered callbacks. This system service also provides hosted devices with periodic announcements.

Currently, the SSDP event notification service uses TCP port 5000. Starting with the next Windows XP service pack, it will rely on TCP port 2869.

Note: At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1 (SP1).

System service name: SSDPRSR

Application protocol              Protocol  Ports
SSDP                              UDP       1900
SSDP event notification           TCP       2869
SSDP legacy event notification    TCP       5000

(See http://support.microsoft.com/Default.aspx?kbid=832017 for more details).
|This port is used by 'Universal Plug and Play' (UPNP). By default, Windows XP has this function enabled. Some more recent routers use it as well. UPNP is designed to allow network devices to configure themselves automatically.
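An added example, not taken from any of the comments above: a flow-record triage that separates the three udp/1900 patterns this page mentions (scans hitting many of our addresses, floods arriving from source port 1900, and our own hosts answering SSDP to the outside). The monitored network, thresholds, record layout and all flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

MONITORED = ipaddress.ip_network("192.0.2.0/24")  # assumption: our address space

# Constructed flow records: (proto, src, sport, dst, dport, packets, bytes)
FLOWS = [
    ("udp", "198.51.100.7", 40000, "192.0.2.1", 1900, 1, 130),
    ("udp", "198.51.100.7", 40000, "192.0.2.2", 1900, 1, 130),
    ("udp", "198.51.100.7", 40000, "192.0.2.3", 1900, 1, 130),
    ("udp", "192.0.2.3", 1900, "198.51.100.7", 40000, 2, 600),
    ("udp", "203.0.113.10", 1900, "192.0.2.50", 53211, 100, 30000),
    ("udp", "203.0.113.11", 1900, "192.0.2.50", 53211, 100, 30000),
    ("udp", "203.0.113.12", 1900, "192.0.2.50", 53211, 100, 30000),
    ("tcp", "192.0.2.9", 51000, "198.51.100.20", 443, 12, 9000),
]

def is_ours(ip):
    return ipaddress.ip_address(ip) in MONITORED

def triage(flows, min_targets=3, min_sources=3):
    """Group udp/1900 flows into scanners, flood targets and exposed responders."""
    probed = defaultdict(set)                   # outside source -> our IPs probed on udp/1900
    flood = defaultdict(lambda: [set(), 0, 0])  # our IP -> [sources, packets, bytes]
    responders = set()                          # our hosts replying from udp/1900 to outside
    for proto, src, sport, dst, dport, pkts, size in flows:
        if proto != "udp" or 1900 not in (sport, dport):
            continue
        if not is_ours(src) and is_ours(dst):
            if dport == 1900:                   # inbound SSDP query
                probed[src].add(dst)
            else:                               # inbound traffic sourced from port 1900
                entry = flood[dst]
                entry[0].add(src)
                entry[1] += pkts
                entry[2] += size
        elif is_ours(src) and not is_ours(dst) and sport == 1900:
            responders.add(src)
    return {
        "scanners": sorted(s for s, t in probed.items() if len(t) >= min_targets),
        "flood_targets": {d: {"sources": len(e[0]), "avg_pkt_bytes": e[2] // max(e[1], 1)}
                          for d, e in flood.items() if len(e[0]) >= min_sources},
        "exposed_responders": sorted(responders),
    }

if __name__ == "__main__":
    print(triage(FLOWS))
```

A host listed under exposed_responders is answering SSDP from outside the monitored network and is the first candidate for a filter on udp/1900 at the border.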