Internet Storm Center

Handler on Duty: Didier Stevens

Threat Level: green

Loading...

[get complete service list]

Port Information
Protocol	Service	Name
tcp	ssdp	SSDP
udp	ssdp	SSDP

Top IPs Scanning
Today	Yesterday
95.214.27.39 (122)	37.44.238.89 (391)
95.214.27.38 (107)	104.167.223.138 (352)
52.73.169.169 (105)	95.214.27.39 (339)
143.42.173.60 (44)	45.56.103.253 (337)
3.144.120.14 (42)	185.242.226.31 (335)
45.221.97.77 (37)	95.214.27.38 (325)
3.141.153.201 (28)	87.120.114.52 (313)
71.6.232.26 (27)	103.147.45.2 (305)
139.144.239.185 (24)	185.94.111.1 (303)
3.17.206.73 (21)	146.88.241.184 (108)

Port diary mentions
URL
Friday Security Notes
Exposed UPNP Devices
Even in the Quietest Moments ...
UDP port 1900 DDoS traffic

User Comments
Submitted By	Date
Comment
	2015-05-24 00:28:28
Observing multiple UPnP SSDP scans on port 1900. Originating from multiple sources and hitting all external IPs.
Peter Gervai	2014-08-22 03:02:22
Observing DDoS based on udp/1900 right now, avg pkt size around 300 bytes per zombie.
	2013-01-31 13:51:48
Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp Vulnerability Note VU#922681 http://www.kb.cert.org/vuls/id/922681
Thiago P. Macedo	2006-12-31 08:09:33
SSDP Discovery Service SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service. SSDP Discovery Service manages receipt of device presence announcements, updates its cache, and passes these notifications along to clients with outstanding search requests. SSDP Discovery Service also accepts registration of event callbacks from clients, turns these into subscription requests, and monitors for event notifications. It then passes these requests along to the registered callbacks. This system service also provides hosted devices with periodic announcements. Currently, the SSDP event notification service uses TCP port 5000. Starting with the next Windows XP service pack, it will rely on TCP port 2869. Note At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1 (SP1). System service name: SSDPRSR Application protocol Protocol Ports SSDP UDP 1900 SSDP event notification TCP 2869 SSDP legacy event notification TCP 5000 (See http://support.microsoft.com/Default.aspx?kbid=832017 for more details).
Johannes Ullrich	2003-02-25 19:02:42
This port is used by 'Universal Plug and Play' (UPNP). By default, Windows XP has this function enabled. Some more recent routers use it as well. UPNP is designed to allow network devices to configure themself automatically.

CVE Links
CVE #	Description
CVE-2015-6031