|Observing multiple UPnP SSDP scans on port 1900. Originating from multiple sources and hitting all external IPs.
|Observing DDoS based on udp/1900 right now, avg pkt size around 300 bytes per zombie.
|Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
Vulnerability Note VU#922681
|Thiago P. Macedo
|SSDP Discovery Service
SSDP Discovery Service implements Simple Service Discovery Protocol (SSDP) as a Windows service.
SSDP Discovery Service manages receipt of device presence announcements, updates its cache,
and passes these notifications along to clients with outstanding search requests.
SSDP Discovery Service also accepts registration of event callbacks from clients,
turns these into subscription requests, and monitors for event notifications.
It then passes these requests along to the registered callbacks. This system service also
provides hosted devices with periodic announcements. Currently, the SSDP event notification
service uses TCP port 5000. Starting with the next Windows XP service pack,
it will rely on TCP port 2869.
Note: At the time of this writing, the current Windows XP service pack level is Windows XP Service Pack 1 (SP1).
System service name: SSDPRSR
Application protocol             Protocol  Ports
SSDP                             UDP       1900
SSDP event notification          TCP       2869
SSDP legacy event notification   TCP       5000
(See http://support.microsoft.com/Default.aspx?kbid=832017 for more details).
|This port is used by 'Universal Plug and Play' (UPNP). By default, Windows XP has this function enabled. Some more recent routers use it as well. UPNP is designed to allow network devices to configure themselves automatically.