Threat Encyclopedia

UPnP.SSDP.M.Search.Anomaly

description-logoDescription

This indicates detection of an attempt scan using UPnP SSDP M-Search packets.
Simple Service Discovery Protocol (SSDP) is a network protocol for advertisement and discovery of network services information. SSDP is the basis of the discovery protocol, Universal Plug and Play (UPnP). SSDP uses HTTP over UDP to announce the establishment or withdrawal of services information to the multicast group. A client, that wishes to discover available services on a network, uses the method M-SEARCH.
Normal M-Search packets should go to multicast address 239.255.255.250, but the attempted scan targeted an IP that's not the multicast address, indicating that it's likely to be malicious. It could be from a scanner or from DDoS.

affected-products-logoAffected Products

All network devices that support UPnP

Impact

Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.

recomended-action-logoRecommended Actions

Monitor the traffic from the network for any suspicious activity.