UPnP.SSDP.M.Search.Anomaly
Description
This indicates detection of an attempted scan using UPnP SSDP M-Search packets.
Simple Service Discovery Protocol (SSDP) is a network protocol for the advertisement and discovery of network service information. SSDP is the basis of discovery in Universal Plug and Play (UPnP). SSDP uses HTTP over UDP to announce the establishment or withdrawal of service information to the multicast group. A client that wishes to discover available services on a network uses the M-SEARCH method.
Normal M-Search packets should go to the multicast address 239.255.255.250, but the attempted scan targeted an IP that is not the multicast address, indicating that it is likely to be malicious. The traffic could come from a scanner or be part of a DDoS attack.
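The check described above, written out as an added example (this is not the signature's own logic or vendor code): it parses UDP payloads as SSDP M-SEARCH requests and reports, per source, every destination that is not 239.255.255.250. The standard SSDP port 1900, the function names and the sample datagrams are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # assumption: standard SSDP port, not stated on the page
SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")

def parse_msearch(payload: bytes):
    """Return the header dict if payload is an SSDP M-SEARCH request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH * HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def find_anomalies(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, payload).
    Returns {src_ip: sorted non-multicast destinations that received M-SEARCH}."""
    hits = defaultdict(set)
    for src, dst, port, payload in datagrams:
        if port != SSDP_PORT or parse_msearch(payload) is None:
            continue
        if ipaddress.ip_address(dst) != SSDP_MULTICAST:
            hits[src].add(dst)
    return {s: sorted(d, key=ipaddress.ip_address) for s, d in hits.items()}

def msearch(host):
    """Build a constructed M-SEARCH payload for the sample data below."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {host}:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n').encode()

# Constructed sample datagrams (documentation address ranges).
SAMPLE = [
    ("192.0.2.10", "239.255.255.250", 1900, msearch("239.255.255.250")),  # normal discovery
    ("198.51.100.7", "192.0.2.21", 1900, msearch("192.0.2.21")),          # unicast target
    ("198.51.100.7", "192.0.2.22", 1900, msearch("192.0.2.22")),          # unicast target
    ("192.0.2.10", "192.0.2.21", 1900, b"NOTIFY * HTTP/1.1\r\n\r\n"),     # not M-SEARCH
]

if __name__ == "__main__":
    for src, dsts in find_anomalies(SAMPLE).items():
        print(f"{src}: M-SEARCH sent to non-multicast {', '.join(dsts)}")
```

Grouping by source shows how many distinct hosts one sender probed, which helps when reviewing the flagged traffic.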
Affected Products
All network devices that support UPnP
Impact
Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.
Recommended Actions
Monitor the traffic from the network for any suspicious activity.
Coverage
IPS (Regular DB)
IPS (Extended DB)