Simple Service Discovery Protocol

The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information. It accomplishes this without assistance of server-based configuration mechanisms, such as the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS), and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments. It was formally described in an IETF Internet draft by Microsoft and Hewlett-Packard in 1999. Although the IETF proposal has since expired (April, 2000),[1] SSDP was incorporated into the UPnP protocol stack, and a description of the final implementation is included in UPnP standards documents.[2]

Protocol transport and addressing

SSDP is a text-based protocol based on HTTPU. It uses the User Datagram Protocol (UDP) as the underlying transport protocol. Services are announced by the hosting system with multicast addressing to a specifically designated IP multicast address at UDP port number 1900. In IPv4, the multicast address is 239.255.255.250[3] and SSDP over IPv6 uses the address set ff0X::c for all scope ranges indicated by X.[4]

This results in the following well-known practical multicast addresses for SSDP:

Additionally, applications may use the source-specific multicast addresses derived from the local IPv6 routing prefix, with group ID C (decimal 12).

SSDP uses the HTTP method NOTIFY to announce the establishment or withdrawal of services (presence) information to the multicast group. A client that wishes to discover available services on a network, uses method M-SEARCH. Responses to such search requests are sent via unicast addressing to the originating address and port number of the multicast request.

Microsoft's IPv6 SSDP implementations in Windows Media Player and Server use the link-local scope address. Microsoft uses port number 2869 for event notification and event subscriptions. However, early implementations of SSDP also used port 5000 for this service.[5]

DDoS attack

In 2014 it was discovered that SSDP was being used in DDoS attacks known as an SSDP reflection attack with amplification. Many devices, including some residential routers, have a vulnerability in the UPnP software that allows an attacker to get replies from port number 1900 to a destination address of their choice. With a botnet of thousands of devices the attackers can generate sufficient packet rates and occupy bandwidth to saturate links, causing the denial of service.[6] [7]

See also

References

  1. IETF draft revision 3 (outdated and expired)
  2. "UPNP Device Architecture 1.1" (PDF). UPnP Forum. 2008-10-15.
  3. "Internet Multicast Addresses". IANA. 2010-06-22.
  4. "Internet Protocol Version 6 Multicast Addresses". IANA. Retrieved 2010-08-10.
  5. Microsoft Knowledge Base Article 832017
  6. Guide to DDoS Attacks, pg 8
  7. "UDP-Based Amplification Attacks".
This article is issued from Wikipedia - version of the 9/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.