SSDP Problems

Microsoft is interested in retiring the NetBios protocols in favor of more modern local network technologies. One of these new alternatives is their network UPnP (universal plug-n-play) which relies on the new SSDP (simple service discovery protocol) to advertise or find network devices and services (over UDP port 1900). SSDP is similar in purpose to mDNS (used by Apple / Bonjour / Avahi).

In an enterprise / business network, SSDP can be dangerous if malicious or untrusted devices advertise their services and are discovered by your business user computers or servers. Because of this, many organizations are recommending that SSDP and UPnP be disabled in business networks.

If you’re interested in viewing SSDP traffic on your local network, the recommended Wireshark capture and display filters are listed at

If you suspect other low-level network foul play auto-configuring your client devices, take a look for rogue DHCP servers. Run wireshark with a filter to show DHCP offers, then release and renew your IP and see whether any offers come from unauthorized servers. More info including an example wireshark display filter at

Fancy switches may provide additional protection such as the dhcp-snooping or rogue dhcp prevention features in procurve, cisco, or other full-featured network equipment. More info on the procurve feature is available at

Other things to look into: LLTD (link layer topology discovery), LLMNR (link-local multicast name resolution), group policy setting to override some of this at “Computer Configuration | Policies | Administrative Templates | Network”, wireshark edit-“find packet” by “string” and “packet details”.


About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s