SSDP Amplification

What is an SSDP Amplification Attack?

Attack Description:

SSDP, otherwise known as the Simple Service Discovery Protocol, is a network-based protocol used for the advertisement and discovery of network services. SSDP allows Universal Plug and Play (UPnP) devices to send and receive information using UDP on port 1900. SSDP is attractive to DDoS attackers because of its open state, which allows spoofing and amplification.

The SSDP DDoS attack falls into the same category as the DNS and NTP amplified DDoS attacks, where attackers use a smaller botnet that spoofs the victim's IP addresses. Attackers then use that botnet to query home routers, firewalls, printers, access points and the like that have the UPnP service open to the internet. Because the queries carry the victim's address as their source, those devices send their responses to the victim.

DDoS DNS amplification attacks are now more likely to use SSDP than NTP.
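
The sketch below is an added example, not part of the original page or any vendor's product. It scans flow records for the two boundary-crossing patterns the description implies: UDP replies from external source port 1900 converging on one internal host, and external queries reaching an internal device on port 1900. The flow tuple layout, the `INTERNAL` range, the `MIN_SOURCES` threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900
INTERNAL = ip_network("192.0.2.0/24")  # assumption: our own address space
MIN_SOURCES = 3  # assumption: distinct external senders before flagging

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("198.51.100.10", 1900, "192.0.2.20", 41000, "udp", 3100),
    ("198.51.100.11", 1900, "192.0.2.20", 41000, "udp", 2950),
    ("203.0.113.5", 1900, "192.0.2.20", 41000, "udp", 3300),
    ("203.0.113.9", 53000, "192.0.2.77", 1900, "udp", 130),
    ("192.0.2.77", 1900, "203.0.113.9", 53000, "udp", 3000),
    ("192.0.2.30", 50000, "192.0.2.31", 1900, "udp", 130),  # LAN-local discovery
    ("198.51.100.50", 443, "192.0.2.20", 52000, "tcp", 9000),
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def analyse(flows):
    """Return (victims, exposed_devices) seen in the flow records."""
    senders = defaultdict(set)
    volume = defaultdict(int)
    exposed = set()
    for src, sport, dst, dport, proto, nbytes in flows:
        # SSDP is meant for the local network, so only UDP that crosses
        # the boundary from outside to inside is of interest here.
        if proto != "udp" or is_internal(src) or not is_internal(dst):
            continue
        if sport == SSDP_PORT:
            # Replies from external port 1900: reflected traffic at a victim.
            senders[dst].add(src)
            volume[dst] += nbytes
        if dport == SSDP_PORT:
            # External query reaching an internal UPnP device: potential reflector.
            exposed.add(dst)
    victims = {host: (len(s), volume[host])
               for host, s in senders.items() if len(s) >= MIN_SOURCES}
    return victims, sorted(exposed)


if __name__ == "__main__":
    victims, exposed = analyse(FLOWS)
    for host, (count, total) in victims.items():
        print(f"possible SSDP reflection target {host}: {count} senders, {total} bytes")
    for host in exposed:
        print(f"UDP/1900 reachable from outside: {host}")
```

Any host in the second list is a candidate for blocking inbound UDP/1900 at the perimeter or disabling UPnP on its WAN interface.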


Corero’s SmartWall allows you to mitigate SSDP DDoS Attacks in real-time and stops SSDP DDoS Attacks instantaneously without incurring false positives or downtime for scrubbing.
