Port 1900: SSDP — The Protocol That Finds Your Devices (and Floods the Internet)

What Runs on Port 1900

Port 1900 carries SSDP — the Simple Service Discovery Protocol, the backbone of UPnP (Universal Plug and Play).

When you plug a Roku into your network and it magically finds your NAS without configuration, that's SSDP. When your printer announces itself without you touching a driver, that's SSDP. When your smart TV appears in your media center's device list within seconds, SSDP did that.

The protocol runs almost exclusively over UDP (not TCP). It uses a multicast address — 239.255.255.250 — to reach every listening device on the local subnet simultaneously. One shout, everyone hears it.¹

How SSDP Works

Discovery is a two-step conversation:

Device announces itself (NOTIFY): When a UPnP device joins the network, it multicasts a NOTIFY message to 239.255.255.250:1900 announcing what it is and what services it offers.

Client searches for devices (M-SEARCH): When an application wants to find devices, it sends an M-SEARCH multicast. Every compatible device on the subnet responds directly to the requester.

The responses include a URL where the device's full capabilities (an XML document called the "device description") can be fetched. This is how your computer learns that the thing at 192.168.1.45 is a media renderer that supports DLNA.

SSDP is text-based — readable, simple, and designed for networks where you trust everyone on them.²

The History

Microsoft and Hewlett-Packard drafted SSDP in 1999 as part of the UPnP initiative — an attempt to make home networking genuinely plug-and-play. The IETF Internet Draft expired in 2000 without becoming an RFC. It didn't matter. The UPnP Forum incorporated SSDP into its own standards, and manufacturers shipped billions of devices with it.³

IANA formally recognizes port 1900 UDP for SSDP. Whether it counts as "officially assigned" or "widely-used de facto standard" depends on who you ask — but every router, game console, smart speaker, and streaming device treats it as gospel.

The Security Problem

SSDP was designed for trusted local networks. The Internet is not a trusted local network.

In 2014, researchers discovered that millions of home routers were answering SSDP discovery requests from the public Internet — a configuration that was never intended but is extraordinarily common. Attackers exploit this to devastating effect:

1. Attacker spoofs their IP address as the victim's IP
2. Attacker sends M-SEARCH requests to thousands of exposed routers on port 1900
3. Each router responds to the victim's IP with a reply up to 30 times larger than the request
4. Victim receives a traffic flood they never asked for, from devices they've never touched

Cloudflare documented a 100 Gbps DDoS attack generated entirely through SSDP amplification in 2014. The protocol that makes your printer discoverable makes your router a weapon.⁴

If you run a public-facing network: Block inbound and outbound UDP traffic on port 1900 at your firewall. SSDP has no business crossing the Internet boundary.

What's Listening on Port 1900

On your local network, many things:

# Linux/macOS — see what's bound to port 1900
sudo lsof -i UDP:1900

# Or with ss (Linux)
ss -lupn sport = :1900

# Windows
netstat -ano | findstr :1900

On a typical home network you'll find your router, any smart TVs, streaming sticks, game consoles, smart speakers, and network-attached storage all listening here. On a corporate network you'll find... too many things to count, which is exactly the problem.