Port 1900 (UDP) – SSDP/UPnP

What runs on port 1900?

UDP 1900 carries SSDP (Simple Service Discovery Protocol), the discovery component of UPnP (Universal Plug and Play). Devices multicast M-SEARCH queries and NOTIFY announcements so that routers, smart TVs, printers, media servers, and IoT gadgets can find each other and auto-configure on a LAN. It is enabled by default on a huge range of consumer hardware.

Why it matters for security

SSDP is meant for the local network only, but countless routers and IoT devices leak it to the internet. Because a small query returns a much larger response, open SSDP responders are a prime reflection and amplification DDoS source and have fueled some of the largest recorded attacks. Where UPnP control endpoints are also exposed, attackers can manipulate port mappings and NAT rules to punch holes through the firewall, and the responses reveal device models and firmware for targeting.

How it's attacked

Attackers scan UDP 1900 for responsive devices, then send spoofed M-SEARCH queries to reflect amplified traffic at a victim for DDoS. Exposed UPnP control URLs are abused to add malicious port forwards, exposing internal services or routing attacker traffic. Discovery replies also feed reconnaissance of device types and versions.

Hardening checklist

Block inbound UDP 1900 at the perimeter and ensure routers do not run SSDP/UPnP on their WAN interface. Disable UPnP entirely where it isn't required, segment IoT devices onto their own network, and keep router and device firmware patched. Use the nmap snippet above to check for UPnP/SSDP exposure on devices you are authorized to test.