Information
The Simple Service Discovery Protocol (SSDP) is an application layer protocol and one of the key protocols that implement Universal Plug and Play (UPnP). SSDP enables network devices to discover and advertise network services by sending multicast discovery and advertisement messages to the multicast IPv4 group address 239.255.255.250:1900 or the multicast IPv6 group address FF0x::C.
With UPnP, each device generates a unique multicast flow (Source IP, SSDP Group IP). In a multicast network with many end user devices, this can consume a large amount of multicast hardware and software resources, as each device creates a unique (S, G) flow and the resources are limited.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
The following example shows a typical static multicast route: [Incoming interface, Source, Group] > [Set of downstream interfaces] -
ip multicast-static-route <incoming-interface-name> {<source-address | any>} <group-address> [<outgoing-interface-name>] vrf <vrf-name>
If the SSDP service is not needed in the network, best practice is to disable SSDP either through VLAN ACLs or through a policy, as shown in the following examples:
ACL -
switch(config)# access-list ip <drop_ssdp_acl>
switch(config-acl-ip)# 10 deny udp any 239.255.255.250 eq 1900
switch(config)# vlan <id>
switch(config-vlan-id)# apply access-list ip <drop_ssdp_acl> in
switch(config)# interface <interface-id>
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# vlan access <id>
switch(config)# interface vlan <id>
switch(config-if-vlan)# ip address <ip-address>
switch(config-if-vlan)# ip igmp enable
switch(config-if-vlan)# ip pim-sparse enable
switch(config)# router pim
switch(config-pim)# enable
Policy -
switch(config)# class ip <drop_class>
switch(config-class-ip)# 10 match any any 239.255.255.250
switch(config)# policy <drop_ssdp_policy>
switch(config-policy)# 10 class ip <drop_class> action drop
switch(config)# vlan <id>
switch(config-vlan-id)# apply policy <drop_ssdp_policy> in
switch(config)# interface <interface-id>
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# vlan access <id>
switch(config)# interface vlan <id>
switch(config-if-vlan)# ip address <ip-address>
switch(config-if-vlan)# ip igmp enable
switch(config-if-vlan)# ip pim-sparse enable
switch(config)# router pim
switch(config-pim)# enable
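The following Python script is an added example, not part of the benchmark or of Nessus' own check logic: it parses a running-config excerpt in the AOS-CX style shown above and reports VLANs that have no inbound ACL dropping UDP to 239.255.255.250 port 1900. The sample config is constructed, and the parser assumes the two-level stanza/indentation layout seen in the ACL example (it covers the ACL variant only, not the class/policy variant).

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config excerpt (not captured from a real device).
# ACL drop_ssdp_acl denies SSDP; it is applied inbound on VLAN 10 but not on VLAN 20.
SAMPLE_CONFIG = """\
access-list ip drop_ssdp_acl
    10 deny udp any 239.255.255.250 eq 1900
    20 permit any any any
vlan 10
    apply access-list ip drop_ssdp_acl in
vlan 20
    name guests
"""

# A deny entry for UDP from any source to the SSDP group on port 1900.
SSDP_DENY = re.compile(
    r"^\d+\s+deny\s+udp\s+any\s+239\.255\.255\.250(?:/\d+)?\s+eq\s+1900\b")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their unindented stanza header (e.g. 'vlan 10')."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def ssdp_drop_acls(blocks: Dict[str, List[str]]) -> Set[str]:
    """Names of 'access-list ip' stanzas that contain an SSDP deny entry."""
    return {hdr.split()[2] for hdr, lines in blocks.items()
            if hdr.startswith("access-list ip ") and any(SSDP_DENY.match(l) for l in lines)}


def vlans_missing_ssdp_drop(config: str) -> List[str]:
    """VLAN ids with no inbound SSDP-dropping ACL applied: the audit finding."""
    blocks = parse_blocks(config)
    acls = ssdp_drop_acls(blocks)
    missing = []
    for hdr, lines in blocks.items():
        if hdr.startswith("vlan "):
            applied = {l.split()[3] for l in lines
                       if l.startswith("apply access-list ip ") and l.endswith(" in")}
            if not applied & acls:
                missing.append(hdr.split()[1])
    return missing
```

Running `vlans_missing_ssdp_drop(SAMPLE_CONFIG)` on the constructed sample returns `['20']`, the VLAN where SSDP is still allowed in.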
Impact:
In networks where there is a need to control, drop, or minimize SSDP traffic, summarized static multicast routes can be configured to save network resources and to avoid denial of service.
Item Details
Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CA-9, 800-53|MP-2, 800-53|SC-7, CSCv7|14.2, CSCv7|14.6
Control ID: c87a239fb14b9c0a968a8d972ba2845bc7d652bf9b71ddced4759ee6c8a0c538