Your Router Is Announcing Itself
We pointed our packet-capture tool at a normal home network for nine seconds. Not a malicious one. Not a misconfigured one. Just a regular consumer Wi-Fi router sitting in a regular living room.
In those nine seconds, the router shouted its own make, model, and firmware version to every device on the LAN twenty times. In cleartext. To a multicast address designed to reach every machine on the network. Without anyone asking.
It's not a bug. It's a protocol called SSDP, it's enabled by default on most consumer routers, and most people have never heard of it. This article is about what it does, who can read it, and how to turn it off.
The Capture
Here's what we saw. Source identifiers and the specific router model are redacted — the point isn't to embarrass one vendor, it's that this is a default behavior across the consumer router market, not a one-off.
Source: [upstream router, RFC1918 LAN address]
Destination: 239.255.255.250 // SSDP multicast group — "every device"
Protocol: SSDP (UDP/1900)
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: [OS]/[version] UPnP/1.0 [vendor]/[model]/[firmware]
LOCATION: http://[router-ip]:5000/rootDesc.xml
USN: uuid:[device-uuid]::urn:schemas-upnp-org:device:InternetGatewayDevice:1
// 19 more NOTIFYs in the next 8.5 seconds, advertising other
// services on the same router (WANConnectionDevice, WFADevice,
// Layer3Forwarding, etc.)
Worth dwelling on that last number. Nobody asked the router for any of this. No device requested a service. The router was advertising on its own, on a schedule, to a destination address (239.255.255.250) that every device on the LAN listens to whether it cares or not.
What SSDP Actually Is
SSDP stands for Simple Service Discovery Protocol. It's the discovery half of UPnP (Universal Plug and Play), a 1999-era set of protocols that lets devices on a local network find each other without configuration. The idea was friendly: a printer announces itself so your laptop can find it, a smart TV announces itself so your phone can cast to it, your router announces itself so apps that need port forwarding can ask for it.
The mechanism is multicast advertising. Every device that supports UPnP periodically sends a NOTIFY ssdp:alive packet to 239.255.255.250, a multicast address reserved for SSDP. Anything on the network that's listening receives every announcement automatically. Discovery also works in the other direction: any host can send an M-SEARCH query to the same address, and every UPnP device that matches must answer it directly, so nobody even has to wait for the next announcement. There is no authentication, no encryption, and no way to ask "who's allowed to know I'm here." The protocol was designed for a world where the local network was assumed to be trusted.
That assumption hasn't aged well. A modern home network has, on average, more than a dozen connected devices, several of which are running someone else's code, and at least one of which is probably a guest's phone that has been on hundreds of other networks this year. The "trusted LAN" is a polite fiction.
What Each Broadcast Reveals
The sample NOTIFY above carries five pieces of information that an attacker would otherwise have to work for:
- SERVER header. Operating system, OS version, UPnP version, vendor name, model name, firmware version. This is the payoff of the whole exercise: exactly the product and version string a CVE database needs to tell you whether the device has a known, unpatched vulnerability.
- LOCATION header. A URL on the router pointing to rootDesc.xml, a descriptor file that enumerates every UPnP service the device exposes (port mapping, layer-3 forwarding, WAN configuration, etc.) along with their control endpoints.
- USN header. A unique device identifier (UUID). Stable across reboots. Useful for fingerprinting the same router across captures, time, or networks.
- NT/NTS headers. The device class and lifecycle state. Tells you it's an Internet Gateway Device (a router) and that it's currently online.
- The fact of the broadcast itself. The NT header names an InternetGatewayDevice, so the sender is not just some device on the LAN: it is the router, and you have found it without a port scan.
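To make the list above concrete, here is a small parser that takes a raw SSDP datagram and reduces it to the fields a listener actually learns. This is an added example, not code from the original capture or from GhostPort; the NOTIFY it parses is a constructed sample modelled on the redacted one above, with placeholder OS, vendor, model, firmware, address and UUID values (it also carries the CACHE-CONTROL header the UPnP spec requires, which the excerpt above does not show).

```python
"""Parse an SSDP NOTIFY and extract what a listener on the LAN learns from it."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the redacted capture. The OS, vendor, model,
# firmware, UUID and address are placeholders, not a real device.
# CACHE-CONTROL is required by the UPnP spec (it sets the re-advertisement
# interval) even though the capture excerpt does not show it.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: ExampleOS/4.1 UPnP/1.0 ExampleVendor-Model42/1.0.3\r\n"
    b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"USN: uuid:00000000-0000-4000-8000-000000000001"
    b"::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

# SERVER is "OS/version UPnP/version product/version" per the UPnP spec.
SERVER_RE = re.compile(r"^(?P<os>.+?)\s+UPnP/(?P<upnp>\S+)\s+(?P<product>.+)$")


def parse_ssdp(datagram: bytes) -> Dict[str, str]:
    """Split an SSDP datagram into its start line ("_start") and upper-cased headers."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    msg = {"_start": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than crash on hostile input
            msg[name.strip().upper()] = value.strip()
    return msg


@dataclass
class Fingerprint:
    is_gateway: bool                 # NT/ST names an InternetGatewayDevice, i.e. the router
    alive: bool                      # NTS is ssdp:alive (NOTIFY only; byebye -> False)
    os_token: str                    # e.g. "ExampleOS/4.1"
    upnp_version: str                # e.g. "1.0"
    product_token: str               # vendor/model/firmware: the CVE lookup key
    description_url: str             # LOCATION: where rootDesc.xml enumerates services
    device_uuid: str                 # stable identifier carved out of USN
    readvertise_secs: Optional[int]  # max-age: how long before the next announcement


def fingerprint(msg: Dict[str, str]) -> Fingerprint:
    """Reduce a parsed NOTIFY (or M-SEARCH response) to the attacker-relevant facts."""
    server = msg.get("SERVER", "")
    m = SERVER_RE.match(server)
    if m:
        os_token, upnp, product = m.group("os"), m.group("upnp"), m.group("product")
    else:  # non-conforming SERVER header: keep it whole rather than guess
        os_token, upnp, product = server, "", ""
    device_type = msg.get("NT") or msg.get("ST", "")  # NT in NOTIFY, ST in responses
    uuid_m = re.match(r"uuid:([^:]+)", msg.get("USN", ""))
    age_m = re.search(r"max-age\s*=\s*(\d+)", msg.get("CACHE-CONTROL", ""))
    return Fingerprint(
        is_gateway="InternetGatewayDevice" in device_type,
        alive=msg.get("NTS", "") == "ssdp:alive",
        os_token=os_token,
        upnp_version=upnp,
        product_token=product,
        description_url=msg.get("LOCATION", ""),
        device_uuid=uuid_m.group(1) if uuid_m else "",
        readvertise_secs=int(age_m.group(1)) if age_m else None,
    )


if __name__ == "__main__":
    fp = fingerprint(parse_ssdp(SAMPLE_NOTIFY))
    for name, value in vars(fp).items():
        print(f"{name:18} {value}")
```

The product token is the part worth staring at: it is the string you would paste into a CVE search, and it arrived without a single packet being sent to the router. The max-age value is also informative, since it tells you how often the device will re-announce on its own.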
The Threat Model
Three categories of attacker can read these broadcasts. None of them are exotic.
Anyone on the Wi-Fi. Your guests. The contractor working on your house. Your kid's friend whose phone has malware on it. The Airbnb guest who left two weeks ago and whose laptop still remembers your password. SSDP is multicast traffic; if you're on the network, you receive it.
A compromised IoT device. A smart bulb, a video doorbell, a thermostat: any of them, if compromised, sees every SSDP broadcast on the LAN. The attacker doesn't need to scan; in our capture the router introduced itself twenty times in nine seconds, unprompted.
Anyone who can run code in your browser. This is the one most people don't expect. A web page cannot receive the multicast announcement itself, but the service behind the LOCATION URL is plain HTTP on the LAN with no authentication, and router addresses and description paths are guessable. In some configurations, script in a malicious advertisement can reach those UPnP endpoints from inside your browser, and an attacker who has already seen the announcement (as a guest on the Wi-Fi, say) knows exactly which URL to aim at.
What does any of these attackers do with the information? The boring, devastating thing:
Step 1. Read the SERVER and LOCATION headers. Now they know the exact router model and firmware version.
Step 2. Look up that model and firmware against a public CVE database (cve.mitre.org, nvd.nist.gov, or one of a dozen vendor trackers).
Step 3. If the firmware is more than a few months old, and most consumer-router firmware is, there is a good chance a published vulnerability has never been patched on it. Now they have a roadmap into the network.
No exploit needed to get to step 3. Just listening to traffic the router is volunteering on its own.
None of this requires sophistication. The end-to-end recon, from "joined the Wi-Fi" to "I know how to compromise the router," can take under a minute.
How To Turn It Off
The good news: SSDP turns off with UPnP, and UPnP is a checkbox in the router's admin panel. The exact location varies by vendor, but the path is roughly the same on most modern routers:
- xFi gateways: 10.0.0.1 → Advanced → UPnP → Disable. (On some xFi gateways the option is hidden; you may need to call support or use bridge mode with your own router.)
- Other routers: the admin panel (usually 192.168.0.1 or 192.168.1.1) under any of: Advanced, NAT, Firewall, WAN, Application Layer Gateway. Search the manual for "UPnP" if the menu structure is unfamiliar.
Once it's off, confirm it. The router should stop sending NOTIFYs and should no longer answer an SSDP M-SEARCH for InternetGatewayDevice; a second capture is the check, an unticked checkbox is not. One caveat: if your router also runs a media server (DLNA) for an attached USB drive, that is a separate UPnP service and may have its own setting.
What You Lose
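The confirmation step, as an added example (not GhostPort's tooling and not part of the original article): it sends a standard SSDP M-SEARCH for the gateway device type and records who answers, then joins the multicast group and listens for unsolicited gateway NOTIFYs. The timeouts are assumptions; the addresses and device-type string are the SSDP constants already shown above.

```python
"""Verify that the router no longer advertises or answers as a UPnP gateway."""
import socket
import time
from typing import List, Tuple

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """The SSDP M-SEARCH request; every UPnP device matching ST must answer it."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def is_gateway_advert(datagram: bytes) -> bool:
    """True for an M-SEARCH response or NOTIFY whose ST/NT names an InternetGatewayDevice.

    Another host's M-SEARCH carries the same ST, so the start line is checked first;
    otherwise someone else's query would be misreported as the router answering.
    """
    head, _, rest = datagram.partition(b"\r\n")
    if not (head.startswith(b"HTTP/1.1 200") or head.startswith(b"NOTIFY")):
        return False
    for line in rest.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().upper() in (b"ST", b"NT") and b"InternetGatewayDevice" in value:
            return True
    return False


def _collect(sock: socket.socket, seconds: float) -> List[Tuple[str, int]]:
    """Drain a socket for `seconds`, returning the unique senders of gateway adverts."""
    sock.settimeout(0.5)
    found: List[Tuple[str, int]] = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, addr = sock.recvfrom(65535)
        except socket.timeout:
            continue
        if is_gateway_advert(data) and addr not in found:
            found.append(addr)
    return found


def active_probe(seconds: float = 3.0) -> List[Tuple[str, int]]:
    """Ask: multicast an M-SEARCH for the gateway device type and see who answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        return _collect(sock, seconds)


def passive_listen(seconds: float = 30.0) -> List[Tuple[str, int]]:
    """Listen: join the SSDP group and record unsolicited gateway NOTIFYs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", SSDP_PORT))
        mreq = socket.inet_aton(SSDP_GROUP) + socket.inet_aton("0.0.0.0")
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
        return _collect(sock, seconds)


if __name__ == "__main__":
    answered = active_probe()
    announced = passive_listen()
    if answered or announced:
        print("UPnP gateway still present:", sorted(set(answered + announced)))
    else:
        print("No gateway answered M-SEARCH and none announced itself: UPnP is off.")
```

The active probe is the decisive half. A device that still runs UPnP is required to answer M-SEARCH, whereas a short passive window can miss a router whose announcement interval (max-age) is longer than the time you spent listening. Run it from a machine on the same Wi-Fi as the router; if the passive bind fails because a local UPnP client already holds port 1900, the active probe alone is still a valid check.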
Honesty matters here. Disabling UPnP is not free, and we're not going to pretend it is.
UPnP exists because a real category of software wants to ask the router for a port-forwarding rule without making the user open the admin panel. The most common cases:
- Game consoles. Xbox party chat, Nintendo Switch online play, and PlayStation matchmaking all benefit from UPnP. Without it you may see "strict NAT" warnings and degraded multiplayer connectivity. The fix is to manually configure port forwarding for the specific ports those services use, which is a one-time inconvenience but a real one.
- Some VoIP and video-call software. Older SIP phones and a few conferencing apps rely on UPnP to open an inbound port for media. Most modern apps (Zoom, FaceTime, WebRTC-based services) do not; they use STUN/ICE-style hole-punching that needs no help from the router.
- BitTorrent and self-hosted services. Anything that wants to accept inbound connections from the internet often uses UPnP to open the path. Without it, you configure the port forward by hand.
- IoT discovery on the LAN. Some smart-home apps use SSDP to find devices on the local network. If you turn off UPnP at the router, devices that broadcast their own SSDP (smart TVs, streaming devices) may still be discoverable, but the router itself stops advertising.
For most households, the answer is: turn it off, see if anything noticeable breaks, and add a manual port forward for the one or two things that actually needed it. The trade is a small amount of one-time configuration work in exchange for closing a permanent leak.
What You Don't Lose
A few things people sometimes worry about that you do not lose:
- Internet access. Outbound traffic is unaffected. Web browsing, streaming, social media, and almost all apps work identically.
- Wi-Fi for guest devices. SSDP and UPnP have nothing to do with whether a device can join the network or get an IP address.
- Casting and AirPlay. AirPlay (Bonjour) and Google Cast use mDNS/DNS-SD, a different protocol on a different multicast address (224.0.0.251, UDP/5353), not SSDP. The SSDP that some streaming boxes do use passes device-to-device over the LAN and never depended on the router's UPnP service, so disabling UPnP at the router doesn't affect it.
- Smart-home control. If your devices already work today, turning off UPnP at the router won't break the link between your phone app and the cloud service those devices report to.
The GhostPort Side Of This
One reason we ran the capture in the first place: we wanted to confirm what GhostPort itself emits on the LAN. The answer is nothing in this category. GhostPort Phantom OS doesn't run a UPnP service, doesn't broadcast SSDP, and operates the LAN in deliberate-mode — meaning anything talking on it is talking because someone specifically configured it to. Discovery is an explicit action, not an ambient broadcast.
That's a design choice with the same trade-off any user makes when they disable UPnP on their existing router: a one-time setup cost in exchange for a network that doesn't volunteer its inventory to anyone listening. We made the call that the trade is worth it. Your existing router probably gives you the same option in its admin panel; we'd encourage you to take it.
The Bigger Point
This isn't really an article about SSDP. It's an article about defaults.
Almost every weakness in a normal home network is a default that was set in the late 1990s, when the LAN was assumed to be trusted, and never reconsidered. UPnP is one. Open mDNS reflection is another. WPS being on by default is a third. Each one was a reasonable choice at the time, and each one quietly accumulated risk as the world around it changed.
You don't need a privacy router to fix any of this. You need fifteen minutes with your existing router's admin panel and a willingness to read what each setting actually does. We'll keep writing these as we find them in the wild.
Your network shouldn't introduce itself to strangers.
ghostporttechnologies.com