While reviewing firewall logs that were sent to me from a Windows 7 box (the box is not a server) on a tiny network, I saw thousands of incoming SSDP UDP entries. The SSDP entries were nearly constant, occurring every 3 seconds (approx 1200 log entries per hour). The last time I was asked to review the logs for that network, I don't recall seeing such traffic.
The firewall log shows the SSDP traffic as incoming. As expected, the protocol is UDP. It is almost all coming from ::1 (loopback) over a single dynamic port (49152 - 65535) with a destination address of ff02::c (IPv6 link-local), port 1900. The SSDPSRV service of Windows is the Windows service handling the requests.
Is this type of traffic normal for networks containing a Win7 box?
If not, what should be attempted to fix the issue?
I'd expect to see it on any network that has Windows computers.
Disable and stop the SSDP Discovery service on your Windows computers.
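A triage sketch for the kind of log described in the question, added here as an example and not part of the original thread: it groups UDP port 1900 entries by source and destination, labels where each source sits (loopback, link-local, other) and reports the typical interval between entries. It assumes the log uses the Windows Firewall pfirewall.log field layout, which the post does not state; the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the assumed pfirewall.log layout; not taken from the original post.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-01-01 10:00:00 ALLOW UDP ::1 ff02::c 52344 1900 0 - - - - - - - RECEIVE
2015-01-01 10:00:03 ALLOW UDP ::1 ff02::c 52344 1900 0 - - - - - - - RECEIVE
2015-01-01 10:00:06 ALLOW UDP ::1 ff02::c 52344 1900 0 - - - - - - - RECEIVE
2015-01-01 10:00:07 ALLOW UDP fe80::1c2d:3e4f:5a6b:7c8d ff02::c 61000 1900 0 - - - - - - - RECEIVE
2015-01-01 10:00:08 ALLOW TCP 192.168.1.20 192.168.1.10 50000 445 0 - 0 0 0 - - - RECEIVE
2015-01-01 10:00:09 ALLOW UDP ::1 ff02::c 52344 1900 0 - - - - - - - RECEIVE
"""

def classify(addr):
    """Label a source address; a zone suffix such as %11 is dropped first."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip.is_loopback:
        return "loopback"
    return "link-local" if ip.is_link_local else "other"

def summarize_ssdp(log_text):
    """Return {(src, dst): {count, origin, median_gap_s}} for UDP/1900 entries."""
    fields, times = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "UDP" or rec.get("dst-port") != "1900":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        times[(rec["src-ip"], rec["dst-ip"])].append(ts)
    report = {}
    for (src, dst), seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        report[(src, dst)] = {"count": len(seen), "origin": classify(src),
                              "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for flow, stats in summarize_ssdp(SAMPLE_LOG).items():
        print(flow, stats)
```

Entries whose origin is loopback were generated by the logging machine itself, so on a real log the rows worth a closer look are the ones with any other origin.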