The Universal Plug N' Play (UPnP) system operates over two ports: UDP/1900 and TCP/5000.
UDP is used on port 1900 because it supports "broadcast semantics," which allow a single UPnP announcement message to be received by all devices listening on the same sub-network. TCP, being inherently a point-to-point, connection-oriented protocol, does not support message broadcasts.
When UPnP devices wish to announce themselves, or "shout out" to find out what other UPnP devices are hanging around on the network, they issue a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. This special "multicast" broadcast address has been set aside for UPnP devices, and messages sent to it will be received by all of them listening on UDP port 1900.
After such an announcement broadcast is made, any devices wishing to reply or respond to the broadcaster initiate a TCP connection to the broadcaster's TCP port 5000. The devices then engage in a dialog to meet their needs.
As you can see, UPnP-enabled devices will be opening and listening on UDP port 1900 and TCP port 5000.
It is probably worth mentioning that, here again, Microsoft's exposed UPnP Internet servers were found to have remotely exploitable unchecked buffers that would allow, in principle, remote malicious hackers to commandeer Windows ME or XP computers. Microsoft quickly issued a patch to fix this known vulnerability, but since there might well be others, and since unused Internet servers and services should not be left running if they are not actively needed, I wrote a quick, simple, and small 22 kbyte utility which allows the Universal Plug N' Play servers in Windows ME and XP to be easily started, stopped, and semi-permanently deactivated (until they are possibly needed at some future time).
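To check whether a machine still has the two UPnP listeners described above, the output of `netstat -an` can be scanned for sockets bound to UDP port 1900 and TCP port 5000. The following is an added example, not the utility mentioned above and not code from the original page; the function name `find_upnp_listeners` is hypothetical, the sample output is constructed, and the Windows `netstat -an` column layout is assumed.

```python
import ipaddress

# Ports this page attributes to UPnP: UDP/1900 (announcements), TCP/5000 (replies).
UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:5000       ESTABLISHED
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    [::]:500               *:*
"""

def find_upnp_listeners(netstat_text):
    """Return (proto, address, port, scope) for each socket listening on a UPnP port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        proto, local = fields[0], fields[1]
        # TCP must be in LISTENING state; UDP is connectionless and has no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port_text = local.rpartition(":")
        if not port_text.isdigit() or (proto, int(port_text)) not in UPNP_PORTS:
            continue
        host = host.strip("[]")  # IPv6 addresses are printed in brackets
        try:
            addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
        except ValueError:
            continue
        scope = "loopback-only" if addr.is_loopback else (
            "all-interfaces" if addr.is_unspecified else "single-interface")
        findings.append((proto, host, int(port_text), scope))
    return findings

if __name__ == "__main__":
    for proto, host, port, scope in find_upnp_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port} listening on {host} ({scope})")
```

An empty result after the UPnP servers have been stopped indicates that neither port is still open; an `all-interfaces` entry means the listener is reachable from every network the machine is attached to.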