I got the following email from Hetzner:
Dear Sir or Madam,
the Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP uses port 1900/udp.
Over the past months, systems responding to SSDP requests from
anywhere on the Internet have been increasingly abused for DDoS
reflection attacks against third parties.
Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
SSDP server was identified.
We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.
If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.
Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.
This is an automatically generated message. Replies to the
sender address <firstname.lastname@example.org NOT be read
but silently be discarded. In case of questions, please contact
<email@example.com keep the ticket number [CB-Report#...]
of this message in the subject line.
!! Please make sure to consult our HOWTOs and FAQ available at
Betroffene Systeme in Ihrem Netzbereich:
Affected systems on your network:
Format: ASN | IP address | Timestamp (UTC) | SSDP server
24940 | 18.104.22.168 | 2017-03-10 11:21:07 | Unix/22.214.171.124 UPnP/1.0 RSSDP/1.0
Mit freundlichen Gren / Kind regards
Bundesamt fr Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany
I found this post and disabled DLNA and GDM in Plex. That didn't work. I got the email again today.
allowedNetworks="127.0.0.1/255.255.255.255" GdmEnabled="0" DlnaEnabled="0"
List of services using UDP:
sudo lsof -i -n -P | grep UDP | more
memcached 1149 memcache 27u IPv4 15934 0t0 UDP 127.0.0.1:11211
memcached 1149 memcache 28u IPv4 15934 0t0 UDP 127.0.0.1:11211
memcached 1149 memcache 29u IPv4 15934 0t0 UDP 127.0.0.1:11211
memcached 1149 memcache 30u IPv4 15934 0t0 UDP 127.0.0.1:11211
Main 1343 kamos 36u IPv4 31747 0t0 UDP *:1900
Main 1343 kamos 37u IPv4 31748 0t0 UDP *:40841
Main 1343 kamos 42u IPv4 19015 0t0 UDP *:7359
Main 1343 kamos 43u IPv4 23066 0t0 UDP 127.0.0.1:40985
Main 1343 kamos 44u IPv4 23067 0t0 UDP 126.96.36.199:34907
Plex\x20M 10981 plex 70u IPv4 11380526 0t0 UDP *:1901
Plex\x20M 10981 plex 71u IPv4 11380527 0t0 UDP 188.8.131.52:33221
I can't figure out what the culprit might be. If there's someone else who has encountered this, I'd appreciate some help.