Hetzner Abuse Message

I got the following email from Hetzner:

Dear Sir or Madam,

the Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP uses port 1900/udp.

Over the past months, systems responding to SSDP requests from
anywhere on the Internet have been increasingly abused for DDoS
reflection attacks against third parties.

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
SSDP server was identified.

We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:

This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.

Please note:
This is an automatically generated message. Replies to the
sender address <[email protected]> will NOT be read
but silently be discarded. In case of questions, please contact
<[email protected]> and keep the ticket number [CB-Report#…]
of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!! <https://reports.cert-bund.de/en/first.


Affected systems on your network:

Format: ASN | IP address | Timestamp (UTC) | SSDP server
24940 | | 2017-03-10 11:21:07 | Unix/ UPnP/1.0 RSSDP/1.0

Kind regards
Team CERT-Bund

Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany

I found this post and disabled DLNA and GDM in Plex. That didn’t work. I got the email again today.

Plex Preferences:
allowedNetworks="" GdmEnabled="0" DlnaEnabled="0"

List of services using UDP:

[kamos@Ubuntu-1604-xenial-64-minimal]:(340.2Mb)~$ sudo lsof -i -n -P | grep UDP | more
memcached 1149 memcache 27u IPv4 15934 0t0 UDP
memcached 1149 memcache 28u IPv4 15934 0t0 UDP
memcached 1149 memcache 29u IPv4 15934 0t0 UDP
memcached 1149 memcache 30u IPv4 15934 0t0 UDP
Main 1343 kamos 36u IPv4 31747 0t0 UDP *:1900
Main 1343 kamos 37u IPv4 31748 0t0 UDP *:40841
Main 1343 kamos 42u IPv4 19015 0t0 UDP *:7359
Main 1343 kamos 43u IPv4 23066 0t0 UDP
Main 1343 kamos 44u IPv4 23067 0t0 UDP
Plex\x20M 10981 plex 70u IPv4 11380526 0t0 UDP *:1901
Plex\x20M 10981 plex 71u IPv4 11380527 0t0 UDP

I can’t figure out what the culprit might be. If there’s someone else who has encountered this, I’d appreciate some help.

The problem is not UDP but DLNA.

ps -edf |grep DLNA |grep -v grep

Plex\x20M 10981 plex 70u IPv4 11380526 0t0 UDP *:1901

Block port 1900 & 1901 in your firewall

For reference:

I always turn off the DLNA and GDM discovery options in Plex, in the network and DLNA tabs. I have been using Hetzner for 1 year with no emails like this.

I disabled DLNA and GDM in Plex.

I did a little more digging and found that it was Emby. DLNA was enabled, just disabled it and resolved this one: Main 1343 kamos 36u IPv4 31747 0t0 UDP *:1900
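The check that settled this thread (which process holds UDP 1900/1901 on a public address) can be scripted against `lsof` output. The script below is an added example, not something posted by a participant. The function names, the `SSDP_PORTS` variable, the use of iptables and the sample listing are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): spot UDP sockets on the SSDP ports that
# are reachable from outside. Expected lsof columns:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# Port list is an assumption based on the thread's "block 1900 & 1901" advice.
SSDP_PORTS="${SSDP_PORTS:-1900 1901}"

# stdin: output of `lsof -i UDP -n -P`; stdout: "command pid user port" for
# each socket bound to an SSDP port on a non-loopback address.
ssdp_listeners() {
  awk -v ports="$SSDP_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $8 == "UDP" && NF >= 9 {
      name = $9; sub(/->.*/, "", name)        # drop the peer of a connected socket
      port = name; sub(/.*:/, "", port)       # text after the last colon
      addr = name; sub(/:[^:]*$/, "", addr)   # text before the last colon
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not exposed
      if (seen[$2 ":" port]++) next           # one line per process and port
      print $1, $2, $3, port
    }'
}

# Prints (does not run) one DROP rule per exposed port. iptables is an assumed
# firewall; the thread does not say which one the host uses. -A appends, so an
# earlier ACCEPT rule for the same traffic would still win.
block_rules() {
  ssdp_listeners | awk '!seen[$4]++ {
    print "iptables -A INPUT -p udp --dport " $4 " -j DROP" }'
}

# Constructed sample modelled on the listing in the thread; the NAME value for
# memcached and the whole "ssdpd" line are made up for illustration.
sample_lsof() {
  cat <<'EOF'
COMMAND     PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
memcached  1149 memcache  27u  IPv4    15934      0t0  UDP 127.0.0.1:11211
Main       1343    kamos  36u  IPv4    31747      0t0  UDP *:1900
Main       1343    kamos  42u  IPv4    19015      0t0  UDP *:7359
Plex\x20M 10981     plex  70u  IPv4 11380526      0t0  UDP *:1901
ssdpd      2001     root   5u  IPv4    40000      0t0  UDP 127.0.0.1:1900
EOF
}

sample_lsof | ssdp_listeners
sample_lsof | block_rules
```

On a live host, pipe `sudo lsof -i UDP -n -P` into `ssdp_listeners` instead of the sample. Disabling DLNA in the application that owns the socket, as was done here for Emby, removes the listener itself, while the firewall rule only hides it.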

Can I fix this just by turning DLNA off in the Plex web GUI?

Yes, I also turn off GDM discovery in the network options for good measure.

Do I just run this?
allowedNetworks="" GdmEnabled="0" DlnaEnabled="0"

I have no idea, I have only ever unchecked the boxes in the Plex settings.

Where is the GDM discovery in Plex? I can’t find it.

It's in the network options.

Enable local network discovery (GDM)
This enables the media server to discover other servers and players on the local network.

Found it, thanks.