DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Mon Nov 03, 2014 1:11 pm
by derEremit
Today I got contacted by my hosting provider about an incoming DDOS:
"Dear Sir or Madam
Simple Service Discovery Protocol (SSDP) is a network protocol which
is used to search for UPnP appliances on the network. SSDP is generally
used over port 1900/udp.
During the past few months, systems which respond to SSDP requests
from the Internet have been increasingly misused for performing DDoS
reflection/amplification attacks.
In the course of the Shadowserver 'Open SSDP Scanning Project', systems
are identified which respond to SSDP requests from the Internet.
These systems may potentially be misused for carrying out DDoS attacks
if no other countermeasures have been implemented.
We are sending you the following list of affected systems in your net
area. The timestamp shows when the system was checked and when it
responded to an SSDP request from the Internet.
We kindly request that you examine the situation and take measures to
safeguard SSDP services on the systems concerned and inform your customers
accordingly."
My system was a completely new Ubuntu 14.04 with only Subsonic running.
What I'm now missing is a setting / startup switch to disable SSDP requests, or an explanation that it is recommended to set up a firewall if connected directly to the internet.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Tue Nov 04, 2014 4:35 am
by gurutech
Sounds like spam. Your ISP would generally address you by name, not "sir or madam".
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Tue Nov 04, 2014 1:26 pm
by derEremit
100% no SPAM!
The message I posted above was the one my hoster "Hetzner Germany" received from an abuse board. The mail I got was personalized.
And as I also said above, I can verify the open port 1900 by java. After stopping Subsonic my network traffic also dropped significantly.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Tue Nov 04, 2014 3:14 pm
by gurutech
I'd get a firewall/router if your computer is currently connected directly to the internet.
Port 1900 is used by Windows machines, but if you have Linux on your computer, then something else may be responding to the requests, like an Xbox 360 or something. And since you can't set a firewall on an Xbox, you will need a firewall/router to do this for you.
Subsonic itself doesn't use port 1900 at all, although UPNP does (which Subsonic can use.) You could disable this feature, especially if you don't have a router, but I'd recommend against it, and just spend the money for a router/firewall.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Tue Nov 04, 2014 10:25 pm
by derEremit
I'm not using a home PC but an online accessible server, as mentioned above.
Therefore I'd like to disable UPnP, but there's no setting I can find.
That was the reason for this thread.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Wed Nov 05, 2014 5:18 am
by alphawave7
derEremit wrote: I'm not using a home PC but an online accessible server, as mentioned above.
Therefore I'd like to disable UPnP, but there's no setting I can find.
That was the reason for this thread.
Have you asked your host to disable UPnP service on your server?
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Wed Nov 19, 2014 1:03 am
by pandiloko
Same here. Also hosting with Hetzner. I've installed CSF firewall
http://configserver.com/cp/csf.html and closed all ports but the "important" ones (ssh, http, https, etc).
But still looking forward to disabling that "discovery" service from Subsonic.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Wed Nov 26, 2014 6:55 pm
by derEremit
That was why I opened this thread.
Everyone who rents a server at Hetzner and installs Subsonic will get into this problem.
This HAS TO at least be mentioned in the install docs.
I would like to contact Sindre personally, but the only contact even a paying subscriber gets is this forum, at least to my knowledge!
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Thu Nov 27, 2014 4:06 am
by alphawave7
derEremit wrote: That was why I opened this thread.
Everyone who rents a server at Hetzner and installs Subsonic will get into this problem.
This HAS TO at least be mentioned in the install docs.
I would like to contact Sindre personally, but the only contact even a paying subscriber gets is this forum, at least to my knowledge!
Have you asked Hetzner to disable UPnP for you? If THEY have an issue with it, have them EARN their fee by providing you with a solution. Else MOVE your service to someone who doesn't nag you. If this truly was a real problem for them, THEY would rectify it themselves to protect their systems and clients, then notify you what and why they did it, or simply cancel your services. This has not been an issue for others doing what you are doing.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Thu Nov 27, 2014 2:26 pm
by derEremit
Did you read my first post?
The quote in my initial post was by a Spam-Abuse-Detection firm externally hired by Hetzner.
They were so kind to warn me that my server can be used to carry out spam attacks and asked me to investigate this.
Every hoster gets problems when their users' servers carry out DDoS attacks.
I'm a professional Linux admin, and am used to setting up services that are open to the world, aka the Internet.
But I have to know what ports a service opens or I get into exactly the problem I experienced.
From Subsonic I'd expected exactly two open ports (http, https).
First Step: Adaptation of the installation docs.
Second Step: Option to disable this service discovery, as it is not needed on a dedicated server in a datacenter.
And if you follow this thread, yes, there has been at least one other person.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Mon Dec 01, 2014 8:43 pm
by sindre_mehus
You can turn off DLNA/UPnP in Settings > DLNA.
Regards
Sindre
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Mon Dec 29, 2014 11:36 am
by aki7773
Hello,
same problem here, daily abuse mails.
I did turn that off and restarted Subsonic, but same effect: port 1900 is still active.
netstat -tulpe showed me that it is Subsonic that uses this port.
Please, is there a way to turn this UPnP thing off?
I must agree with derEremit, there must be an option to turn it off.
Re: DDOS due to subsonic opening 1900 / Help / Docs

Posted:
Fri Jan 30, 2015 12:10 am
by qupfer
aki7773 wrote:
Please, is there a way to turn this UPnP thing off?
Not really a solution but this should help to avoid abuse messages:
iptables -A INPUT -p udp --dport 1900 -j DROP
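
Added example, not part of the original thread or of Subsonic: a shell helper that reads `netstat -tulpen` output and reports every listener reachable from outside the host whose port is not on an allowlist, which is the check derEremit describes (expecting only known ports, finding 1900/udp). The sample output, the web port 4040 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpen` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          9012        812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      106        9500        990/mysqld
tcp6       0      0 :::4040                 :::*                    LISTEN      1000       23456       1501/java
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1000       23457       1501/java
EOF
}

# unexpected_listeners "<allowed ports>"  (netstat output on stdin)
# Prints "proto port pid/program" for each non-loopback listener whose port
# is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }            # skip banner and header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # TCP: listening sockets only
    {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host ~ /^127\./ || host == "::1") next   # loopback is not exposed
        if (port in ok) next
        # UDP rows have an empty State column, so locate the PID/Program
        # field by its shape instead of by position; names may contain spaces.
        prog = "-"
        for (i = 5; i <= NF; i++) if ($i ~ "^[0-9]+/") {
            prog = $i
            for (j = i + 1; j <= NF; j++) prog = prog " " $j
            break
        }
        print $1, port, prog
    }'
}

# Demo on the constructed sample; on a live host run as root:
#   netstat -tulpen | unexpected_listeners "22 80 443"
sample_netstat | unexpected_listeners "22 4040"
```

Any line it prints is a socket to close in the application or block at the firewall; run without root, netstat hides the owning process and the program column shows `-`.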