ProLiant Servers - Netservers

How do I disable SSDP ( UPnP - UDP port 1900 ) on my HPE iLo5 card - it is being abused in DDoS

 
Chris_Drake
Advisor


SSDP DDoS reflection attackers are abusing my iLo5 open port 1900 - but I cannot find anyplace in the settings (fw2.33) to turn that off (which makes me very angry, because that is advertising my PRIVATE services and ports to the whole world too!).

I do NOT want or use UPnP or SSDP at all.

How do we disable this?

ksram
HPE Pro


Hi Chris,

Good day!

We understand your concern, and upon checking the iLO User Guide we see that you can disable multicast options to get this sorted.

Page: https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us (Page 125)

"Configure the network to allow multicast traffic (UDP port 1900) and direct HTTP (TCP default port 80) communication between iLO systems"

We would request you to go through the document, esp. the pointers with Multicast, to get more information and also to make the desired settings.

Thank you

RamKS


I work for HPE


Chris_Drake
Advisor


That quote refers to the NETWORK (switches and routers attached to the iLo) - it does not refer to the iLo itself.

It DOES confirm however, that there appear to be NO settings at all to allow this to be turned off.  See table on page 319: "port 1900" has "N/A" in the column for where in the web interface this would be controlled or disabled.

How do we escalate this issue to your security team so that a patch enabling this unwanted feature to be disabled can be issued?

KevinSpringPM
HPE Pro


Have you tried disabling iLO federation and multicast discovery? Also as a best practice, iLO ports should never be internet facing.

I'm an HPE Product Manager


Chris_Drake
Advisor


Awesome - that seems to have closed the port.

You need to fix your manual ( https://support.hpe.com/hpesc/public/docDisplay?docId=a00105236en_us ) - page 319, search for port "1900" and the table which says there is no web menu option available ("Location in iLo web interface") to turn off that port, and change the "N/A" entry to "iLo Federation -> Setup".

You probably also need to send out an advisory to all customers - This was reported to me by a government authority who are working to remove the DDoS threat that this open port poses.

It's probably also worth considering the "best practice" for all unused/unwanted services - do not enable them by default.
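
To confirm from outside that UDP port 1900 stopped answering after iLO Federation and multicast discovery were disabled, as the thread reports, the following added example (not from the thread or from HPE) sends a single unicast SSDP M-SEARCH to an iLO address you administer and reports whether any SSDP reply came back. The function names `build_msearch` and `probe_ssdp` are hypothetical, and the default address is a documentation placeholder.

```python
import socket
import sys


def build_msearch(host: str, port: int = 1900) -> bytes:
    """Standard SSDP discovery request, addressed to one host (unicast)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        'MAN: "ssdp:discover"\r\n'
        "MX: 1\r\n"
        "ST: ssdp:all\r\n"
        "\r\n"
    ).encode("ascii")


def probe_ssdp(host: str, port: int = 1900, timeout: float = 2.0) -> dict:
    """Send one M-SEARCH and collect SSDP replies until the timeout expires."""
    request = build_msearch(host, port)
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() on UDP lets an ICMP port-unreachable surface as an error
        sock.connect((host, port))
        try:
            sock.send(request)
            while True:
                data = sock.recv(65535)
                if data.startswith(b"HTTP/1.1 200"):
                    replies.append(data)
        except (socket.timeout, ConnectionError):
            pass  # silence or port-unreachable: no (more) replies
    return {
        "answers": bool(replies),
        "replies": len(replies),
        "request_bytes": len(request),
        "reply_bytes": sum(len(r) for r in replies),
    }


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass your own iLO address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = probe_ssdp(target)
    print(target, result)
    # "answers": False means no SSDP reply was seen; a firewall dropping the
    # packet looks the same, so run this from the network that was exposed.
    sys.exit(1 if result["answers"] else 0)
```

Run it before and after changing the iLO Federation settings; the exit status is 1 while the iLO still answers SSDP and 0 once it is silent.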