Plex Media Server Abused for DDoS Attacks
Malicious actors have been abusing Plex Media Server to amplify distributed denial-of-service (DDoS) attacks, according to application and network performance management company Netscout.
A popular personal media library and streaming solution, Plex Media Server can be used on Windows, macOS, and Linux systems, to stream content, including that from network-attached storage (NAS) devices, RAID storage, and the like.
Plex typically searches the local network for compatible media devices and streaming clients. The issue, Netscout researchers explain, appears when, at launch, the application locates UPnP gateways on broadband Internet access routers with the Simple Service Discovery Protocol (SSDP) enabled.
Once it has identified an UPnP gateway, Plex attempts to set dynamic NAT forwarding rules on the router, which results in a Plex UPnP-enabled service registration responder becoming exposed to the Internet, thus enabling DDoS reflection and amplification.
To differentiate it from the typical SSDP reflection/amplification method, the new abuse technique has been called Plex Media SSDP (PMSSDP). More than 27,000 abusable PMSSDP reflectors/amplifiers were identified.
The amplified PMSSDP DDoS attack traffic that has been observed so far consists of SSDP HTTP/U responses on UDP port 32414. With the amplified response packet in the 52–281 bytes range, the average amplification factor is of approximately 4.68:1, the researchers explain.
“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps,” Netscout notes.
The researchers also warn that DDoS-for-hire services have added PMSSDP to their arsenal and say that both single- and multi-vector reflection/amplification attacks that abuse PMSSDP have increased in incidence since November of 2020.
The abuse of PMSSDP for DDoS reflection or amplification can also impact broadband Internet providers and their customers. Disabling SSDP on broadband Internet access routers should prevent abuse.
“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers. It is strongly recommended that SSDP be disabled by default on operator-supplied broadband internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers,” Netscout says.