[BreachExchange] Plex Media Server Abused for DDoS Attacks

[Destry Winant]

https://www.securityweek.com/plex-media-server-abused-ddos-attacks

Malicious actors have been abusing Plex Media Server to amplify
distributed denial-of-service (DDoS) attacks, according to application
and network performance management company Netscout.

A popular personal media library and streaming solution, Plex Media
Server can be used on Windows, macOS, and Linux systems, to stream
content, including that from network-attached storage (NAS) devices,
RAID storage, and the like.

Plex typically searches the local network for compatible media devices
and streaming clients. The issue, NETSCOUT researchers explain,
appears when, at launch, the application locates UPnP gateways on
broadband Internet access routers with the Simple Service Discovery
Protocol (SSDP) enabled.

Once it has identified an UPnP gateway, Plex attempts to set dynamic
NAT forwarding rules on the router, which results in a Plex
UPnP-enabled service registration responder becoming exposed to the
Internet, thus enabling DDoS reflection and amplification.

To differentiate it from the typical SSDP reflection/amplification
method, the new abuse technique has been called Plex Media SSDP
(PMSSDP). More than 27,000 abusable PMSSDP reflectors/amplifiers were
identified.

The amplified PMSSDP DDoS attack traffic that has been observed so far
consists of SSDP HTTP/U responses on UDP port 32414. With the
amplified response packet in the 52–281 bytes range, the average
amplification factor is of approximately 4.68:1, the researchers
explain.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks
to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10
vectors) and omni-vector (11 or more vectors) attacks incorporating
PMSSDP range from the low tens of Gbps up to 218 Gbps,” Netscout
notes.

The researchers also warn that DDoS-for-hire services have added
PMSSDP to their arsenal and say that both single- and multi-vector
reflection/amplification attacks that abuse PMSSDP have increased in
incidence since November of 2020.

The abuse of PMSSDP for DDoS reflection or amplification can also
impact broadband Internet providers and their customers. Disabling
SSDP on broadband Internet access routers should prevent abuse.

“Network operators should perform reconnaissance to identify abusable
PMSSDP reflectors/amplifiers on their networks and/or the networks of
their customers. It is strongly recommended that SSDP be disabled by
default on operator-supplied broadband internet access CPE, and that
guidance on disabling SSDP on common CPE makes/models be supplied to
end-customers,” NETSCOUT says.

NETSCOUT did not warn Plex of the issue prior to public disclosure,
but the company is now preparing a simple patch to increase the
protection of accidentally exposed servers, a Plex spokesperson told
SecurityWeek via email.

“This issue appears to be limited to a small number of media server
owners who have misconfigured their firewalls by allowing UDP traffic
on device-discovery ports from the public internet to reach their
servers, and our current understanding is that it does not allow an
attacker to compromise any Plex user's device security or privacy,”
the spokesperson added.