DDoS Services Use Plex Media Servers to Amplify Attacks

Unknown third parties now use Plex Media servers to launch reflection/amplification DDoS attacks, likely making regular users unwitting accomplices, according to new research. Until the Plex developers make the proper changes, only mitigation is possible.

DDoS attacks have long stopped being the sole purview of hackers with grudges. DDoS-as-a-service is now a booming illegal business that takes advantage of unsecured IoT devices and other hardware types to strike targets for money. It’s gotten so bad that it’s now possible to rent this service with just a few clicks.

Attackers figured out that the way Plex Media Server announces its presence on a network can be abused. Plex Media Server is an application that lets users set up their own streaming service, with support for all major platforms, including Windows, Linux, macOS, NAS devices, digital media players and much more.

After a user installs a Plex Media Server, the application starts to interrogate the local network to find compatible devices and other streaming clients. It also uses Simple Service Discovery Protocol (SSDP) probes to find routers with SSDP enabled. If the probe succeeds, Plex uses dynamic NAT forwarding and exposes the server to the Internet on UDP port 32414. This is where criminals can initiate reflection/amplification DDoS.

“To date, observed amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP/32414 on abusable broadband internet access routers directed towards the attack target(s),” said Netscout. “Each amplified response packet ranges from 52 bytes – 281 bytes in size, for an average amplification factor of ~4.68:1.”

“In order to differentiate this particular reflection/amplification DDoS attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification,” the company added.

Around 27,000 usable PMSSDP reflectors/amplifiers are active. Attackers only have to scan for open UDP/32414 ports to find them.
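As an added example (not from the article or from Netscout), this is the heuristic a network operator could run over flow records to spot PMSSDP reflection toward a victim: UDP traffic sourced from port 32414, many distinct sources converging on one destination, and response sizes within the 52-281 byte band the research reports. The flow records and IP addresses are constructed sample data.

```python
from collections import defaultdict
from typing import NamedTuple

PMSSDP_PORT = 32414              # UDP port Plex exposes through dynamic NAT forwarding
RESPONSE_SIZES = range(52, 282)  # 52-281 bytes per amplified response, as reported by Netscout

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int

def pmssdp_flows(flows):
    """Keep UDP flows sourced from 32414 whose mean packet size fits the response band."""
    return [f for f in flows
            if f.proto == "udp" and f.src_port == PMSSDP_PORT
            and f.packets and f.bytes // f.packets in RESPONSE_SIZES]

def detect_targets(flows, min_reflectors=3):
    """Group reflected flows by destination; report targets hit by >= min_reflectors sources."""
    by_dst = defaultdict(list)
    for f in pmssdp_flows(flows):
        by_dst[f.dst_ip].append(f)
    report = {}
    for dst, fl in by_dst.items():
        reflectors = {f.src_ip for f in fl}
        if len(reflectors) >= min_reflectors:   # one reflector alone is just a Plex server answering
            report[dst] = {"reflectors": len(reflectors),
                           "packets": sum(f.packets for f in fl),
                           "bytes": sum(f.bytes for f in fl)}
    return report

def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send (rounded ratio)."""
    return round(response_bytes / request_bytes, 2)

# Constructed sample flows (not captured traffic): five reflectors answering toward
# 203.0.113.7, one lone reflector toward 203.0.113.9, and two non-PMSSDP flows.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 32414, "203.0.113.7", 40000 + i, "udp", 10, 2810)
    for i in range(1, 6)
] + [
    Flow("198.51.100.50", 32414, "203.0.113.9", 41000, "udp", 1, 150),
    Flow("198.51.100.60", 53, "203.0.113.7", 42000, "udp", 4, 400),     # DNS, wrong source port
    Flow("198.51.100.70", 32414, "203.0.113.7", 43000, "tcp", 2, 300),  # TCP, not reflected SSDP
]
```

Running `detect_targets(SAMPLE_FLOWS)` flags only 203.0.113.7; the lone reflector toward 203.0.113.9 stays below the threshold, which keeps an ordinary Plex server answering a single client from being misreported.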

The company says a likely scenario involves ISPs cutting or limiting the Internet access of regular users who don’t know they are contributing to a DDoS attack. The first measure would be to require network operators to disable SSDP by default on the devices offered to customers.

Plex Inc., which makes the Plex Media Server, has yet to issue any statement on this matter. Technically, Plex is not doing anything wrong, so the solution to this issue will likely have to come from another direction.
