Hackers abuse Plex Media servers for DDoS amplification attacks

Netscout experts warn of DDoS-for-hire services abusing Plex Media servers to bounce junk traffic and amplify DDoS attacks.

Security researchers from Netscout discovered DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems. Plex Media Server is also used in network-attached storage (NAS) devices, external RAID storage units, digital media players, and so on.

Upon startup, systems running the Plex Media Server app is will start scanning the local network for other UPnP gateways on broadband internet access routers via the Simple Service Discovery Protocol (SSDP).

Upon finding a local router with SSDP support enabled, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service online through the UDP port 32414.

The servers exposed online could be abused to reflect/amplify DDoS attacks each response packet ranges from 52 bytes – 281 bytes in size, allowing the attacker to obtain an average amplification factor of ~4.68:1.

“In order to differentiate this particular reflection/amplification DDoS attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification. Approximately 27,000 abusable PMSSDP reflectors/amplifiers have been identified, to date.” reads the advisory published by Netscout.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps.”

In a real attack scenario, hackers only have to scan the internet for devices with the UDP port 32414 enabled.

Netscout researchers found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks. Experts pointed out that some of these servers have already been abused in attacks in the wild, unfortunately, this attack technique is becoming common, especially for DDoS-for-hire services.

“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the internet. This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.” concludes the report.

“Wholesale filtering of all UDP/32414-sourced traffic by network operators may potentially overblock legitimate internet traffic.” 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Plex Media)

[adrotate banner=”5″]

[adrotate banner=”13″]