Plex Media servers actively abused to amplify DDoS attacks
Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers, which are redirected towards attackers' targets.

This junk traffic reflected onto victims' servers is sourced from Simple Service Discovery Protocol (SSDP) probes sent by Plex through the G’Day Mate (GDM) protocol for local network service discovery.

In January, Baidu Security Lab also reported observing DDoS attacks using Plex as an amplification vector.

According to a subsequent report from ZoomEye, not all Plex Media Server versions can be abused by attackers.

"After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem (although no relevant information has been seen in the plex official Security bulletin)," ZoomEye said.

Abused in single and multi-vector DDoS attacks

Attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP reflectors/amplifiers on the UDP/32414 port have an amplification ratio of ~4.68:1 and peak at ~3 Gbps.

However, as Netscout said, "multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps."

Attackers can exploit roughly 27,000 exposed devices running Plex Media Server to amplify and reflect DDoS traffic onto their targets' systems.

"It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services," Netscout added.

"The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers."

As regularly happens with newer DDoS attack vectors, PMSSDP has also been weaponized and is now actively used by booter/stresser DDoS-for-hire services.

These platforms are regularly used by pranksters or threat actors without the skills or time to invest in establishing their own DDoS attack infrastructure.

Booters' services are rented to launch large-scale DDoS attacks targeting servers or sites to trigger a denial of service that usually brings them down or disrupts online services.

PMSSDP DDoS mitigation

Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience "partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption."

While filtering all traffic on UDP/32414 can mitigate such attacks, this could also cause legitimate traffic and connections to get blocked.

To mitigate the impact of such attacks, organizations can quarantine end-customer nodes exposed to attacks and/or filter UDP/32414 traffic on abusable nodes.

"Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers," Netscout added.

"It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers."

DHS-CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, as well as on what measures to take while being DDoSed.

Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector.

ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.

Source: Plex Media servers actively abused to amplify DDoS attacks
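As an added example of the operator-side reconnaissance the article recommends (this is not code from the article, from Netscout or from Plex), the script below aggregates exported flow records per customer host and flags hosts that answer from UDP/32414 to many distinct Internet destinations with an out/in byte ratio near the reported ~4.68:1. The record layout, the 100.64.0.0/10 customer range, the packet sizes and the thresholds are constructed assumptions for illustration; the inbound "sources" are the spoofed victim addresses, which is why the same addresses reappear as the destinations of the responses.

```python
"""Flag likely PMSSDP (Plex UDP/32414) reflectors on an operator network.

Added illustration, not Netscout's or Plex's code.  The flow records, the
customer address range and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PMSSDP_PORT = 32414
# Assumed customer (CGNAT) range; in practice the operator's own prefixes.
CUSTOMER_NET = ip_network("100.64.0.0/10")

# Constructed NetFlow-style records: proto src sport dst dport packets bytes.
# 100.64.10.5 answers probes "from" three unrelated Internet hosts with
# ~262-byte replies to ~56-byte requests; 100.64.22.9 only answers one
# neighbour on the customer network (ordinary GDM discovery).
SAMPLE_FLOWS = """\
udp 203.0.113.9 53211 100.64.10.5 32414 40 2240
udp 100.64.10.5 32414 203.0.113.9 53211 40 10480
udp 198.51.100.77 4000 100.64.10.5 32414 38 2128
udp 100.64.10.5 32414 198.51.100.77 4000 38 9956
udp 192.0.2.200 41000 100.64.10.5 32414 45 2520
udp 100.64.10.5 32414 192.0.2.200 41000 45 11790
udp 100.64.22.8 49152 100.64.22.9 32414 1 56
udp 100.64.22.9 32414 100.64.22.8 49152 1 262
tcp 100.64.10.5 44321 203.0.113.9 443 12 3400
"""


@dataclass
class Flow:
    proto: str
    src: object
    sport: int
    dst: object
    dport: int
    packets: int
    nbytes: int


@dataclass
class HostStats:
    bytes_in: int = 0                      # bytes received on UDP/32414
    bytes_out: int = 0                     # bytes sent from UDP/32414
    external_dsts: set = field(default_factory=set)


def parse_flows(text):
    """Parse the whitespace-separated records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(proto, ip_address(src), int(sport), ip_address(dst),
                          int(dport), int(packets), int(nbytes)))
    return flows


def aggregate(flows):
    """Per customer host: bytes into and out of UDP/32414 and the set of
    Internet destinations its UDP/32414 responses were sent to."""
    stats = defaultdict(HostStats)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == PMSSDP_PORT and f.src in CUSTOMER_NET:
            s = stats[f.src]
            s.bytes_out += f.nbytes
            if f.dst not in CUSTOMER_NET:
                s.external_dsts.add(f.dst)
        elif f.dport == PMSSDP_PORT and f.dst in CUSTOMER_NET:
            stats[f.dst].bytes_in += f.nbytes
    return stats


def find_reflectors(text, min_external_dsts=3, min_ratio=2.0):
    """Return {host: (distinct Internet destinations, out/in byte ratio)} for
    hosts whose UDP/32414 traffic looks like reflection.  The thresholds are
    deliberately low for this small sample; tune them on real data."""
    found = {}
    for host, s in aggregate(parse_flows(text)).items():
        ratio = s.bytes_out / s.bytes_in if s.bytes_in else float("inf")
        if len(s.external_dsts) >= min_external_dsts and ratio >= min_ratio:
            found[str(host)] = (len(s.external_dsts), round(ratio, 2))
    return found


if __name__ == "__main__":
    for host, (fanout, ratio) in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: {fanout} Internet destinations, {ratio}:1 out/in "
              f"-> candidate for quarantine or UDP/32414 filtering")
```

The fan-out check is what separates a reflector from a host that merely has Plex installed: a server answering a single LAN neighbour (100.64.22.9 above) has the same byte ratio but no Internet destinations, so it is not listed, which keeps the blanket-filtering side effect the article warns about out of the quarantine list.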

This is scary... I am immediately going to check settings for my Plex Server.

I expected the article to also share some tips/solutions on how to avoid the use of your device for these DDoS attacks... not there though!

Cybercriminals Now Using Plex Media Servers to Amplify DDoS Attacks

A new distributed denial-of-service attack (DDoS) vector has ensnared Plex Media Server systems to amplify malicious traffic against targets to take them offline.

"Plex's startup processes unintentionally expose a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks," Netscout researchers said in a Thursday alert.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, as well as variants customized for special-purpose platforms such as network-attached storage (NAS) devices and digital media players. The desktop application organizes video, audio, and photos from a user's library and from online services, allowing users to access and stream the contents on other compatible devices.

DDoS attacks typically involve flooding a legitimate target with junk network traffic that comes from a large number of devices that have been corralled into a botnet, effectively causing bandwidth exhaustion and leading to significant service disruptions.

A DDoS amplification attack occurs when an attacker sends a number of specially crafted requests to a third-party server, causing the server to send large responses to a victim. This is done by spoofing the source IP address so that the requests appear to come from the victim instead of the attacker, resulting in traffic that overwhelms the victim's resources.

Thus, when the third parties respond to the attacker's request, the replies are routed to the server being targeted rather than to the attacker's device that sent the request.

Now, according to Netscout, DDoS-for-hire services are weaponizing Plex Media Servers to beef up their attack infrastructure, providing an average amplification factor of about 4.68.

Plex makes use of Simple Service Discovery Protocol (SSDP) to scan for other media devices and streaming clients, but this gives way to a problem when the probe locates an SSDP-enabled broadband internet access router, and in the process, exposes the Plex service registration responder directly on the Internet on UDP port 32414.

Making matters worse, the cybersecurity firm said it identified about 27,000 abusable servers on the Internet to date.

"The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the Internet," Netscout researchers Roland Dobbins and Steinthor Bjarnason said.

"This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption."

Netscout recommends that network operators filter traffic directed towards UDP/32414 and disable SSDP on operator-supplied broadband internet access equipment to mitigate the attack.

The development comes after Netscout, earlier this month, reported that Windows Remote Desktop Protocol (RDP) servers are being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

Source
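The reflection mechanism described above (spoofed victim source, response from UDP/32414 sent to the victim) is why the filtering advice needs scope: a blanket block of UDP/32414 stops the reflected responses but also breaks Plex's own LAN discovery, the side effect the first article notes, while a direction-aware rule allows discovery between LAN hosts and drops only probes from, and responses to, the Internet. The following added example (mine, not Netscout's or Plex's code) evaluates both policies against constructed packets and renders the scoped policy as an nftables ruleset for the Plex host itself; the 192.168.1.0/24 LAN, the server address, the broadcast discovery address, the ports other than 32414 and the packet set are assumptions.

```python
"""Blanket versus scoped filtering of Plex's UDP/32414 (GDM/SSDP) responder.

Added illustration, not Netscout's or Plex's code.  The LAN prefix, the
packet set and the nftables rendering are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PMSSDP_PORT = 32414
LAN = ip_network("192.168.1.0/24")      # assumed home LAN behind the CPE
PLEX = "192.168.1.10"                   # assumed Plex Media Server address


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    legit: bool      # True for traffic the owner wants to keep working


# Constructed packets.  The Internet probe carries a spoofed source (the
# victim's address), so the responder's reply is reflected onto the victim.
SAMPLE_PACKETS = [
    Packet("lan_discovery_probe", "udp", "192.168.1.20", 32412,
           "192.168.1.255", PMSSDP_PORT, legit=True),
    Packet("lan_discovery_reply", "udp", PLEX, PMSSDP_PORT,
           "192.168.1.20", 32412, legit=True),
    Packet("plex_stream", "tcp", "192.168.1.20", 51000, PLEX, 32400, legit=True),
    Packet("spoofed_internet_probe", "udp", "203.0.113.9", 53211,
           PLEX, PMSSDP_PORT, legit=False),
    Packet("reflected_response", "udp", PLEX, PMSSDP_PORT,
           "203.0.113.9", 53211, legit=False),
]


def blanket_policy(p):
    """Drop every UDP/32414 packet regardless of direction."""
    if p.proto == "udp" and PMSSDP_PORT in (p.sport, p.dport):
        return "drop"
    return "accept"


def scoped_policy(p):
    """Allow UDP/32414 only between LAN addresses; drop probes arriving
    from outside the LAN and responses leaving for the Internet."""
    if p.proto != "udp" or PMSSDP_PORT not in (p.sport, p.dport):
        return "accept"
    if ip_address(p.src) in LAN and ip_address(p.dst) in LAN:
        return "accept"
    return "drop"


def collateral(policy, packets=SAMPLE_PACKETS):
    """Names of legitimate packets the policy would drop."""
    return [p.name for p in packets if p.legit and policy(p) == "drop"]


def reflections_blocked(policy, packets=SAMPLE_PACKETS):
    """True if every reflection-related (non-legitimate) packet is dropped."""
    return all(policy(p) == "drop" for p in packets if not p.legit)


def scoped_nft_rules(lan=LAN):
    """Render the scoped policy as an nftables ruleset for the Plex host
    (assumed syntax; IPv4 only, the LAN prefix is a parameter)."""
    return f"""table inet plex_gdm {{
    chain input {{
        type filter hook input priority 0; policy accept;
        ip saddr {lan} udp dport {PMSSDP_PORT} accept
        udp dport {PMSSDP_PORT} drop
    }}
    chain output {{
        type filter hook output priority 0; policy accept;
        ip daddr {lan} udp sport {PMSSDP_PORT} accept
        udp sport {PMSSDP_PORT} drop
    }}
}}
"""


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_policy), ("scoped", scoped_policy)):
        print(f"{name}: reflections blocked={reflections_blocked(policy)}, "
              f"legitimate traffic broken={collateral(policy)}")
    print(scoped_nft_rules())
```

Both policies stop the reflected response, but only the scoped one leaves the LAN discovery probe and reply alone; the output-chain rule is the important one for the reflection case, because it drops the response even if a UPnP port mapping has already let the probe in.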
