Saturday, October 16, 2021

Plex Media servers are being actively abused for DDoS attacks

Must Read

Sophos Informs customers of Information exposure after database misconfiguration

The company states that just a tiny subset of clients was affected.UK-based cyber-security seller Sophos is presently advising clients...

What is a Cyber Attack

A Cyberattack is an attack against a computer system, network infrastructure, and personal system using one or more computers...

Turkey launches a 3-year Cybersecurity Strategy and action plan

The Notice about the national cybersecurity plan and action plan was published on Tuesday together with the Signature of...

DDoS-for-hire services are actively abusing plex Media Server systems as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Cyber-security firm Netscout warns of new DDoS attack vectors.

The company’s alert comes to warn owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that’s usually used for video or audio streaming and multimedia asset management.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms and network-attached storage (NAS) devices, Docker containers, and more.

The app can be installed on regular web servers or usually ships with network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices.

PLEX MEDIA SERVERS PUNCH A HOLE IN ROUTER NATS

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers and redirected towards attackers’ targets.

The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.

“The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),”

According to Netscout, the amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to around 281 bytes before sending the packet to the victim.

PMSSDP DDoS mitigation

Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience “partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption.”

While filtering all traffic on UDP/32414 can mitigate such attacks, this could also cause legitimate traffic and connections to get blocked.

To mitigate such attacks, organizations can quarantine end-customer nodes exposed to attacks and filter UDP/32414 traffic on abusable nodes.

“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers,” Netscout added.

“It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.”

DHS-CISA guides how to avoid becoming a DDoS victim, how to detect DDoS attacks, and what measures to take while being DDoSed.

Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.

In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector.

ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.

27K+ PLEX MEDIA SERVERS ARE EXPOSED ON THE INTERNET

The security firm said it scanned the internet and found 27,000 Plex Media servers left exposed online to be abused for DDoS attacks.

Furthermore, some servers have already been abused. Netscout said that not only did it saw DDoS attacks using Plex Media servers, but that this vector is now becoming common.

“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.

a2434345d63481a40f0d145881b41013?s=96&d=mm&r=g
Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This