DDoS-for-hire services are actively abusing Plex Media Server systems as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.
Cyber-security firm Netscout warns of new DDoS attack vectors.
The company’s alert warns owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that is typically used for video or audio streaming and multimedia asset management.
Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms and network-attached storage (NAS) devices, Docker containers, and more.
The app can be installed on regular web servers, but it usually ships pre-installed on network-attached storage (NAS) systems, digital media players, or other multimedia-streaming IoT devices.
PLEX MEDIA SERVERS PUNCH A HOLE IN ROUTER NATS
Netscout says that the amplified PMSSDP DDoS attacks observed since November 2020 abuse SSDP HTTP/U responses on UDP/32414 from exposed broadband Internet access routers, redirecting them towards the attackers’ targets.
The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.
“The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),” Netscout said.
According to Netscout, the amplification factor is around 4.68, with a Plex Media Server amplifying incoming PMSSDP packets from 52 bytes to around 281 bytes before sending the response to the victim.
PMSSDP DDOS MITIGATION
Broadband Internet access operators with PMSSDP reflectors/amplifiers exposed on their networks by customers can experience “partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access, distribution, aggregation, core, peering, or transit link capacity consumption.”
While filtering all traffic on UDP/32414 can mitigate such attacks, this could also cause legitimate traffic and connections to get blocked.
To mitigate such attacks, operators can quarantine the abusable end-customer nodes and filter UDP/32414 traffic to and from those nodes rather than across the whole network.
“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers,” Netscout added.
“It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.”
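The reconnaissance and targeted filtering Netscout recommends both start from the same question: which hosts on the operator's network are emitting UDP/32414 replies, and where are those replies landing? The script below is an added example, not code from Netscout or Plex; it runs over constructed flow records (the CSV layout is an assumption, adapt it to your collector's export) and reports, per victim, the customer hosts acting as PMSSDP reflectors so they can be quarantined or filtered individually.

```python
"""Flag PMSSDP (UDP/32414) reflection traffic in flow records.

Added example, not code from Netscout or Plex. The record layout
(src,sport,dst,dport,proto,bytes,pkts) is an assumption; adapt it to
your flow collector's export format.
"""
from collections import defaultdict

PMSSDP_PORT = 32414   # port Plex Media Server opens via the router's NAT rule

# Constructed sample flows: three customer Plex hosts (198.51.100.0/24)
# answer spoofed probes, so their replies land on the victim 203.0.113.10.
# The last two rows are one legitimate probe/response pair between 192.0.2.x.
SAMPLE_FLOWS = """\
198.51.100.5,32414,203.0.113.10,80,udp,28100,100
198.51.100.9,32414,203.0.113.10,80,udp,56200,200
198.51.100.23,32414,203.0.113.10,80,udp,14050,50
192.0.2.7,32414,192.0.2.8,51000,udp,281,1
192.0.2.8,51000,192.0.2.7,32414,udp,52,1
"""


def parse_flows(text):
    """Turn CSV lines into dicts; blank or malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        src, sport, dst, dport, proto, nbytes, pkts = parts
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower(),
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def find_reflection_targets(flows, min_reflectors=3):
    """Return {victim: {"reflectors": set, "bytes": int}} for destinations
    receiving UDP replies sourced from port 32414 by >= min_reflectors hosts.
    A single reply is normal Plex discovery; many distinct sources converging
    on one destination is the reflection signature."""
    by_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == PMSSDP_PORT:
            by_dst[f["dst"]]["reflectors"].add(f["src"])
            by_dst[f["dst"]]["bytes"] += f["bytes"]
    return {d: v for d, v in by_dst.items()
            if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for victim, info in find_reflection_targets(parse_flows(SAMPLE_FLOWS)).items():
        print(victim, sorted(info["reflectors"]), info["bytes"], "bytes")
```

The `reflectors` set for each victim is the list of customer nodes to quarantine or rate-limit on UDP/32414; raising `min_reflectors` trades sensitivity for fewer false positives on busy networks.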
DHS-CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, and what measures to take while under a DDoS attack.
Earlier this month, Netscout reported that Windows Remote Desktop Protocol (RDP) servers are now also being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.
In 2019, Netscout also detected DDoS attacks abusing the macOS Apple Remote Management Service (ARMS) as an amplification vector.
ARMS-abusing DDoS attacks observed at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.
27K+ PLEX MEDIA SERVERS ARE EXPOSED ON THE INTERNET
The security firm said it scanned the internet and found 27,000 Plex Media Servers exposed online that could be abused for DDoS attacks.
Furthermore, some servers have already been abused. Netscout said that not only did it see DDoS attacks using Plex Media Servers, but that this vector is now becoming common.
“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.