Cybercriminals Now Using Plex Media Servers to Amplify DDoS Attacks

A new distributed denial-of-service attack (DDoS) vector has ensnared Plex Media Server systems to amplify malicious traffic against targets to take them offline.

“Plex’s startup processes unintentionally expose a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks,” Netscout researchers said in a Thursday alert.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, as well as variants customized for special-purpose platforms such as network-attached storage (NAS) devices and digital media players. The desktop application organizes video, audio, and photos from a user’s library and from online services, allowing access to and stream the contents to other compatible devices.

DDoS attacks typically involve flooding a legitimate target with junk network traffic that comes from a large number of devices that have been corralled into a botnet, effectively causing bandwidth exhaustion and leading to significant service disruptions.

A DDoS amplification attack occurs when an attacker sends a number of specially-crafted requests to a third-party server that causes the server to respond with large responses to a victim. This is done by spoofing the source IP address to appear as if they are the victim instead of the attacker, resulting in traffic that overwhelms victim resources.

Thus when the third parties respond to the attacker’s request, the replies are routed to the server being targeted rather than the attacker device that sent the request.

Now according to Netscout, DDoS-for-hire services are weaponizing Plex Media Servers to beef up their attack infrastructure, providing an average amplification factor of about 4.68.

Plex makes use of Simple Service Discovery Protocol (SSDP) to scan other media devices and streaming clients, but this gives way to a problem when the probe locates an SSDP-enabled broadband internet access router, and in the process, exposes the Plex service registration responder directly on the Internet on UDP port 32414.

Making matters worse, the cybersecurity firm said it identified about 27,000 abusable servers on the Internet to date.

“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the Internet,” Netscout researchers Roland Dobbins and Steinthor Bjarnason said.

“This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.”

Netscout recommends network operators to filter traffic directed towards UDP/32414 and disable SSDP on operator-supplied broadband internet access equipment to mitigate the attack.

The development comes after Netscout, earlier this month, reported that Windows Remote Desktop Protocol (RDP) servers are being abused by DDoS-for-hire services as a reflection/amplification DDoS vector.