DDoS-for-hire services are exploiting Plex Media flaw to amplify their attacks

Cybercriminals who hire themselves out for DDoS (Distributed Denial of Service) campaigns are beefing up their attacks by abusing a popular media library tool.

In an alert published Wednesday, network monitoring firm Netscout warned of an exploit against Plex Media Server, a media library and streaming system that runs on a variety of platforms, including Windows, macOS, and Linux as well as on such hardware as NAS devices, RAID units, and digital media players.

As part of its normal operation, Plex scans a local network using a protocol known as G’Day Mate (GDM) in order to find other supported media devices and streaming clients. The system also uses Simple Service Discovery Protocol (SSDP) probes to track down Universal Plug and Play (UPnP) gateways on broadband internet routers that have SSDP enabled.

When Plex discovers a UPnP gateway, it attempts to use NAT Port Mapping Protocol to implement dynamic NAT forwarding rules on the router. Herein lies the problem.

This process exposes a Plex UPnP-enabled service registration responder to the general internet, according to Netscout. By doing so, Plex can then be exploited to reflect and amplify DDoS attacks. Netscout said that it found amplified Plex Media SSDP (PMSSDP) DDoS attack traffic on abused broadband internet access routers directed towards several targets.

SEE: Distributed denial of service (DDoS) attacks: A cheat sheet (Free PDF) (TechRepublic)  

Overall, around 27,000 abusable PMSSDP reflectors and amplifiers have been identified. As a result, PMSSDP has essentially been weaponized by DDoS-for-hire services.

“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the internet,” Netscout said in its advisory. “This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.”

Netscout is advising network operators to scan for abusable PMSSDP reflectors/amplifiers on their networks and the networks of their customers. From there, operators should disable SSDP by default on their broadband internet access equipment and provide customers with the steps for disabling it on their end as well.

As a matter of general advice, organizations should also ensure that their network and infrastructure are protected against DDoS attacks. This means all internet-facing systems. Netscout said that in some cases it has seen organizations that protected obvious systems this way but neglected to also protect DNS servers, application servers, and critical systems, still leaving them vulnerable to attack.

On a more permanent basis, Plex is working to patch the vulnerability itself.

“The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it,” said a Plex spokesperson.

“This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user’s device security or privacy,” the spokesperson explained. “Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see