Plex media servers actively scanned and used to amplify DDoS attacks
Plex-based media servers can be abused for DDoS attacks. DDoS-for-hire services found on the web have now set their sights on Plex servers because they can abuse SSDP (Simple Service Discovery Protocol).
Netscout reports that the Plex Media Server app creates a new network address translation (NAT) entry on your local internet router that allows the media server's SSDP protocol to directly access the internet through UDP port 32414. Attackers simply have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.
"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population," the company said.
Using the SSDP protocol over this UDP port of a router is an interesting route for cybercriminals to detect, access, and subsequently use media servers running the Plex Media Server app to feed DDoS attacks. Attackers only need to search the internet for devices that have UDP port 32414 open and can then take over the device, as simple as that.
Netscout says 27,000 vulnerable Plex servers have already been detected and can be used to carry out a DDoS attack. In addition, Netscout is convinced that DDoS attacks via these servers will become increasingly common, as they are already being added to botnets.
Plex just posted the following statement:
The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.
Meanwhile, if you run Plex on an autoconfigured NAS, it would be wise to check your router and close UDP port 32414 (if it is open at all).
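The router check suggested above can be scripted. The following is an added example (not from the article, Netscout or Plex) that parses a router port-mapping listing and flags UDP forwards involving port 32414; it assumes the listing follows the layout printed by miniupnpc's `upnpc -l`, and the sample listing, hosts and function names are constructed for illustration.

```python
import re

# Constructed sample: a port-mapping listing in the style of `upnpc -l`
# (index, protocol, external port -> internal host:port, description,
# remote host, lease time). Hosts and descriptions are made up.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 32400->192.168.1.20:32400 'Plex Media Server' '' 0
 1 UDP 32414->192.168.1.20:32414 'Plex Media Server' '' 0
 2 UDP 51820->192.168.1.30:51820 'vpn' '' 3600
 3 UDP 40000->192.168.1.20:32414 'remapped' '' 0
 4 TCP 32414->192.168.1.20:32414 'tcp only' '' 0
"""

# The article names UDP 32414 as the port abused for amplification.
RISKY_UDP_PORTS = {32414}

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ext>\d+)->(?P<host>[\d.]+):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Return one dict per mapping line; header and noise lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"],
                "external_port": int(m["ext"]),
                "internal_host": m["host"],
                "internal_port": int(m["int"]),
                "description": m["desc"],
            })
    return mappings

def find_exposed_discovery_ports(listing, risky_ports=RISKY_UDP_PORTS):
    """Flag UDP forwards whose external or internal port is a risky port.

    Checking the internal port too catches forwards that were remapped to a
    different external port number.
    """
    return [
        m for m in parse_mappings(listing)
        if m["proto"] == "UDP"
        and (m["external_port"] in risky_ports or m["internal_port"] in risky_ports)
    ]

if __name__ == "__main__":
    for m in find_exposed_discovery_ports(SAMPLE_LISTING):
        print(f"close this forward: UDP {m['external_port']} -> "
              f"{m['internal_host']}:{m['internal_port']} ({m['description']})")
```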
Junior Member
Posts: 19
Joined: 2014-03-27
LOL. Plex has released a new version to prevent DDoS attacks, what a joke. Check the release notes
StSimm1 Plex Employee
3d
Plex Media Server 1.21.3.4015 is now available to Plex Pass users in the Beta update channel.
Plex Media Server 1.21.3.4014 is now available to everyone.
FIXES:
(Security) Mitigate against potential DDoS amplification by only responding to UDP requests from LAN
Senior Member
Posts: 570
Joined: 2020-04-28
Always use this site every few ~days. Lots of folks claim he is a fraud, but his tool is simple to use and works, and he was alerting the public to the dangers of UPnP many, many years ago.
https://www.grc.com/x/ne.dll?rh1dkyd2
Senior Member
Posts: 2212
Joined: 2018-01-03
Always use this site every few ~days. Lots of folks claim he is a fraud, but his tool is simple to use and works, and he was alerting the public to the dangers of UPnP many, many years ago.
https://www.grc.com/x/ne.dll?rh1dkyd2
Yeah I'd posted it two posts up.
Senior Member
Posts: 570
Joined: 2020-04-28
Doh!
Senior Member
Posts: 2212
Joined: 2018-01-03
Can also use the old GRC shields up
https://www.grc.com/default.htm