Plex media servers actively scanned and used to amplify DDoS attacks

Media servers based on PLEX can be used for DDOS attacks. DDoS-for-hire services you can find on the web have now pointed their eyes on PLEX servers because they can abuse the SSDP (Simple Service Discovery) protocol.

Netscout reports that the Plex Media Server app creates a new 'network address translation' line at your local Internet router that allows the media server's SSDP protocol to directly access the Internet through udp port 32414. Attackers simply have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.

"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population," the company said.

Using the SSDP protocol over this UDP port of a router is an interesting road for cybercriminals to detect, access, and subsequently use the media servers that use the Plex Media Server app to combat DDoS attacks. feed. Hackers should only search the internet for devices that have the udp port 32414 open and can take over the device, as simple as that.

Netscout mentions 27,000 vulnerable Plex servers have already been detected and can be used to carry out a DDOS attack. In addition, Netscout is convinced that DDOS attacks via these servers will become increasingly common as they are already added in botnets. 

Plex just posted the following statement:

The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.

Meanwhile, if you have PLEX on a NAS autoconfigured, it would be wise to check your router and close UDP port 32414 (if open at all).