G.Skill TridentZ 5 RGB 6800 MHz CL34 DDR5 review
Be Quiet! Dark Power 13 - 1000W PSU Review
Palit GeForce RTX 4080 GamingPRO OC review
Core i9 13900K DDR5 7200 MHz (+memory scaling) review
Seasonic Prime Titanium TX-1300 (1300W PSU) review
F1 2022: PC graphics performance benchmark review
MSI Clutch GM31 Lightweight​ (+Wireless) mice review
AMD Ryzen 9 7900 processor review
AMD Ryzen 7 7700 processor review
AMD Ryzen 5 7600 processor review
Plex media servers actively scanned and used to amplify DDoS attacks
Media servers based on PLEX can be used for DDOS attacks. DDoS-for-hire services you can find on the web have now pointed their eyes on PLEX servers because they can abuse the SSDP (Simple Service Discovery) protocol.
Netscout reports that the Plex Media Server app creates a new 'network address translation' line at your local Internet router that allows the media server's SSDP protocol to directly access the Internet through udp port 32414. Attackers simply have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.
"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population," the company said.
Using the SSDP protocol over this UDP port of a router is an interesting road for cybercriminals to detect, access, and subsequently use the media servers that use the Plex Media Server app to combat DDoS attacks. feed. Hackers should only search the internet for devices that have the udp port 32414 open and can take over the device, as simple as that.
Netscout mentions 27,000 vulnerable Plex servers have already been detected and can be used to carry out a DDOS attack. In addition, Netscout is convinced that DDOS attacks via these servers will become increasingly common as they are already added in botnets.
Plex just posted the following statement:
The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.
Meanwhile, if you have PLEX on a NAS autoconfigured, it would be wise to check your router and close UDP port 32414 (if open at all).
Reddoguk
Senior Member
Posts: 2476
Joined: 2010-05-26
Senior Member
Posts: 2476
Joined: 2010-05-26
#5885496 Posted on: 02/08/2021 10:51 PM
Well it seems i'm not listening on UPnP WAN.
Well it seems i'm not listening on UPnP WAN.
386SX
Senior Member
Posts: 1730
Joined: 2017-06-26
Senior Member
Posts: 1730
Joined: 2017-06-26
#5885507 Posted on: 02/08/2021 11:50 PM
Couldnt agree more. I would like to add "disable answering ICMP messages on WAN".
No router should be exposing UPnP to the WAN side.
Couldnt agree more. I would like to add "disable answering ICMP messages on WAN".
0blivious
Senior Member
Posts: 3268
Joined: 2006-04-25
Senior Member
Posts: 3268
Joined: 2006-04-25
#5885535 Posted on: 02/09/2021 06:02 AM
Thanks for the verification link!
""All good! It looks like you are not listening on UPnP on WAN""
I was expecting it to tell me that it could fly a 747 through all the security holes. Apparently not, which is nice as I'm fairly clueless in this regard. (*back to watching PLEX...)
Thanks for the verification link!
""All good! It looks like you are not listening on UPnP on WAN""
I was expecting it to tell me that it could fly a 747 through all the security holes. Apparently not, which is nice as I'm fairly clueless in this regard. (*back to watching PLEX...)
386SX
Senior Member
Posts: 1730
Joined: 2017-06-26
Senior Member
Posts: 1730
Joined: 2017-06-26
#5885571 Posted on: 02/09/2021 10:14 AM
@0blivious for your 747 feeling there is this test:
https://www.heise.de/security/dienste/portscan/test/go.shtml?scanart=1
Page is in German.
Komplettcheck option tests all.
The checkmark has to be set so you are allowed to scan your WAN IP.
After selecting your desired options click on TEST STARTEN button.
Then fly ...
Edit: TR-69 is for cable modems or routers.
@0blivious for your 747 feeling there is this test:
https://www.heise.de/security/dienste/portscan/test/go.shtml?scanart=1
Page is in German.
Komplettcheck option tests all.
The checkmark has to be set so you are allowed to scan your WAN IP.
After selecting your desired options click on TEST STARTEN button.
Then fly ...
Edit: TR-69 is for cable modems or routers.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 321
Joined: 2017-02-16
To be clear, this isn't a Plex problem, it's a router problem. No router should be exposing UPnP to the WAN side, which is what is being exploited here.
You can detect whether it is or not on your system by visiting Bad UPnP/SSDP - Check for WAN UPnP listening (benjojo.co.uk)
You should do so even if you aren't running Plex, since you can be exploited by many services outside it. If it shows you are vulnerable, your best option is to turn off UPnP in your router.