Plex Media Server systems are actively being abused to amplify Distributed Denial-of-Service (DDoS) attacks as part of DDoS-for-hire services available to criminals. Plex Media Server is a streaming system compatible with Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more. According to a report from Netscout, amplified PMSSDP DDoS attacks observed since November 2020 have abused UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers, redirecting them towards attackers’ targets. The junk traffic reflected onto victims’ servers originates from SSDP (Simple Service Discovery Protocol) probes sent by Plex through the GDM (G’Day Mate) protocol for the local network service directory. “The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),” Richard Hummel, Manager of Threat Intelligence at Netscout, stated in an interview. Attackers can exploit nearly 27,000 exposed devices running Plex to amplify and reflect DDoS traffic onto their target systems.
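As an added example (not taken from Netscout's report or from this article), the Python sketch below flags likely victims of the reflection described above by finding destinations that receive UDP traffic sourced from port 32414 from several distinct hosts. The flow-record format, the sample records, and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

PMSSDP_PORT = 32414  # UDP port named in the article

# Constructed sample flow records (not real traffic), one per line:
# src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
198.51.100.10 32414 203.0.113.5 41000 udp 5200
198.51.100.11 32414 203.0.113.5 41001 udp 4800
198.51.100.12 32414 203.0.113.5 41002 udp 5100
198.51.100.13 32414 203.0.113.5 41003 udp 4900
192.0.2.77 32414 203.0.113.9 32414 udp 300
198.51.100.10 443 203.0.113.5 52000 tcp 90000
malformed line here
"""

def parse_flow(line):
    """Parse one record in the assumed format; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    src, sport, dst, dport, proto, nbytes = parts
    if not (sport.isdigit() and dport.isdigit() and nbytes.isdigit()):
        return None
    return src, int(sport), dst, int(dport), proto.lower(), int(nbytes)

def find_reflection_targets(text, min_sources=3, min_bytes=10000):
    """Return {dst_ip: (distinct_reflectors, total_bytes)} for destinations
    hit by UDP/32414-sourced traffic from many hosts.
    Thresholds are illustrative assumptions; tune them to local baselines."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip records that do not match the assumed format
        src, sport, dst, _dport, proto, nbytes = flow
        if proto == "udp" and sport == PMSSDP_PORT:
            sources[dst].add(src)
            volume[dst] += nbytes
    return {
        dst: (len(srcs), volume[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources and volume[dst] >= min_bytes
    }

if __name__ == "__main__":
    for dst, (count, total) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {count} reflectors, {total} bytes from UDP/{PMSSDP_PORT}")
```

A single host sending from UDP/32414 stays below the thresholds, so ordinary GDM discovery traffic on a local network is not flagged.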