Plex Media Server systems are actively being abused to amplify Distributed Denial-of-Service (DDoS) attacks as part of DDoS-for-hire services available to criminals. Plex Media Server is a streaming system compatible with Windows, macOS, Linux, and Free BSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more. In a report from Netscout, they stated that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers and redirected towards attackers’ targets. This junk traffic reflected onto victims’ servers is sourced from SSDP (Simple Service Discovery Protocol) probes sent by Plex through the GDM (G’Day Mate) protocol for the local network service directory. “The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),” Richard Hummel, Manager of Threat Intelligence at Netscout stated in an interview. Attackers are capable of exploiting nearly 27,000 exposed devices running Plex to amplify and reflect DDoS traffic onto their target systems.
Analyst Notes
To mitigate the impact of these DDoS attacks, network administrators can quarantine end-customer nodes exposed to attacks and/or filter UDP/32414 traffic on abusable nodes and should perform reconnaissance to find abusable PMSSDP reflectors/amplifiers in their networks and/or their customers’ networks. Note that filtering UDP port 32414 could block legitimate services from communicating, so care must be taken before applying that mitigation strategy. Putting a DDoS mitigation service in place to protect critical corporate network services is a best practice preparation to prevent costly downtime or loss of employee remote access during an attack.
Source Article: https://www.bleepingcomputer.com/news/security/plex-media-servers-actively-abused-to-amplify-ddos-attacks/?&web_view=true
