Plex Media Servers Being Used to Amplify DDoS Attacks
A new network security issue is causing headaches for the victims of DDoS attacks. According to security firm Netscout, several DDoS services have found a way to use Plex Media Servers to amplify the junk traffic they fire off toward targets during attacks. The researchers claim that a Plex server, properly utilized, can increase the size of DDoS packets by almost five times, making these attacks much more damaging. There’s not much Plex users can do about it right now, either.
Plex is a media management and streaming program you can install on a computer or NAS box. It catalogs, organizes, and streams your video and audio collection. It can even transcode files in real-time so you can watch them on almost any device via the Plex client. However, Plex is designed to stream media both inside and outside your local network. While you need an account to log in remotely, Plex is still visible on the public internet at port 32414, which it opens via the Simple Service Discovery Protocol (SSDP) on compatible routers.
The attack doesn’t require the attackers to log into your Plex server or install anything on your network. The DDoS simply tricks Plex into pinging the wrong IP address. The server gets packets through the open port that appear to have come from a certain IP address. However, that address is the attacker’s target and not the attacker themselves. Netscout says Plex’s response packets can be as much as 281 bytes in size, which is a 4.68x amplification of the original data.
The name of the game in DDoS attacks is bandwidth. Netscout says that Plex Media SSDP (PMSSDP) attacks can generate 2-3 Gbps of data, which is enough to crash smaller websites and services. It’s possible to reach hundreds of gigabits with multi-vector DDoS attacks and PMSSDP.
Plex says it was not alerted to the threat ahead of time, but Netscout says this attack is already in the wild and is even becoming “common.” However, it might have been nice if there was some communication with Plex in advance of publication. Netscout claims there are about 27,000 Plex servers online with PMSSDP.
In the Plex forums, developers say the company is looking into the reports. Some users have suggested manually changing the Plex Media Server remote access port, but that’s a “security through obscurity” play. The only foolproof way to keep your server from amplifying a DDoS right now is to disable remote access altogether or manually configure your router firewall to block all UDP traffic on your Plex port.