"Plex Media Servers Are Being Abused For DDoS Attacks"
Researchers at security firm Netscout have found that DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks. The security researchers scanned the internet and found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks. Plex Media server is a web application for Windows, Mac, and Linux that's usually used for video or audio streaming and multimedia asset management. The app can be installed on regular web servers or usually ships with network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices. The researchers stated that when a server/device running a Plex Media server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP). The problem comes when a Plex Media server discovers a local router that has SSDP support enabled. When this happens, the Plex Media server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414. The SSDP protocol has been known for years to be a perfect vector to amplify the size of a DDoS attack, making Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations. The researchers also stated that adversaries only have to scan the internet for devices with this port enabled and then abuse them to amplify web traffic they send to a DDoS attack victim. The amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to about 281 bytes before sending the packet to the victim.
ZDNet reports: "Plex Media Servers Are Being Abused For DDoS Attacks"