Systems with Plex Media Server are used to amplify DDoS attacks

NetScout analysts warned that hackers have found a way to use systems with Plex Media Server installed to amplify DDoS attacks.

The problem is that the application can be not only installed on a regular web server, but it often comes with NAS devices, media players, or other IoT devices.

According to experts, the point is that when a server or device running Plex Media Server boots up and connects to the network, a local scan is launched to find compatible devices and for this the SSDP protocol is used. And if Plex Media Server detects a local router with SSDP enabled, it adds a special NAT rule to make the Plex Media SSDP (PMSSDP) service available over the Internet (UDP port 32414).

“Unfortunately, SSDP has long been known as a vector of choice for attackers to amplify the power of DDoS attacks, which means that devices with installed Plex Media Server are an interesting target for attackers”, – remind NetScout researchers.

According to their information, the DDoS amplification factor in this case is about 4.68, that is, Plex Media Server amplifies incoming PMSSDP packets from 52 bytes to about 281 bytes.

As a reminder, in June last year AWS handled the most powerful DDoS attack in history, reaching 2.3 Tb/s.

Researchers warn that they have found more than 27,000 devices on the network with Plex Media Server that can be used for DDoS attacks. Worse, hackers already know about this amplification method, and Netscout experts write that they have not only observed such attacks, but they are already becoming commonplace. PMSSDP attacks usually reach a peak power of 2-3 Gbps, but according to experts, this is not the limit.

“The total number of attacks [using PMSSDP] from January 1, 2020 to date is approximately 5,700 (out of a total of 11,000,000 attacks that we saw during this period). We noticed the use of this method back in November 2020, when the activity increased sharply, but in most cases, we see that it is used in multi-vector attacks, and not as the main vector.”, — Netscout said in an interview with Bleeping Computer.

Also, interesting in this regard may be the information that CallStranger vulnerability allows arranging DDoS and scan local networks.