
Systems with Plex Media Server are used to amplify DDoS attacks

NetScout analysts warned that hackers have found a way to use systems with Plex Media Server installed to amplify DDoS attacks.

The problem is that the application is not only installed on regular web servers; it also often ships with NAS devices, media players, and other IoT devices.

According to the experts, when a server or device running Plex Media Server boots up and connects to the network, it launches a local scan for compatible devices using the SSDP protocol. If Plex Media Server detects a local router with SSDP enabled, it adds a NAT rule that makes the Plex Media SSDP (PMSSDP) service reachable from the Internet on UDP port 32414.

“Unfortunately, SSDP has long been known as a vector of choice for attackers to amplify the power of DDoS attacks, which means that devices with installed Plex Media Server are an interesting target for attackers,” the NetScout researchers point out.

According to their information, the DDoS amplification factor in this case is about 4.68, that is, Plex Media Server amplifies incoming PMSSDP packets from 52 bytes to about 281 bytes.
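The following Python sketch is an added example, not code from NetScout or from the original article. It looks for both sides of the problem in flow records: local hosts that answer Internet traffic on UDP 32414 (exposed reflectors) and local hosts that receive unsolicited replies sourced from that port. The flow tuple layout, the 192.0.2.0/24 "local" network, and the sample records (sized to give the roughly 4.68 factor quoted above) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

PMSSDP_PORT = 32414  # UDP port the article says the NAT rule exposes

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Addresses are documentation ranges; 192.0.2.0/24 plays the local network.
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "192.0.2.10", 32414, "udp", 50),
    ("192.0.2.10", 32414, "198.51.100.7", 40000, "udp", 234),
    ("198.51.100.7", 40001, "192.0.2.10", 32414, "udp", 50),
    ("192.0.2.10", 32414, "198.51.100.7", 40001, "udp", 234),
    ("203.0.113.5", 32414, "192.0.2.20", 51000, "udp", 234),
    ("203.0.113.6", 32414, "192.0.2.20", 51000, "udp", 234),
    ("192.0.2.30", 45000, "203.0.113.9", 32414, "udp", 50),
    ("203.0.113.9", 32414, "192.0.2.30", 45000, "udp", 234),
    ("198.51.100.8", 44321, "192.0.2.10", 443, "tcp", 900),
]

def analyze(flows, local_cidr):
    """Return (reflectors, targets) seen from the local network's point of view."""
    net = ipaddress.ip_network(local_cidr)
    local = lambda ip: ipaddress.ip_address(ip) in net
    udp = [f for f in flows if f[4] == "udp"]
    # (local, remote) pairs where the local host itself queried a remote PMSSDP port
    solicited = {(s, d) for s, _, d, dp, _, _ in udp if dp == PMSSDP_PORT and local(s)}
    refl = defaultdict(lambda: [0, 0])        # host -> [bytes_in, bytes_out]
    tgt = defaultdict(lambda: [set(), 0])     # host -> [remote sources, bytes]
    for s, sp, d, dp, _, n in udp:
        if dp == PMSSDP_PORT and local(d) and not local(s):
            refl[d][0] += n                   # Internet request reached a local PMSSDP service
        elif sp == PMSSDP_PORT and local(s) and not local(d):
            refl[s][1] += n                   # local PMSSDP service answered the Internet
        elif sp == PMSSDP_PORT and local(d) and not local(s) and (d, s) not in solicited:
            tgt[d][0].add(s)                  # unsolicited PMSSDP reply aimed at a local host
            tgt[d][1] += n
    reflectors = {h: {"bytes_in": i, "bytes_out": o,
                      "ratio": round(o / i, 2) if i else None}
                  for h, (i, o) in refl.items() if o}
    targets = {h: {"sources": len(src), "bytes": b} for h, (src, b) in tgt.items()}
    return reflectors, targets

if __name__ == "__main__":
    reflectors, targets = analyze(SAMPLE_FLOWS, "192.0.2.0/24")
    print("exposed PMSSDP reflectors:", reflectors)
    print("hosts receiving reflected PMSSDP traffic:", targets)
```

A host reported as a reflector is answering Internet-sourced traffic on UDP 32414, which points to the NAT rule described above being present on the router in front of it.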

As a reminder, in June last year AWS handled the most powerful DDoS attack in history, reaching 2.3 Tb/s.

The researchers warn that they have found more than 27,000 devices online with Plex Media Server that can be used for DDoS attacks. Worse, hackers already know about this amplification method: the NetScout experts write that they have not only observed such attacks, but that these attacks are already becoming commonplace. PMSSDP attacks usually reach a peak power of 2-3 Gbps, but according to the experts, this is not the limit.

“The total number of attacks [using PMSSDP] from January 1, 2020 to date is approximately 5,700 (out of a total of 11,000,000 attacks that we saw during this period). We noticed the use of this method back in November 2020, when the activity increased sharply, but in most cases, we see that it is used in multi-vector attacks, and not as the main vector,” NetScout said in an interview with Bleeping Computer.

Also of interest in this regard: the CallStranger vulnerability allows attackers to arrange DDoS attacks and scan local networks.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
