Plex Media Servers Used to Amplify DDoS ThreatsResearchers Warn of Yet Another Way to Boost Attacks
Researchers with NetScout's Atlas Security Engineering and Response Team are warning that attackers are abusing certain versions of the Plex media server app to strengthen and amplify various DDoS attacks.
The NetScout researchers believe that about 27,000 Plex media servers are vulnerable to the type of DDoS amplification attacks described in a new report. The Plex media server application works with Windows, Linux and macOS operating systems and normally lets users share video and other media with other devices.
The application can also connect with other devices. such as network-attached storage devices and external RAID storage units.
In the incidents that NetScout found, numerous DDoS-for-hire services were using the vulnerable Plex app to send junk traffic to targeted victims to overwhelm their networks and cause a crash.
In a typical case, an amplification attack happens when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim. The attacker can also spoof the source IP address to appear as if they are the victim, resulting in traffic that overwhelms victim resources.
The FBI and others have been warning since mid-2020 that attackers are using more of these amplification techniques as an inexpensive but effective way to boost the power of their DDoS attacks (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).
Roland Dobbins, principal engineer at NetScout, notes that the type of amplification attacks abusing Plex media servers were first spotted in November 2020.
How the Amplification Attack Works
Within some instances of the Plex media server, the application will use the Simple Service Discovery Protocol - SSDP - to locate universal plug-and-play gateways on broadband internet access routers where this feature is available, according to the report. When this happens, the Plex service registration responder is exposed to the internet, and attackers can then take advantage of the app to help amplify DDoS attacks. Each amplified response packet can range from 52 bytes to 281 bytes in size, for an average amplification factor ratio of 5:1.
The NetScout researchers are referring to this technique as a Plex Media Simple Service Discovery Protocol attack or PMSSDP.
"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called 'booter/stresser' DDoS-for-hire services, placing it within the reach of the general attacker population."
Dobbins notes that forums dedicated to Plex products have expressed concern about this scenario for some time.
"We have observed considerable discussion of the use of SSDP/UPnP in Plex media server in Plex's own user forums, with posts expressing user concern about their use in the product and requesting an option to disable their use," Dobbins says.
On its support page, Plex Media notes that it was not notified about this attack technique until after the report was published, but the company says the "vast majority of Plex media server setups are not exposed or affected by this."
Plex says that while it's investigating the report, users can block these attacks by adjusting the firewall settings to block traffic on certain ports and configure their routers to not forward user datagram protocol traffic.
DDoS in the Spotlight
While DDoS attacks have circulated for years, they have come back into fashion over the last year, especially in the wake of COVID-19 with more people working remotely. In 2020, the number of DDoS attacks surpassed 10 million, up from 8.5 million in 2019, according to a previous NetScout report (see: Netscout: 10 Million DDoS Attacks in 2020).
"DDoS attacks are a constant threat for organizations and security bugs and flaws within software can be exploited to amplify these attacks," Jack Mannino, CEO at security firm nVisium, says about the recent surge in DDoS attacks. "As these attacks are often highly effective and can frequently be launched at a relatively low cost, DDoS threats will continue to be a persistent real risk for modern digital organizations."
Other security experts say that DDoS attacks are also being used by organized cybercriminal gangs to extort ransom from victims who are threatened with increasingly larger attacks if they don't pay. In other cases, DDoS is used as a distraction method to divert security from the true purpose of the attack.
"Many of us have found that these attacks are meant as a distraction activity. In worst-case scenarios, we have seen DDoS attacks be used as the 'sleight of hand' to keep security folks busy while something like data exfiltration or malware loading takes place," says Brandon Hoffman, CISO at security firm Netenrich. "Certainly, the notion of DDoS attacks will not go away. It is a basic tool in the adversary kit and provides significant flexibility and ease of use, although limited in the direct outcome - meaning it can be used for a variety of purposes but no direct benefit, such as something like ransomware."
Managing Editor Scott Ferguson contributed to this report.