Plex Media server systems are being compromised to boost malicious traffic over the targeted users to take them offline by utilizing a new method/technique of DDoS (Distributed Denial of Service) attack.
The ongoing attack was found by researchers of Netscout, who explained that “Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, as well as variants customized for special-purpose platforms such as network-attached storage (NAS) devices, external RAID storage units, digital media players, and so on.”
This desktop application allows users to stream and access data on the other supported devices by organizing photos, videos, and audios from online services as well as from the user’s library.
In a general manner, DDoS attacks are performed by swamping the targeted user with malicious network traffic which results in exhaustion of bandwidth and finally disruption of services taking the user offline. This malicious network traffic is brought from several devices that have been enclosed by a botnet for such purposes.
Similarly, a DDoS amplification attack takes place when the bad actor transmits a huge number of maliciously created requests to an external/third-party server, to which in response, the server sends a huge number of responded answers to the targeted user. All this is achieved by tricking the server to believe that the attacker is the victim sending the requests by spoofing the source IP address which results in traffic being transmitted to the victim’s network.
In this case, when the requests of attackers are answered, the resulting traffic is then routed to the targeted server instead of being transmitted to the attacker’s device.
Researchers from Netscout, in a blog post, stated, “Upon startup, Plex probes the local network using the G’Day Mate (GDM) network/service discovery protocol to locate other compatible media devices and streaming clients. It also appears to make use of SSDP probes to locate UPnP gateways on broadband internet access routers that have SSDP enabled. When a UPnP gateway is discovered via this methodology, Plex attempts to utilize NAT-PMP to instantiate dynamic NAT forwarding rules on the broadband internet access router.”
“When successful, this has the effect of exposing a Plex UPnP-enabled service registration responder to the general internet, where it can be abused to generate reflection/amplification DDoS attacks. To date, observed amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP/32414 on abusable broadband internet access routers directed towards the attack target(s). Each amplified response packet ranges from 52 bytes – 281 bytes in size, for an average amplification factor of ~4.68:1,” researchers continued.
This makes the matter worse as researchers further said that they have identified almost 27,000 exploited servers over the web, till this time. Netscout researchers, under the collateral impact section, explained, “The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the internet. This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.”
In order to overcome/avoid the attack, researchers suggested that the operators of the network should filter out the traffic which is being sent to the UDP/32414 and also should “disable SSDP on broadband internet access routers.”
Researchers from Netscout concluded by saying, “It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.”