The Bleeping Computer reported this week that threat actors are using Plex Media Server to execute and amplify Distributed Denial of Service or DDoS attacks across the globe.
What is Plex Media Server?
Plex is a popular media server that you can use on Windows, Linux, and Mac, as well as mobile devices to stream your own content (movies, pictures, songs) or content from other sources.
You can install Plex Media Server on your computer and play movies, songs, or other media from an external hard drive to your Roku or other streaming devices. You can use the free version forever or pay for a subscription that allows you to play content from services like Warner Brothers, Crackle, Lionsgate, MGM, and more. You can even watch live TV on Plex.
Plex has a strong cult following and a well-supported forum for questions and answers when setting up and configuring your server.
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a malicious tactic used by hackers to disrupt the normal flow of internet traffic to a web server or network by overwhelming it with a flood of unexpected traffic.
Often threat actors use compromised computers, IoT devices, or other networked (internet-connected) machines to carry out these attacks. They do this by infecting the computers or devices with malware meant to perform specific tasks. This new network of exploited devices is often referred to as a botnet. Essentially each infected machine becomes a bot capable of carrying out commands from the malicious hacker. Once the server becomes overwhelmed, it refuses normal traffic, which is where the “denial of service” comes in.
Because hackers use hijacked legitimate equipment to carry out these types of attacks, they are difficult to trace back to their origins and catch the culprits responsible.
How are Hackers Using Plex to Perform Attacks?
To use Plex outside your home network, you need to allow specific ports. According to the Bleeping Computer, “amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers and redirected towards attackers’ targets.”
The publication went on to explain, “’The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame),’ Richard Hummel, Manager of Threat Intelligence at Netscout told BleepingComputer in an email interview.”
“‘We’ve seen its use as far back as November when activity ramped up, but most of the time, we see its use is in multi-vector attacks rather than as a primary vector, which can result in some uncertainty in finding an exact day it began to be used,’ Hummel said when asked of the first time PMSSDP was observed as a DDoS attack amplification vector.”
How to Protect Your Plex Media Server
The best way to keep your Plex server protected is not to modify your router to allow any traffic on the Plex suggested ports. Another option, according to the Bleeping Computer, is for “SSDP to be disabled.” You can filter traffic on UDP/32414. However, filtering may block the connections that you need.
Users who need to allow these ports on their router should “perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers.”
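One way to do that identification from your own firewall or flow logs, as an added example that is not from Bleeping Computer, Netscout or Plex: it flags internal hosts that answer Internet-sourced traffic on UDP/32414 and reports how many bytes they send back per byte received. The record layout, the sample flows and the choice of RFC 1918 ranges as "internal" are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

PMSSDP_PORT = 32414  # UDP port named in the article
# Assumption: the networks you own are the RFC 1918 ranges; adjust to your site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.50", 40000, "192.168.1.20", 32414, 50),
    ("udp", "192.168.1.20", 32414, "203.0.113.50", 40000, 250),
    ("udp", "203.0.113.50", 40001, "192.168.1.20", 32414, 50),
    ("udp", "192.168.1.20", 32414, "203.0.113.50", 40001, 250),
    # LAN-only discovery: normal, must not be flagged
    ("udp", "192.168.1.33", 51000, "192.168.1.20", 32414, 50),
    ("udp", "192.168.1.20", 32414, "192.168.1.33", 51000, 250),
    # Probe that the firewall dropped: no reply, so nothing is reflected
    ("udp", "203.0.113.77", 40002, "192.168.1.40", 32414, 50),
    # Unrelated TCP traffic
    ("tcp", "203.0.113.50", 40003, "192.168.1.20", 443, 900),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_reflectors(flows, min_ratio=1.0):
    """Map each internal host that answers Internet-sourced UDP/32414
    to (bytes_in, bytes_out, ratio)."""
    stats = defaultdict(lambda: [0, 0])  # host -> [bytes_in, bytes_out]
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == PMSSDP_PORT and is_internal(dst) and not is_internal(src):
            stats[dst][0] += nbytes
        elif sport == PMSSDP_PORT and is_internal(src) and not is_internal(dst):
            stats[src][1] += nbytes
    findings = {}
    for host, (b_in, b_out) in stats.items():
        if b_out == 0:
            continue  # never replied to the Internet
        ratio = b_out / b_in if b_in else float("inf")
        if ratio >= min_ratio:
            findings[host] = (b_in, b_out, round(ratio, 2))
    return findings

if __name__ == "__main__":
    for host, (b_in, b_out, ratio) in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: in={b_in}B out={b_out}B ratio={ratio}")
```

Any host this reports is reachable on UDP/32414 from outside and is a candidate for the filtering described above.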
Threat researchers told the Bleeping Computer that “it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem.”