Plex Media Servers Are Being Abused For DDoS Attacks (zdnet.com) 15
DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks, security firm Netscout said in an alert this week. From a report: The company's alert warns owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that's usually used for video or audio streaming and multimedia asset management. The app can be installed on regular web servers or usually ships with network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices. Netscout says that when a server/device running a Plex Media Server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP). The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414. Since the SSDP protocol has been known for years to be a perfect vector to amplify the size of a DDoS attack, this makes Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations.
It's GDM setting.... (Score:5, Informative)
Re:It's GDM setting.... (Score:5, Informative)
This caught my attention and I was concerned since I have a plex server with port 32400 open to the internet. Annoyingly, the ars and Slashdot don't explain the actual plex setting to disable. It's GDM, and anyone with half a brain would disable that anyhow.
And for those who don't know where that setting is, it's under "Network" (learn from my mistake and don't go hunting for it in "Remote Access" instead!). You'll also need to show advanced settings for it to show up.
Re: (Score:1)
Re: (Score:2)
It's not GDM, it's SSDP. When I saw just the title of the post I thought "I bet it's UPnP, or failing that SSDP". Sure enough....
Whenever you get anything networked of any kind, the first thing you do is turn off UPnP, SSDP, and similar. Without that, you're basically sitting on the Internet with a passwordless root login over telnet enabled.
I remember when it was harder to do stupid stuff (Score:4, Interesting)
Now, it's automatic!
Re: (Score:3)
That, and "stupid" is the new "smart". Because people that actually know what they are doing are expensive.
No problem (Score:2)
Just give me the patch and I'll apply it and re-compile...er...where's the source code for this doohicky?
The report is not accurate (Score:5, Informative)
The Plex Media Server DOES NOT add a NAT forwarding rule for UDP traffic; only for TCP traffic to port 32400.
I should know, I wrote the code.
Re: The report is not accurate (Score:2)
Re: (Score:3)
And I’m once again reminded why I done to Slashdot.
Thanks not only for your comment, but also for your work on an incredible service that my family uses literally every day.
Re: (Score:1)
you're very kind, thank you so much!
Re: (Score:2)
“come”, not “done”. Not sure how autocorrect managed that one...
Poorly documented and kind of meh... (Score:2)
TFA is pretty thin on details and even the link from the threat summary is lacking some essentials.
So, what's the story: assuming you have an exposed Plex (or if you let it forward the useless UDP port on NAT devices) you get an internet exposed service that can respond with larger packets to a (presumably source-spoofed) smaller packet. They mention an amplification factor of 4.68 but it isn't clear if there's other throttling possible (will this service answer with 10 packets/s? 1000? 1000000?).
Note that