Network Security, Network Security

DDoS attacks leverage Plex media server

Netscout is reporting a spate of distributed denial-of-service (DDoS) attacks leveraging a problematic engineering decision in the popular Plex media server. For companies that count many employees working from home, this can introduce risk to corporate networks.

Indeed, what should be evaluated among chief information security officers "is the security posture of the home environment," said Roland Dobbins, Netscout principal engineer, who authored the report. "That includes the broadband internet access router. They should check for SSDP as part of a security audit."

Plex allows users to access media from one device on other devices. It uses a protocol known as universal plug and play (UPnP) to allow systems on the same network to seek each other out and share files. UPnP relies on the simple service discovery protocol (SSDP).

This is where attackers have started to take advantage. Attackers have long known they can leverage exposed SSDP in amplification attacks. And they appear to be doing that now. Netscout has clocked attacks in the two to three gigabit per second range, which can be used on its own or as a component of multivector attacks, and can cause collateral drain on the broadband of the Plex users unknowingly involved.

If Plex users configure their broadband internet access router to access Plex remotely or if they unknowingly have a router set to allow SSDP by default, they are open to the attack.

"The typical lifecycle of these vectors is that someone discovers or rediscovers them, word gets out over what we call the digital underground, and they are eventually weaponized by DDoS-for-hire services," said Dobbins.

He added that attackers appear to be in that last phase, where the Plex vector has been weaponized for widespread use.

While three gigabits do not sound huge in an era where attacks cross the terabit threshold, it is still enough on its own to impact many targets. But Netscout reports seeing the Plex trick used in concert with other vectors for a much larger attack. The company estimates there are 27,000 mostly at home Plex users configured to allow this kind of amplification attack.

Reliance on UPnP and SSDP is an engineering decision, not a vulnerability. There is no indication that UPnP is installed incorrectly in Plex. Plex did not respond immediately to a request for comment.

But, said Dobbins, media servers could use architectures other than UPnP to provide similar functionality, like a central directory service.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.