
Botnet discovered exploiting Plex Media Server where users have forwarding setup incorrectly

Master Disaster

A new botnet which was first noticed back in November 2020 has just been published by security researchers.

 

It's a pretty sophisticated attack vector; essentially the botnet exploits a feature of UDP packets which allows the return packet to be redirected to a different recipient (SSDP).

Quote

Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

 

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.

 

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers and redirected towards attackers' targets.

 

This junk traffic reflected onto victims' servers is sourced from Simple Service Discovery Protocol (SSDP) probes sent by Plex through the G’Day Mate (GDM) protocol for local network service discovery.

The server machine only needs to send one packet out and each member machine will then send multiple packets out to the target at a ratio of 4.6 to 1.

Quote

Attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP reflectors/amplifiers on the UDP/32414 port have an amplification ratio of ~4.68:1 and peak at ~3 Gbps.

 

However, as Netscout said, "multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps."

 

Attackers can exploit roughly 27,000 exposed devices running Plex Media Server to amplify and reflect DDoS traffic onto their targets' systems.

 

"It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services," Netscout added.

 

"The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers."

The creators of the botnet are now offering it as a DDoS for hire service.

Quote

As it regularly happens with newer DDoS attack vectors, PMSSDP has also been weaponized and is now actively used by booter/stresser DDoS-for-hire services.

 

These platforms are regularly used by pranksters or threat actors without the skills or time to invest in establishing their own DDoS attack infrastructure.

 

Booters' services are rented to launch large-scale DDoS attacks targeting servers or sites to trigger a denial of service that usually brings them down or disrupts online services.

Plex has responded by telling all its users to update PMS as soon as possible and confirmed the issue stems from users having their firewalls configured to forward the UDP port to the internet when its intended use is as a local discovery service.

 

Not mentioned in the article, but Plex has also said that under normal use with UPNP this port would never be forwarded by Plex; this is something you'd have to do yourself.

Quote

The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.

Source - https://www.bleepingcomputer.com/news/security/plex-media-servers-actively-abused-to-amplify-ddos-attacks/

 

This doesn't surprise me. The amount of people who blindly forward every port listed as used by PMS is staggering. You only need to forward one single port to the internet for external Plex access and with UPNP even that's not something you need to do manually.

 

As usual it comes down to ignorance or laziness.

 

For me personally I have UPNP off and I only forward ports myself manually.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

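As an added illustration of the reflection/amplification pattern the post above describes (this is example code written for this thread, not code from Netscout, Plex or the original poster), the script below walks a set of constructed UDP flow records and flags external hosts that received far more bytes from the home server's UDP/32414 service than they sent to it. In a reflection attack the "requests" carry the victim's spoofed source address, so from the server's point of view the victim appears as a peer with a lopsided byte ratio. The LAN range, the server address and the sample flows are all assumptions constructed for the example.

```python
"""Spot PMSSDP (UDP/32414) reflection activity in simple flow records.

Each flow record is (src_ip, src_port, dst_ip, dst_port, proto, bytes).
Records like this can be produced from NetFlow/sFlow exports or from a
firewall log once it is parsed into fields.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PMSSDP_PORT = 32414                        # port named in the Netscout report
LOCAL_NET = ip_network("192.168.1.0/24")   # assumption: the home LAN

# Constructed sample flows (not captured traffic). The 50-byte probe and
# 234-byte reply sizes are chosen so the ratio matches the ~4.68:1 figure
# quoted in the thread; real sizes vary.
SAMPLE_FLOWS = [
    # Legitimate LAN discovery: a client on the LAN asks, the server answers.
    ("192.168.1.20", 50123, "192.168.1.10", PMSSDP_PORT, "udp", 64),
    ("192.168.1.10", PMSSDP_PORT, "192.168.1.20", 50123, "udp", 300),
    # Probes "from" 203.0.113.5 (a spoofed victim) reflected back amplified.
    ("203.0.113.5", 40000, "192.168.1.10", PMSSDP_PORT, "udp", 50),
    ("192.168.1.10", PMSSDP_PORT, "203.0.113.5", 40000, "udp", 234),
    ("203.0.113.5", 40001, "192.168.1.10", PMSSDP_PORT, "udp", 50),
    ("192.168.1.10", PMSSDP_PORT, "203.0.113.5", 40001, "udp", 234),
    ("203.0.113.5", 40002, "192.168.1.10", PMSSDP_PORT, "udp", 50),
    ("192.168.1.10", PMSSDP_PORT, "203.0.113.5", 40002, "udp", 234),
    # A second spoofed victim with a single probe/reply pair.
    ("198.51.100.9", 41000, "192.168.1.10", PMSSDP_PORT, "udp", 50),
    ("192.168.1.10", PMSSDP_PORT, "198.51.100.9", 41000, "udp", 234),
    # An external probe that got no reply (firewall dropped it): not flagged.
    ("198.51.100.77", 42000, "192.168.1.10", PMSSDP_PORT, "udp", 50),
    # Unrelated TCP traffic is ignored entirely.
    ("203.0.113.5", 44444, "192.168.1.10", 32400, "tcp", 1500),
]


def summarize(flows, local_net=LOCAL_NET, port=PMSSDP_PORT):
    """Sum bytes received from, and sent to, each external peer on the discovery port."""
    in_bytes = defaultdict(int)   # external peer -> bytes it sent to our port
    out_bytes = defaultdict(int)  # external peer -> bytes our port sent to it
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto.lower() != "udp":
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport == port and dst_ip in local_net and src_ip not in local_net:
            in_bytes[src] += nbytes
        elif sport == port and src_ip in local_net and dst_ip not in local_net:
            out_bytes[dst] += nbytes
    return in_bytes, out_bytes


def find_reflection(flows, min_ratio=2.0, local_net=LOCAL_NET, port=PMSSDP_PORT):
    """Return {external_peer: amplification_ratio} for peers that look like
    reflection victims: our server answered them on the discovery port from
    outside the LAN, and sent at least min_ratio times more bytes than it got."""
    in_bytes, out_bytes = summarize(flows, local_net, port)
    findings = {}
    for peer, sent in out_bytes.items():
        received = in_bytes.get(peer, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= min_ratio:
            findings[peer] = round(ratio, 2)
    return findings


if __name__ == "__main__":
    for peer, ratio in sorted(find_reflection(SAMPLE_FLOWS).items()):
        print(f"possible reflection victim {peer}: amplification {ratio}:1")
```

Any outbound answer on the discovery port to an address outside the LAN is already a misconfiguration, which is why the threshold is low: the ratio is only there to rank the noisiest peers. The same function works unchanged on the other GDM UDP ports if `port` is swapped.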

Which is why I don't want to deal with ports, until I know how one can set this up correctly without being a mess?

"from exposed broadband Internet access routers" oh?


Quote

 

G’Day Mate (GDM) protocol

 

Their own protocol, eh?
Imma update my PMS.


Wait so my set up is safe since I use UPnP?

 

UPnP has its own issues, but I've been too lazy to forward ports myself


26 minutes ago, Spindel said:

Wait so my set up is safe since I use UPnP?

 

UPnP has its own issues, but I've been too lazy to forward ports myself

Yes, you're fine using UPNP.

 

The issue comes from the Plex Forums listing all the ports that PMS uses, including internal services. Lots of people don't understand what this means so they forward everything to the internet when the services are designed to be scanning the internal network for other devices.

 

The only port you need to forward out is 32400 TCP, and PMS will only ever ask the router to forward this port using UPNP. The affected service (called GDM) runs on 32410 UDP; to be affected you need to create a forwarding rule to this port manually.

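To turn the advice in the reply above (forward only 32400 TCP, never the UDP discovery ports) into something checkable, here is an added example that audits an exported port-forwarding table. It is example code written for this thread, not a Plex tool or anything posted by the forum members. The ports 32400 TCP, 32410 UDP and 32414 UDP come from the thread; the other local-only entries are assumed from Plex's published port list and should be checked against current documentation. The forwarding table itself is constructed for the example.

```python
"""Audit a router's port-forwarding table for Plex discovery ports exposed to the WAN."""

# The one port Plex needs reachable from the internet for remote access.
REQUIRED_PLEX = {("tcp", 32400)}

# Local-discovery ports that should never be forwarded. 32410 and 32414 UDP
# (GDM) are named in the thread; 32412/32413 UDP, 1900 UDP (DLNA/SSDP) and
# 5353 UDP (Bonjour/mDNS) are assumed from Plex's documented port list.
LOCAL_ONLY_PLEX = {
    ("udp", 32410), ("udp", 32412), ("udp", 32413), ("udp", 32414),
    ("udp", 1900),
    ("udp", 5353),
}

# Constructed forwarding table in the shape many routers export:
# (protocol, external_port, internal_ip, internal_port)
SAMPLE_FORWARDS = [
    ("tcp", 32400, "192.168.1.10", 32400),   # correct: remote access
    ("udp", 32414, "192.168.1.10", 32414),   # wrong: GDM discovery exposed
    ("UDP", 32410, "192.168.1.10", 32410),   # wrong: GDM discovery exposed
    ("tcp", 32469, "192.168.1.10", 32469),   # not needed for remote access
]


def audit_forwards(rules):
    """Return a list of (rule, verdict) pairs, one per forwarding rule.

    Verdicts start with REMOVE (discovery port exposed to the internet),
    OK (required for Plex remote access) or REVIEW (not needed for Plex)."""
    findings = []
    for proto, ext_port, internal_ip, internal_port in rules:
        key = (proto.lower(), internal_port)
        if key in LOCAL_ONLY_PLEX:
            verdict = "REMOVE: local discovery port, usable as a UDP reflector"
        elif key in REQUIRED_PLEX:
            verdict = "OK: required for Plex remote access"
        else:
            verdict = "REVIEW: not required for Plex remote access"
        findings.append(((proto, ext_port, internal_ip, internal_port), verdict))
    return findings


def exposed_discovery_ports(rules):
    """Sorted list of internal discovery ports that are currently forwarded."""
    return sorted(
        rule[3] for rule, verdict in audit_forwards(rules) if verdict.startswith("REMOVE")
    )


def remote_access_ok(rules):
    """True when 32400 TCP is forwarded and no discovery port is exposed."""
    has_32400 = any(
        (proto.lower(), internal_port) in REQUIRED_PLEX
        for proto, _, _, internal_port in rules
    )
    return has_32400 and not exposed_discovery_ports(rules)


if __name__ == "__main__":
    for rule, verdict in audit_forwards(SAMPLE_FORWARDS):
        print(f"{rule[0].upper()} {rule[1]} -> {rule[2]}:{rule[3]}  {verdict}")
    print("remote access configured safely:", remote_access_ok(SAMPLE_FORWARDS))
```

The check keys on the internal port, since that is the service the rule actually exposes regardless of which external port number was chosen.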
