Plex Media Server abused in DDOS Attacks

News, Vulnerabilities | 12 February, 2021

37,000 Plex Media servers exposed to the internet are being abused in DDOS attacks according to a new security report.

Plex Media Server is a personal media library and streaming platform available on Windows, Mac and Linux. One of the attractions of Plex is the ability to stream your local media library to remote locations by exposing the Plex software to the internet. This would, for example, enable movies from your home media library to be watched while at work.

When started, the Plex software probes the local network to identify possible streaming clients and compatible media devices. If it can locate the network router using SSDP (Simple Service Discovery Protocol), it will also attempt to configure the router's UPnP gateway to forward certain incoming traffic to the Plex server. Plex posted a notice in February that this configuration is open to abuse in DDOS attacks. The Plex software itself and its local network are not at risk; however, the exposed service can be leveraged to attack a third party through a reflection DDOS attack.

What is a DDOS Attack?

DDOS – Distributed Denial of Service attack – is a malicious attack designed to take the target system or website offline, usually by sending a huge volume of traffic that overwhelms the server. To generate the large volume of traffic needed to swamp the target, many different devices are co-opted into generating the attack – hence the ‘distributed’ moniker. The devices used to generate the attack are usually part of a botnet, a network of devices infected with malware whose owners are unaware of their part in the attack.

DDOS attacks can be used as part of a ransom strategy where the attacker demands payment to stop the ongoing attack.

One of the techniques used to generate the large volume of network traffic needed in the attack is called reflection/amplification. This approach abuses legitimate network protocols that send larger responses to small requests. Thus, the attacker can transmit a small amount of data and receive a larger amount of network traffic in response – the amount of network traffic has been amplified. By spoofing the source IP in the request, the attacker can cause the response data to be sent to a different system – the target of the attack – hence the reflection. For example, the attacker device sends a 256-byte request to a system that is part of the DDOS network (the reflector) and spoofs the source IP address so it appears to come from a third device – the innocent target of the attack. The reflector innocently and correctly responds to the request and sends its larger response (4 kilobytes) to the target. Since there are, say, 1000 devices in the DDOS botnet, the target is swamped with 4,000k of sustained network traffic. The incoming DDOS traffic arrives from 1000 different IP addresses and so is hard for a firewall or network load balancer to track or block. It is not uncommon for DDOS attacks to deliver gigabytes of data each second against their target.

How is Plex used in DDOS Attacks?

The exposed ports that Plex opens on the NAT router leave it liable to be abused as a reflector in DDOS reflection/amplification attacks. The exposed SSDP port can be probed using a UDP request that generates a response about 450% larger. With UDP the source IP address is easily spoofable, meaning the SSDP response can be reflected to another target.

Mitigation

Plex has posted a security update and a new software version which now only responds to UDP requests from the local LAN and ignores traffic from the public internet (WAN).

SSDP is designed for use in residential or small office networks and should normally not be exposed to the Internet.

Reviewing your firewall rules and other enabled protocols, and disabling all those not required, will reduce the attack surface of your network. Regular security scans and external network penetration tests will help you identify any open ports which can be abused by attackers.
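The reflection arithmetic from the DDOS section, the LAN-only check adopted in the Plex fix, and a simple flow-log detection for a host acting as an SSDP reflector, as an added example in Python that is not from the SecureTeam article or from Plex; the SSDP messages, flow records and addresses are constructed for illustration, and the LAN check is modelled on the fix rather than taken from Plex's code.

```python
import ipaddress
from collections import namedtuple

# Constructed SSDP M-SEARCH probe of the kind sent to UDP/1900 (not a capture from Plex).
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

# Constructed SSDP reply; its many headers are what make the response larger than the probe.
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
              b"LOCATION: http://192.168.1.20:8080/desc.xml\r\n"
              b"SERVER: Example-OS/1.0 UPnP/1.0 Example-MediaServer/1.0\r\n"
              b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::"
              b"urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n")

# RFC 1918 ranges plus loopback: the "local LAN" a hardened responder restricts itself to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def amplification_factor(request: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: bytes the reflector emits per byte the sender transmits."""
    return len(response) / len(request)

def victim_bytes_per_round(response_len: int, reflectors: int) -> int:
    """Traffic reaching the spoofed victim when every reflector answers once (article's 4 KB x 1000)."""
    return response_len * reflectors

def lan_only_policy(src_ip: str) -> bool:
    """Mitigation modelled on the Plex fix: answer SSDP only if the source is on the local network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in LOCAL_NETS)

# Flow record as an edge firewall might log it (constructed, not a real log format).
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port nbytes")

def find_ssdp_reflection(flows: list) -> list:
    """Detection: UDP/1900 replies from a LAN host to a non-local destination mean it is reflecting."""
    return [f for f in flows
            if f.src_port == 1900 and lan_only_policy(f.src_ip) and not lan_only_policy(f.dst_ip)]

# Constructed sample flows: one legitimate LAN discovery, one reflected reply, one unrelated stream.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", 1900, "192.168.1.50", 54321, 480),    # normal discovery reply inside the LAN
    Flow("192.168.1.20", 1900, "198.51.100.7", 40000, 480),    # reply to a spoofed WAN source: reflection
    Flow("192.168.1.20", 44000, "198.51.100.9", 51000, 1500),  # ordinary streaming traffic, not SSDP
]

if __name__ == "__main__":
    print(f"amplification x{amplification_factor(M_SEARCH, SSDP_REPLY):.1f}")
    print("reflecting flows:", find_ssdp_reflection(SAMPLE_FLOWS))
```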
