Updated: Plex Media Servers Unwittingly Being Used In Amplified DDoS Attacks Warns Security Firm

plex tv hero
Plex is a widely popular platform that allows you to curate all your media on a home server and stream it either within your home or over the internet to other PCs, Macs, smartphones, or tablets. Over the years, Plex has grown to include features like Live TV, podcasts, and even retro gaming to broaden its appeal to everyday users.

However, the company's central user-facing Plex Media Server, which is accessed via a web interface on multiple platforms (including Windows and macOS), is reportedly being used to aid in distributed denial of service (DDoS) attacks according to a security bulletin from Netscout. Plex Media Server uses the G’Day Mate (GDM) network/service discovery protocol to initially find other compatible media/streaming devices on your local network.

If your router is Simple Service Discovery Protocol (SSDP) enabled, Plex Media Server will attempt to use Universal Plug and Play (UPnP) to enable dynamic NAT forwarding. This allows the Plex Media SSDDP service access to the internet so, for example, you could use your iPad Pro with cellular connectivity to access your home Plex Media Server to play your old Friends reruns while on the other side of the United States.

However, Plex's UPnP service gives direct access to the internet, which makes it a prime victim for a reflection/amplification DDoS attack vector using UDP port 32414. Plex Media Servers are used to amplify PMSSDP packets by a factor of roughly 4.68, with single-vector PMSSDP DDoS attacks delivering between 2 Gbps to 3 Gbps of traffic. With a multi-factor attack, traffic could elevate to 218 Gbps.

"PMSSDP has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population," writes Netscout. "It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services."

According to Netscout, upwards of 27,000 Plex Media Servers have been used for amplification DDoS attacks to-date. Netscout is recommending that customers disable SSDP and that network operators disable SSDP by default.

Updated 2/5/2021 at 2:23pm
We just received this statement from Plex regarding the security issue:

The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user's device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.