DDoS-for-hire services are abusing Plex Media Servers to amplify their attacks


Operators of DDoS-for-hire services have found a new method to amplify junk traffic sent to their victims during attacks. According to the network monitoring firm Netscout, cybercriminals are now taking advantage of Plex Media Server, a media library and streaming system that runs on a variety of platforms, including Windows, macOS, and Linux as well as on such hardware as NAS devices, RAID units, and digital media players.

Typically, Plex scans a local network using the G’Day Mate (GDM) network/service discovery protocol in order to find other compatible media devices and streaming clients. It also uses Simple Service Discovery Protocol (SSDP) probes to track down Universal Plug and Play (UPnP) gateways on broadband internet routers that have SSDP enabled. Upon finding a UPnP gateway, Plex attempts to use NAT-PMP to add dynamic NAT forwarding rules on the broadband internet access router, exposing its Plex Media SSDP (PMSSDP) service directly to the internet on UDP port 32414.

According to Netscout, this method doesn’t require the attackers to log into a Plex server; they only have to scan the internet for Plex Media Server instances with UDP port 32414 and/or UDP port 32410 enabled and then exploit them to send amplified traffic to targets. The firm said that each amplified response packet ranges from 52 to 281 bytes in size, for an average amplification factor of ~4.68:1.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the researchers said.

Netscout said it identified nearly 37,000 abusable PMSSDP reflectors/amplifiers. Furthermore, “more than 5,500 PMSSDP reflection/amplification DDoS attacks have been observed on the public Internet, leveraging approximately 15,000 distinct abusable PMSSDP reflectors/amplifiers.”

The security firm recommends that network operators scan for vulnerable PMSSDP reflectors/amplifiers on their own networks and on the networks of their customers. Operators should disable SSDP by default on their broadband internet access equipment and provide customers with guidance for disabling it on their end as well.

“Organizations with business-critical public-facing Internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally-specific network access policies which only permit Internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from Internet traffic to/from public-facing Internet properties and served via separate upstream Internet transit links,” Netscout said.
