DDoSers abuse the Plex Media Server to make assaults stronger


Getty Images

Distributed denial of service attackers have used a new vector to amplify the junk traffic they throw on targets to take them offline: end users or networks using the Plex Media Server.

DDoS enhancement is a technique that harnesses an intermediary's resources to increase the firepower of attacks. Instead of sending data directly to the target server, computers involved in an attack first send the data to a third party in the form of a request for a specific service. The third party then responds to the site with a much larger payload that the attackers want to remove.

So-called amplification attacks send requests from third-party providers that have been manipulated in such a way that they come from the target. When the third party responds, the responses go to the target, not the attacker device that sent the request. One of the most powerful amplifiers used in the past was the cached database caching system, which can be used to increase payload data by a factor of 51,000. Other amplifiers are misconfigured DNS servers and the Network Time Protocol, to name just three.

On Thursday, DDoS damage control service Netscout announced that DDoS-for-Hire services recently reached out to misconfigured Plex Media Servers to intensify their attacks. The Plex Media Server is software that allows users with other compatible devices to access the music, pictures, and videos that they have stored on a device. The software runs on Windows, MacOS and Linux.

In some cases, e.g. For example, if the server uses the Simple Service Discovery Protocol to find universal plug and play gateways on end users' broadband modems, the Plex service registration responder is exposed to the general Internet. The responses range from 52 bytes to 281 bytes and provide an average gain factor of around 5.


Netscout stated to have identified around 27,000 servers on the Internet that could be misused in this way. To differentiate itself from simple, straightforward vanilla DDoSes for the Simple Service Discovery Protocol, the company calls the new technology Plex Media SSDP or PMSSDP.

"The security impact of PMSSDP reflection / reinforcement attacks can be significant for broadband Internet access operators whose customers have accidentally exposed PMSSDP reflectors / amplifiers to the Internet," write Netscout researchers Roland Dobbins and Steinthor Bjarnason. "This can include a partial or complete interruption of the end customer's broadband Internet access as well as an additional interruption of the service due to the capacity consumption for access / distribution / aggregation / core / peering / transit connection."

In a statement, a Plex spokeswoman wrote:

The researchers who reported on this issue made no prior disclosure, but Plex is now aware of the issue and is actively working to address it. This problem appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device discovery ports from the public Internet to reach their servers. As we currently understand, an attacker is not allowed to compromise the device security or privacy of a Plex user. Plex is testing a simple patch that will add an extra layer of protection to servers that may have been accidentally exposed and will release it shortly.

The researchers said that extensive filtering of UDP data on port 32414 by network operators (not end users) has the potential to block legitimate traffic. Instead, the researchers said operators (again, not end users) should identify PMSSDP nodes on their network that could be misused as DDoS reflectors or amplifiers. The researchers also recommended ISPs to disable SSDP by default on the devices they make available to subscribers.

The forum section on contains these two threads which end users can read to best resolve the issue.

Updated post to add penultimate and final paragraph.


Steven Gregory