430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers abuse Plex Media servers for DDoS amplification attacks

Netscout experts warn of DDoS-for-hire services abusing Plex Media servers to bounce junk traffic and amplify DDoS attacks. Security researchers from Netscout discovered DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks. Plex Media Server is a personal media library and streaming system […]

DDoS Aisuru botnet

Netscout experts warn of DDoS-for-hire services abusing Plex Media servers to bounce junk traffic and amplify DDoS attacks.

Security researchers from Netscout discovered DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks.

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems. Plex Media Server is also used in network-attached storage (NAS) devices, external RAID storage units, digital media players, and so on.

Upon startup, systems running the Plex Media Server app is will start scanning the local network for other UPnP gateways on broadband internet access routers via the Simple Service Discovery Protocol (SSDP).

Upon finding a local router with SSDP support enabled, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service online through the UDP port 32414.

The servers exposed online could be abused to reflect/amplify DDoS attacks each response packet ranges from 52 bytes – 281 bytes in size, allowing the attacker to obtain an average amplification factor of ~4.68:1.

“In order to differentiate this particular reflection/amplification DDoS attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification. Approximately 27,000 abusable PMSSDP reflectors/amplifiers have been identified, to date.” reads the advisory published by Netscout.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps.”

In a real attack scenario, hackers only have to scan the internet for devices with the UDP port 32414 enabled.

Netscout researchers found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks. Experts pointed out that some of these servers have already been abused in attacks in the wild, unfortunately, this attack technique is becoming common, especially for DDoS-for-hire services.

“The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the internet. This may include partial or full interruption of end-customer broadband internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.” concludes the report.

“Wholesale filtering of all UDP/32414-sourced traffic by network operators may potentially overblock legitimate internet traffic.” 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Plex Media)

[adrotate banner=”5″]

[adrotate banner=”13″]