If you'd like to make your own “Netflix” or “Spotify” out of the many DVDs and CDs you have around, Plex is one of the best and most beautiful options you can choose. But, as security company Netscout revealed, your Plex Media Server may already be a resource in the next powerful DDOS attack.
A Distributed Denial of Service (DDOS) attack works by flooding a site or service with traffic. The overwhelming wave can bring down a service that is not prepared for it. One of the main reasons DDOS attacks are not more common than they already are is that bad actors need the resources to send all that traffic.
Amplification gets around that limit. When attackers send a request to a vulnerable server, the server answers with a response, and that response often contains more data than the original request. Hackers trick the vulnerable server into sending that response to their intended target – that is, they make it appear as if the request came from the site they want to disable. Thus, a small amount of traffic is amplified into a huge amount of traffic, making the DDOS attack more powerful.
According to Netscout, hackers have started using Plex Media Servers in this process. By default, when you set up a Plex Media Server, it uses the GDM (G’Day Mate) protocol to discover other devices on your network that are compatible with Plex.
If that scan finds that your router has Universal Plug and Play (UPNP) and Simple Service Discovery Protocol (SSDP) enabled, it automatically configures your router for remote access. That’s a convenience factor that allows you to watch your Plex content even when you’re away from home.
But unfortunately, that convenience also acts as a vulnerability – it makes Plex servers a predictable target for the DDOS attack. The hacker sends a small request (about 52 bytes) through the port created by Plex to your server. The server responds with a data packet of about 281 bytes, nearly five times the size of the original request.
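An added example, not from the article or Netscout: a defender-side check over flow summaries that flags a server being used as a reflector, using the request and response sizes quoted above. The record schema, thresholds, addresses and port number are assumptions made for illustration.

```python
from collections import defaultdict

def find_reflection(flows, min_ratio=3.0, min_requests=500):
    """Flag (service, claimed source) pairs whose UDP traffic looks like reflection.

    flows: dicts with src, dst, dport, req_pkts, req_bytes, resp_bytes,
    one per collection interval (a hypothetical flow-summary schema).
    """
    totals = defaultdict(lambda: [0, 0, 0])  # requests, request bytes, reply bytes
    for f in flows:
        t = totals[(f["dst"], f["dport"], f["src"])]
        t[0] += f["req_pkts"]
        t[1] += f["req_bytes"]
        t[2] += f["resp_bytes"]

    alerts = []
    for (dst, dport, src), (pkts, req_b, resp_b) in totals.items():
        # Ordinary discovery is a handful of requests; skip low volumes.
        if pkts < min_requests or req_b == 0:
            continue
        ratio = resp_b / req_b
        if ratio >= min_ratio:  # replies much larger than requests
            alerts.append({"service": (dst, dport), "claimed_source": src,
                           "requests": pkts, "ratio": round(ratio, 2)})
    return sorted(alerts, key=lambda a: a["requests"], reverse=True)

def flow(src, dport, pkts, req_size, resp_size, dst="192.168.1.10"):
    """Build one constructed sample record."""
    return {"src": src, "dst": dst, "dport": dport, "req_pkts": pkts,
            "req_bytes": pkts * req_size, "resp_bytes": pkts * resp_size}

PORT = 40000  # placeholder, not Plex's real port: use the UDP port you expose

# Constructed sample data (documentation address ranges).
SAMPLE_FLOWS = [
    flow("192.168.1.20", PORT, 3, 52, 281),        # LAN client, normal discovery
    flow("203.0.113.7", PORT, 4000, 52, 281),      # spoofed "requester", interval 1
    flow("203.0.113.7", PORT, 6000, 52, 281),      # same source, interval 2
    flow("198.51.100.9", 40001, 2000, 300, 320),   # busy, but no amplification
]

if __name__ == "__main__":
    for alert in find_reflection(SAMPLE_FLOWS):
        print(alert)
```

The address an alert reports as the claimed source is the party receiving the amplified replies, so it identifies the victim rather than the sender.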
According to Netscout, evidence shows that hackers have been exploiting the vulnerability since November. When the security company scanned the internet, it discovered more than 27,000 Plex Media Servers open to attack.
We’ve reached out to Plex for comment, but haven’t heard anything yet. On Plex’s forums, an employee responded to a thread suggesting changing the default port settings to mitigate the attack:
“We are aware of the reports and are investigating them further. We have not been notified of this in advance, so we do not have more information than the rest of you at this point. Changing ports can be a limitation, but it is certainly secured by ambiguity. We will update the forums when we know more.”
According to the employee, Netscout did not adequately disclose the information to Plex before the report was published. And changing your default port might mitigate the problem, but hackers can probably modify their attack to accommodate that action. Right now, the only viable solution is to disable SSDP on your router and remote play on your Plex server. But you will lose one of Plex’s best features in the process.
We’ll update this post when we hear from Plex about a permanent fix that retains remote play features.
Source: Netscout via ZDNet