NETSCOUT detects new vulnerability in Plex Media Server
February 2021 by NETSCOUT
NETSCOUT’s ASERT team is revealing it has identified a new vulnerability in Plex Media Server, the popular personal media library and streaming system. Plex offers free TV shows and films from distributors such as MGM and Warner Bros., and has recently made moves into the video games market, offering a retro games streaming subscription and partnering with Parsec.
Plex Media Server is a personal media library and streaming system which runs on modern Windows, macOS, and Linux operating systems, along with variants customised for special-purpose platforms such as network-attached storage (NAS) devices, external RAID storage units, digital media players, etc.
Upon startup, Plex probes the local network using the G’Day Mate (GDM) network/service discovery protocol to locate other compatible media devices and streaming clients. It also appears to make use of SSDP probes to locate UPnP gateways on broadband Internet access routers which have SSDP enabled; when a UPnP gateway is discovered via this methodology, Plex attempts to utilise NAT-PMP to instantiate dynamic NAT forwarding rules on the broadband Internet access router.
When successful, this has the effect of exposing a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks. To date, observed amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP/32414 on abusable broadband Internet access routers and directed towards the attack target(s); each amplified response packet is between 52 and 281 bytes in size, for an average amplification factor of 4.68:1.
In order to differentiate this particular reflection/amplification DDoS attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification. Approximately 27,000 abusable PMSSDP reflectors/amplifiers have been identified, to date.
Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from 2 Gbps – 3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponised and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population.
It should be noted that a single-vector PMSSDP reflection/amplification attack of 2 Gbps – 3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services. The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers.
The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose customers have inadvertently exposed PMSSDP reflectors/amplifiers to the Internet. This may include partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption. Wholesale filtering of all UDP/32414-sourced traffic by network operators may potentially overblock legitimate Internet traffic.
Collateral impact on abusable PMSSDP reflectors/amplifiers can prompt network operators and/or end-customers to disable SSDP on broadband Internet access routers, thereby preventing them from being utilised in PMSSDP reflection/amplification attacks. Prior to device remediation, quarantine of abusable end-customer nodes and/or filtering of traffic directed towards UDP/32414 on the abusable nodes only may also be implemented, where feasible.
Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers. It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.
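A defender-side check built from the traffic characteristics described above (responses sourced from UDP/32414, 52 to 281 bytes per packet, many reflectors converging on one target) together with the narrow per-node filtering recommended in the preceding paragraphs. This is an added example, not NETSCOUT's or ASERT's code; it assumes NetFlow-style flow records, and the detection thresholds and ACL-style output format are assumptions.

```python
from collections import defaultdict

PMSSDP_PORT = 32414           # UDP source port of the reflected SSDP HTTP/U responses
MIN_RESP, MAX_RESP = 52, 281  # observed size range of one amplified response packet (bytes)

# Constructed NetFlow-style records (not real capture data), one tuple per flow:
# (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
FLOWS = [
    ("udp", "198.51.100.10", 32414, "203.0.113.5", 443, 400, 100000),  # 250 B/pkt
    ("udp", "198.51.100.11", 32414, "203.0.113.5", 443, 300, 60000),   # 200 B/pkt
    ("udp", "198.51.100.12", 32414, "203.0.113.5", 80, 500, 140000),   # 280 B/pkt
    ("udp", "198.51.100.13", 32414, "203.0.113.5", 53, 350, 70000),    # 200 B/pkt
    ("udp", "198.51.100.20", 32414, "192.0.2.9", 32414, 3, 600),       # a few discovery packets
    ("tcp", "198.51.100.30", 443, "203.0.113.5", 51000, 20, 30000),    # unrelated TCP traffic
    ("udp", "198.51.100.40", 32414, "203.0.113.5", 443, 10, 9000),     # 900 B/pkt, out of range
]

def is_pmssdp_response(flow):
    """True if the flow looks like amplified PMSSDP responses: UDP sourced from
    port 32414 with an average packet size inside the observed 52-281 byte window."""
    proto, _, sport, _, _, pkts, nbytes = flow
    if proto != "udp" or sport != PMSSDP_PORT or pkts == 0:
        return False
    return MIN_RESP <= nbytes / pkts <= MAX_RESP

def find_reflection_targets(flows, min_reflectors=3, min_bytes=100_000):
    """Group PMSSDP-shaped flows by destination. Many distinct UDP/32414 sources
    converging on one destination with a large aggregate volume is the reflection
    signature; one source sending a handful of packets is ordinary discovery.
    The thresholds are assumptions and should be tuned per network."""
    per_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if is_pmssdp_response(f):
            per_target[f[3]]["reflectors"].add(f[1])
            per_target[f[3]]["bytes"] += f[6]
    return {
        dst: {"reflectors": sorted(v["reflectors"]), "bytes": v["bytes"]}
        for dst, v in per_target.items()
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes
    }

def per_node_filter_rules(findings):
    """Illustrative ACL-style lines (assumed syntax) blocking traffic *to* UDP/32414
    on the identified abusable nodes only, the narrow filter the advisory prefers
    over a wholesale block of all UDP/32414-sourced traffic, which risks overblocking."""
    nodes = sorted({r for v in findings.values() for r in v["reflectors"]})
    return [f"deny udp any host {node} eq {PMSSDP_PORT}" for node in nodes]
```

The flagged reflector list is the input to the quarantine or targeted filtering step; the identified reflectors themselves are the devices whose SSDP/NAT-PMP exposure needs remediation.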
All relevant network infrastructure, architectural and operational Best Current Practices (BCPs) should be implemented by network operators.
Organisations with business-critical public-facing Internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies which only permit Internet traffic via required IP protocols and ports. Internet access network traffic from internal organisational personnel should be deconflated from Internet traffic to/from public-facing Internet properties and served via separate upstream Internet transit links.
DDoS defences for all public-facing Internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organisation’s servers/services/applications are incorporated into its DDoS defence plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organisations operating mission-critical public-facing Internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organisation’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regards to optimal countermeasure selection and employment.