If you like the idea of building your own “Netflix” or “Spotify” from the many DVDs and CDs you have lying around, Plex is one of the best and best-looking options you can choose. But, as security firm Netscout revealed, your Plex Media Server may already be a tool in the next large DDoS attack.
Update: Shortly after publication, Plex spokesperson Carm Lyman gave this statement:
The researchers who reported on this issue did not provide any prior disclosure, but Plex is now aware of the problem and is actively working on addressing it. This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user’s device security or privacy. Plex is testing a simple patch that adds an extra layer of protection for those servers that may have been accidentally exposed and will release it shortly.
We’ll update this article as soon as the patch is available.
Second update: the patch is now available. Plex included the following note about the fix:
“(Security) Mitigate against potential DDoS amplification by only responding to UDP requests from LAN.”
A Distributed Denial of Service (DDoS) attack works by flooding a site or service with traffic. The overwhelming surge can knock a service that isn’t prepared for that volume offline. One of the main reasons DDoS attacks aren’t even more common than they already are is that attackers need the bandwidth to generate all that traffic themselves.
That’s where Plex Media Servers come in. Attackers are using exposed Plex Media Servers to amplify what would otherwise be a weak DDoS attack into a powerful one. The idea isn’t new: instead of aiming the limited traffic they can generate on their own directly at the final target, they aim it at third-party servers that will answer on their behalf.
When they send a request to such a server, it responds with an answer, and that answer is often much larger than the request that triggered it. The attacker then tricks the server into sending the answer to the intended target by forging the source IP address of the request, which UDP does nothing to verify, so the request appears to come from the site the attacker wants to take down. A small stream of requests is thus amplified into a much larger flood of responses, making the DDoS attack more powerful.
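What this looks like from the reflector’s own network, as an added example that is not code from the article, Netscout or Plex: a detector run over constructed NetFlow-style records from a home router. A reflector in use shows one remote “source” (really the spoofed victim) sending many small UDP requests to a local service port and receiving much larger replies. The sample records use the Plex figures Netscout reported and quoted later in this article (52-byte requests, 281-byte replies) on UDP 32414, Plex’s GDM server-discovery port, which the article does not name; the addresses and counts are made up, and byte counts are UDP payload sizes rather than the header-inclusive totals a real exporter would report.

```python
"""Spot UDP reflection in flow records from the reflector's own network.

Added example; not code from the article, Netscout or Plex.  The flow
records below are constructed (NetFlow-style, one direction per record)
and their byte counts are UDP payload sizes.  A reflector in use shows
one remote "source" (really the spoofed victim) sending many small
requests to a local UDP service port and receiving much larger replies.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: discovery traffic from these peers is normal and ignored.
LAN = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
       ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LAN)


def find_reflection(flows, local_ip, min_requests=20, min_ratio=2.0):
    """Return {(local_udp_port, remote_ip): (requests, bytes_in, bytes_out, ratio)}
    for internet hosts that sent at least min_requests UDP datagrams to
    local_ip and got back at least min_ratio times as many bytes as they
    sent.  Both thresholds matter: a single scanner probe is normal, a
    flood of them answered with larger replies is a reflection in progress."""
    pkts_in, bytes_in, bytes_out = (defaultdict(int) for _ in range(3))
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == local_ip and not is_lan(f.src):     # request sent to us
            pkts_in[(f.dport, f.src)] += f.packets
            bytes_in[(f.dport, f.src)] += f.nbytes
        elif f.src == local_ip and not is_lan(f.dst):   # our reply going out
            bytes_out[(f.sport, f.dst)] += f.nbytes
    hits = {}
    for key, n in pkts_in.items():
        if n < min_requests or bytes_in[key] == 0:
            continue
        ratio = bytes_out[key] / bytes_in[key]
        if ratio >= min_ratio:
            hits[key] = (n, bytes_in[key], bytes_out[key], round(ratio, 2))
    return hits


# Constructed sample: a Plex server at 192.168.1.20 whose GDM discovery
# port (UDP 32414) is reachable from the internet.  Sizes use the 52-byte
# request / 281-byte reply Netscout reported for Plex.
SAMPLE_FLOWS = [
    # Normal LAN discovery by a local Plex client: ignored (RFC 1918 peer).
    Flow("192.168.1.50", 49152, "192.168.1.20", 32414, "udp", 3, 156),
    Flow("192.168.1.20", 32414, "192.168.1.50", 49152, "udp", 3, 843),
    # One internet scanner probe: a single request is not an attack.
    Flow("203.0.113.9", 40000, "192.168.1.20", 32414, "udp", 1, 52),
    Flow("192.168.1.20", 32414, "203.0.113.9", 40000, "udp", 1, 281),
    # 500 requests "from" 198.51.100.7:53, the victim's address and port
    # forged by the attacker, and 500 larger replies sent to the victim.
    Flow("198.51.100.7", 53, "192.168.1.20", 32414, "udp", 500, 26000),
    Flow("192.168.1.20", 32414, "198.51.100.7", 53, "udp", 500, 140500),
    # A legitimate remote streaming session over TCP: not considered.
    Flow("203.0.113.44", 51000, "192.168.1.20", 32400, "tcp", 1200, 70000),
    Flow("192.168.1.20", 32400, "203.0.113.44", 51000, "tcp", 9000, 12000000),
]

if __name__ == "__main__":
    for (port, victim), (n, b_in, b_out, ratio) in find_reflection(
            SAMPLE_FLOWS, "192.168.1.20").items():
        print(f"udp/{port}: {n} requests from {victim}, {b_in}B in -> "
              f"{b_out}B out ({ratio}x): likely reflection toward {victim}")
```

The victim shows up as the *source* of the inbound requests, because the attacker wrote the victim’s address into them; the one-off scanner probe has the same 5.4x ratio but is filtered out by the request-count threshold, so tune `min_requests` to your exporter’s sampling rate.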
According to Netscout, attackers have now roped Plex Media Servers into this process. By default, when you set up a Plex Media Server, it uses the GDM (“G’Day Mate”) protocol to discover Plex-compatible devices on your network.
During that scan, if it finds that your router supports UPnP (Universal Plug and Play) and SSDP (Simple Service Discovery Protocol, the discovery part of UPnP), it will automatically configure the router to forward traffic for remote access. That’s a convenience that lets you watch your Plex content even when you’re away from home.
Unfortunately, that convenience doubles as a liability: it makes Plex servers a predictable reflector for DDoS attacks. The attacker sends a small request (about 52 bytes) over the forwarded port to your server, and the server answers with a packet of around 281 bytes, roughly five times the size of the request.
Netscout says it found evidence that attackers have been exploiting this since November. When the firm scanned the internet, it found over 27,000 Plex Media Servers reachable in this way and usable as reflectors.
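To check whether your own server answers discovery requests from outside, here is an added probe that is not the article’s, Netscout’s or Plex’s code. It sends the GDM discovery request Plex clients send and reports the bytes that come back; any reply at all from your public IP means the port is reachable from the internet and the host can be used as a reflector. Assumptions: UDP 32414 is Plex’s GDM server-discovery port (the article does not name the port); the local mock responder’s reply is modeled on the GDM reply format with made-up field values, not captured from a real server; and the tool counts UDP payload only, so its ratio will not match the article’s packet-level 52/281 figure exactly.

```python
"""Measure the GDM (Plex discovery) reflection factor of a host.

Added example; not code from the article, Netscout or Plex.  probe_gdm()
sends the GDM discovery request Plex clients send and reports how many
bytes come back.  A mock responder is included so the exchange can be
exercised offline; its reply fields are constructed, not a capture.
"""
import socket
import threading

GDM_PORT = 32414                               # Plex GDM server-discovery port (UDP)
GDM_REQUEST = b"M-SEARCH * HTTP/1.1\r\n\r\n"   # discovery probe sent by Plex clients

# Constructed stand-in for a server's GDM reply (field names follow the
# GDM reply format; the values are made up for this example).
MOCK_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: plex/media-server\r\n"
    b"Name: living-room-pms\r\n"
    b"Port: 32400\r\n"
    b"Resource-Identifier: 0123456789abcdef0123456789abcdef01234567\r\n"
    b"Updated-At: 1612800000\r\n"
    b"Version: 1.21.3.4021-5a0a3e4b2\r\n"
    b"\r\n"
)


def probe_gdm(host, port=GDM_PORT, timeout=2.0):
    """Send one GDM request; return (request_bytes, response_bytes, reply).
    response_bytes is 0 when nothing answers within the timeout (or the
    kernel reports the port closed), i.e. the host is not a reflector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(GDM_REQUEST, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except OSError:            # timeout, or ICMP port-unreachable on loopback
            return len(GDM_REQUEST), 0, b""
    return len(GDM_REQUEST), len(data), data


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; 0.0 means no reply at all."""
    return response_bytes / request_bytes if request_bytes else 0.0


def start_mock_server(reply=MOCK_REPLY):
    """Bind a UDP responder on 127.0.0.1 that answers one GDM request.
    Returns (port, thread).  Like a real reflector it answers whatever
    source address the request carries, which is exactly the problem."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        with srv:
            data, peer = srv.recvfrom(65535)
            if data.startswith(b"M-SEARCH"):
                srv.sendto(reply, peer)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python gdm_probe.py <your public IP>
        target, port = sys.argv[1], GDM_PORT
    else:                                      # offline demo against the mock
        port, _ = start_mock_server()
        target = "127.0.0.1"
    req, resp, _ = probe_gdm(target, port)
    print(f"{target}:{port} request={req}B response={resp}B "
          f"amplification={amplification_factor(req, resp):.2f}x")
```

Run it against your server’s public address from a host outside your network (a phone hotspot will do) and only against hosts you own. A 0-byte response means the discovery port is filtered; a reply means the UPnP mapping or firewall rule is letting internet hosts reach it and should be removed.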
We contacted Plex for comment but haven’t heard back yet. Over at Plex’s forums, an employee did respond to a thread suggesting changing default port settings to mitigate the attack:
We are aware of the reports and are investigating it more closely. We were not made aware of this in advance, so we don’t have more information than the rest of you right now. Changing ports might be a mitigation – but it’s certainly security by obscurity. We will update the forums when we know more.
According to the employee, Netscout didn’t give Plex advance notice before publishing the report. Changing your default port might blunt the attack for a while, but attackers can simply rescan for the new port. Until Plex’s patch is applied, the fix within your own reach is to disable SSDP/UPnP on your router and remote play on your Plex server, at the cost of one of Plex’s best features. Plex’s statement above narrows the exposure to firewalls that pass UDP traffic on the device-discovery ports in from the public internet, so blocking inbound UDP to those ports at the firewall addresses the reflection without touching the TCP port (32400) that remote streaming uses.
We’ll update this post if we hear back from Plex about a permanent fix that maintains remote play features.