ASERT Threat Summary
Date/Time: February 7, 2020 2200UTC
Distribution: TLP: WHITE
Contributors: Ben Crowther, Ion Schiopu, Jon Belanger, Chris Conrad, Andrew Bartholomew.
Changes for Version 1.2 (February 7, 2020):
- Added information concerning new Plex Media Server (PMS) update which prevents PMS from being abused to launch reflection/amplification DDoS attacks
- Added link to Baidu Labs Chinese-language initial disclosure post.
Changes for Version 1.1 (February 6, 2020):
- Credited Baidu Labs with initial public disclosure
- Included Plex guidance on circumstances which could facilitate the potential abuse of Plex Media Server instances in reflection/amplification DDoS attacks, along with guidance on remediation
- Added observed use of source UDP port 32410 in PMSSDP reflection/amplification attacks
- Updated number of abusable PMSSDP reflectors/amplifiers
- Cited observed number of PMSSDP attacks observed to date, along with number of PMSSDP reflectors/amplifiers leveraged.
Plex Media Server is a personal media library and streaming system which runs on modern Windows, macOS, and Linux operating systems, along with variants customized for special-purpose platforms such as network-attached storage (NAS) devices, external RAID storage units, digital media players, etc.
Upon startup, Plex probes the local network using the G’Day Mate (GDM) network/service discovery protocol to locate other compatible media devices and streaming clients. It also appears to make use of SSDP probes to locate UPnP gateways on broadband Internet access routers which have SSDP enabled; when a UPnP gateway is discovered via this methodology, Plex attempts to utilize NAT-PMP to instantiate dynamic NAT forwarding rules on the broadband Internet access router.
On January 7, 2021 Baidu Labs, in a Chinese-language weblog post, described a UDP reflection/amplification DDoS attack vector leveraging Plex Media Server instances running versions of the Plex software prior to 1.21. In early February 2021, NETSCOUT Arbor was notified that reflection/amplification DDoS attacks which appeared to leverage abusable Plex Media Server instances were actively taking place on the public Internet.
According to an announcement published on Plex’s Web site on February 5, 2020, Plex Media Server instances which have either been deployed on a public-facing network DMZ or in an Internet Data Center (IDC), or with manually configured port-forwarding rules which forward specific UDP ports from the public Internet to devices running Plex Media Server, can potentially be abused in DDoS attacks.
These actions can have the effect of exposing a Plex UPnP-enabled service registration responder to the general Internet, where it can be abused to generate reflection/amplification DDoS attacks. In order to differentiate this particular attack vector from generic SSDP reflection/amplification, it has been designated as Plex Media SSDP (PMSSDP) reflection/amplification. To date, approximately 37,000 abusable PMSSDP reflectors/amplifiers have been identified on the public Internet.
Amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP port 32414 and/or UDP port 32410 on abusable Plex Media Server instances and directed towards the attack target(s); each amplified response packet ranges from 52 bytes – 281 bytes in size, for an average amplification factor of ~4.68:1.
Observed single-vector PMSSDP reflection/amplification DDoS attacks range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.
To date, more than 5,500 PMSSDP reflection/amplification DDoS attacks have been observed on the public Internet, leveraging approximately 15,000 distinct abusable PMSSDP reflectors/amplifiers.
It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services. The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers.
The collateral impact of PMSSDP reflection/amplification attacks is potentially significant for broadband Internet access operators whose end-customers have inadvertently exposed PMSSDP reflectors/amplifiers to the public Internet. This may include partial or full interruption of end-customer broadband Internet access, as well as additional service disruption due to access/distribution/aggregation/core/peering/transit link capacity consumption.
Wholesale filtering of all UDP port 32414- and/or UDP port 32410-sourced traffic by network operators may potentially overblock legitimate Internet traffic.
On February 7, 2020, Plex posted a hotfix update to Plex Media Server which prevents its abuse for the purpose of launching reflection/amplification DDoS attacks across the public Internet, as well as a new version of PMS which incorporates this remediation.
Collateral impact to abusable PMSSDP reflectors/amplifiers can alert network operators and/or end-customers to remove Plex Media Server instances from DMZ networks or IDCs, or to disable relevant UDP port-forwarding rules which forward specific UDP ports from the public Internet to devices running Plex Media Server, thereby preventing them from being abused in PMSSDP reflection/amplification attacks.
Prior to device remediation, quarantine of abusable end-customer nodes and/or filtering of traffic directed towards UDP port 32414 and/or UDP port 32410 on the abusable nodes only may also be implemented, where feasible.
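The traffic characteristics described above (UDP responses sourced from port 32414 or 32410, 52 – 281 bytes per packet, many distinct reflectors converging on one target) and the interim measures of this section (filter only traffic towards those ports on the identified abusable nodes, rather than all 32414/32410-sourced traffic) can be turned into a simple triage routine. The following is an added example written for this summary; it is not NETSCOUT or Plex code. The flow records, the reflector-count threshold of 3 and the generic (ip, port) rule representation are constructed assumptions for illustration; a real deployment would read exporter flow data and emit rules in the platform's own ACL syntax.

```python
"""Triage constructed flow records for PMSSDP reflection/amplification traffic
and build filters scoped to the identified abusable nodes only."""
from collections import defaultdict

PMSSDP_PORTS = {32414, 32410}   # source ports of amplified PMSSDP responses (from the summary)
MIN_RESP, MAX_RESP = 52, 281    # observed size range of an amplified response packet, in bytes
MIN_REFLECTORS = 3              # illustrative threshold (assumption), not a published value

# Constructed sample flow records, not captured data.
# Fields: src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
# 198.51.100.0/24 plays the operator's customer space, 203.0.113.5 the attack target.
SAMPLE_FLOWS = """\
198.51.100.10,32414,203.0.113.5,80,udp,1000,140000
198.51.100.11,32414,203.0.113.5,80,udp,800,176000
198.51.100.12,32410,203.0.113.5,80,udp,1200,96000
198.51.100.13,32414,203.0.113.5,80,udp,500,70000
203.0.113.5,41000,198.51.100.10,32414,udp,1000,30000
192.0.2.44,32414,203.0.113.77,53,udp,3,900
192.0.2.45,32414,198.51.100.200,443,udp,40,44000
192.0.2.46,32414,198.51.100.201,3478,tcp,40,24000
"""


def parse_flows(text):
    """Parse the CSV-style records into dicts with numeric fields."""
    flows = []
    for line in text.strip().splitlines():
        s_ip, s_port, d_ip, d_port, proto, pkts, byts = line.split(",")
        flows.append({"src_ip": s_ip, "src_port": int(s_port), "dst_ip": d_ip,
                      "dst_port": int(d_port), "proto": proto.lower(),
                      "packets": int(pkts), "bytes": int(byts)})
    return flows


def looks_like_pmssdp_response(flow):
    """UDP, sourced from a PMSSDP port, and an average packet size inside the
    observed 52 - 281 byte response range."""
    if flow["proto"] != "udp" or flow["src_port"] not in PMSSDP_PORTS or flow["packets"] == 0:
        return False
    return MIN_RESP <= flow["bytes"] / flow["packets"] <= MAX_RESP


def find_targets(flows, min_reflectors=MIN_REFLECTORS):
    """Group candidate response flows by destination. A destination receiving
    them from at least min_reflectors distinct sources is a likely target; the
    sources are the abusable reflectors/amplifiers."""
    by_target = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if looks_like_pmssdp_response(f):
            t = by_target[f["dst_ip"]]
            t["reflectors"].add(f["src_ip"])
            t["bytes"] += f["bytes"]
            t["packets"] += f["packets"]
    return {ip: {"reflectors": sorted(v["reflectors"]), "bytes": v["bytes"],
                 "packets": v["packets"]}
            for ip, v in by_target.items() if len(v["reflectors"]) >= min_reflectors}


def scoped_filter_rules(reflector_ips):
    """Interim measure from the summary: drop traffic directed *towards* UDP
    32414/32410 on the identified nodes only. Rules are generic (dst_ip, dst_port)
    tuples; translate them into the platform's ACL syntax as needed."""
    return {(ip, port) for ip in reflector_ips for port in PMSSDP_PORTS}


def matches_scoped_filter(flow, rules):
    return flow["proto"] == "udp" and (flow["dst_ip"], flow["dst_port"]) in rules


def matches_wholesale_filter(flow):
    """The overbroad alternative the summary warns about: every UDP flow whose
    source port happens to be 32414 or 32410, whatever it carries."""
    return flow["proto"] == "udp" and flow["src_port"] in PMSSDP_PORTS


def overblocked_by_wholesale(flows, rules):
    """Flows the wholesale filter would drop that are neither PMSSDP-like
    responses nor caught by the scoped rules, i.e. collateral damage."""
    return [f for f in flows
            if matches_wholesale_filter(f)
            and not looks_like_pmssdp_response(f)
            and not matches_scoped_filter(f, rules)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    targets = find_targets(flows)
    for target, info in targets.items():
        print(f"target {target}: {len(info['reflectors'])} reflectors, "
              f"{info['packets']} pkts, {info['bytes']} bytes")
        rules = scoped_filter_rules(info["reflectors"])
        print("scoped rules:", sorted(rules))
        print("legitimate flows a wholesale source-port filter would also drop:",
              [(f["src_ip"], f["dst_ip"], f["dst_port"]) for f in overblocked_by_wholesale(flows, rules)])
```

Running it on the constructed records identifies 203.0.113.5 as the target with four reflectors in customer space, emits eight scoped rules (two ports per node), and shows two unrelated UDP flows that a wholesale filter on source port 32414 would have dropped along with the attack traffic.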
It is strongly recommended that operators of Plex Media Server instances implement the Plex-supplied hotfix as soon as is practicable, taking into account situationally appropriate best current practices (BCPs) with regards to pre-upgrade backups, testing and validation of new software updates and versions, etc.
Network operators should perform reconnaissance to identify and quarantine or remediate abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers. It is strongly recommended that SSDP be disabled by default on operator-supplied broadband Internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers.
All relevant network infrastructure, architectural and operational Best Current Practices (BCPs) should be implemented by network operators.
Organizations with business-critical public-facing Internet properties should ensure that all relevant network infrastructure, architectural and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies which only permit Internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from Internet traffic to/from public-facing Internet properties and served via separate upstream Internet transit links.
DDoS defenses for all public-facing Internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.
It is imperative that organizations operating mission-critical public-facing Internet properties and/or infrastructure ensure that all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack, and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.
Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regards to optimal countermeasure selection and employment.
Applicable NETSCOUT Arbor Solutions: Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud
DDoS attack basic definitions can be found here.
ASERT Threat Summary: Plex Media SSDP (PMSSDP) Reflection/Amplification DDoS Attack Mitigation Recommendations – February 2021 – v1.2