Security Experts:

Connect with us

Hi, what are you looking for?



Plex Media Server Abused for DDoS Attacks

Malicious actors have been abusing Plex Media Server to amplify distributed denial-of-service (DDoS) attacks, according to application and network performance management company Netscout.

Malicious actors have been abusing Plex Media Server to amplify distributed denial-of-service (DDoS) attacks, according to application and network performance management company Netscout.

A popular personal media library and streaming solution, Plex Media Server can be used on Windows, macOS, and Linux systems, to stream content, including that from network-attached storage (NAS) devices, RAID storage, and the like.

Plex typically searches the local network for compatible media devices and streaming clients. The issue, NETSCOUT researchers explain, appears when, at launch, the application locates UPnP gateways on broadband Internet access routers with the Simple Service Discovery Protocol (SSDP) enabled.

Once it has identified an UPnP gateway, Plex attempts to set dynamic NAT forwarding rules on the router, which results in a Plex UPnP-enabled service registration responder becoming exposed to the Internet, thus enabling DDoS reflection and amplification.

To differentiate it from the typical SSDP reflection/amplification method, the new abuse technique has been called Plex Media SSDP (PMSSDP). More than 27,000 abusable PMSSDP reflectors/amplifiers were identified.

The amplified PMSSDP DDoS attack traffic that has been observed so far consists of SSDP HTTP/U responses on UDP port 32414. With the amplified response packet in the 52–281 bytes range, the average amplification factor is of approximately 4.68:1, the researchers explain.

“Observed single-vector PMSSDP reflection/amplification DDoS attacks to date range in size from ~2 Gbps – ~3 Gbps; multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps,” Netscout notes.

The researchers also warn that DDoS-for-hire services have added PMSSDP to their arsenal and say that both single- and multi-vector reflection/amplification attacks that abuse PMSSDP have increased in incidence since November of 2020.

The abuse of PMSSDP for DDoS reflection or amplification can also impact broadband Internet providers and their customers. Disabling SSDP on broadband Internet access routers should prevent abuse.

“Network operators should perform reconnaissance to identify abusable PMSSDP reflectors/amplifiers on their networks and/or the networks of their customers. It is strongly recommended that SSDP be disabled by default on operator-supplied broadband internet access CPE, and that guidance on disabling SSDP on common CPE makes/models be supplied to end-customers,” NETSCOUT says.

NETSCOUT did not warn Plex of the issue prior to public disclosure, but the company is now preparing a simple patch to increase the protection of accidentally exposed servers, a Plex spokesperson told SecurityWeek via email.

“This issue appears to be limited to a small number of media server owners who have misconfigured their firewalls by allowing UDP traffic on device-discovery ports from the public internet to reach their servers, and our current understanding is that it does not allow an attacker to compromise any Plex user’s device security or privacy,” the spokesperson added.

*Updated with comment from Plex

Related: NXNSAttack: New DNS Vulnerability Allows Big DDoS Attacks

Related: SSDP Diffraction Abused for DDoS Amplification

Related: Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.