Attackers have found a way to use poorly secured Plex servers to amplify DDoS attacks. Plex is aware of the problem and is looking into possible solutions.

The attackers use the Plex servers for what is known as DDoS amplification. Instead of bombarding the target directly with DDoS traffic, the attackers send part of the traffic to poorly secured Plex servers with a forged source address, so that the Plex servers believe a different server, the target, is making the request. Each Plex server then sends its reply to the address the request appears to come from, which is the target rather than the attacker. Because the replies are larger than the requests, the target is hit harder than it would be by a direct attack.

By itself, the amount of data a Plex server returns is not large: between 52 and 281 bytes. That is, however, roughly five times the size of the packet sent to the Plex server. Combined with the 27,000 poorly secured Plex servers that DDoS protection company Netscout has found, this makes an effective way to strengthen a DDoS attack.

Plex working on a patch

Plex is aware of the problem. The company told Ars Technica that it had not been informed of the problem beforehand, but that it is now actively working on a solution. The company mainly points the finger at users who have not configured their firewalls properly, and Plex does not believe the problem poses any privacy risk for end users. The company promises to release a patch soon that should provide additional protection.

Port 32414

The firewall problem Plex refers to is an open UDP port 32414. Plex uses this port for its protocol for automatically discovering Plex devices on a network. For a Plex server to work over the Internet, however, only TCP port 32400 needs to be opened. Users are advised to check their router settings to see whether port 32414 is open and, if so, to close it. Disabling UPnP is also advised.
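The amplification mechanism described above and the port check recommended here can be turned into a simple defensive check on traffic records. The following Python script is an added example, not code from the article or from Plex or Netscout: it reads flow records captured on the LAN side of a home router, finds public Internet addresses that the Plex server has answered on UDP port 32414, and reports the byte ratio of replies to requests for each of them. The flow format, the sample records, the packet sizes (56-byte probes, 281-byte replies, giving roughly the factor of 5 the article mentions) and the addresses are all constructed for illustration; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts, and only RFC 1918 and loopback addresses are treated as the local network. Any reply to a non-local peer on UDP 32414 means the discovery port is reachable from the Internet and the server can be used as a reflector, which is exactly the condition the article says users should close off.

```python
"""Detect an Internet-exposed Plex discovery port (UDP 32414) from flow records.

Added example; the record format and all sample data are constructed.
"""
import ipaddress
from collections import defaultdict

PLEX_DISCOVERY_PORT = 32414   # UDP, LAN discovery only; should not be reachable from the Internet
PLEX_REMOTE_PORT = 32400      # TCP, the only port Plex needs open for remote access

# Constructed sample flows, format: "proto src:sport -> dst:dport bytes".
# 192.168.1.20 is the Plex server; 192.168.1.42 is another LAN device;
# 203.0.113.7 and 198.51.100.9 are documentation addresses standing in for Internet hosts.
SAMPLE_FLOWS = """\
udp 192.168.1.42:41000 -> 192.168.1.20:32414 56
udp 192.168.1.20:32414 -> 192.168.1.42:41000 281
udp 203.0.113.7:32414 -> 192.168.1.20:32414 56
udp 192.168.1.20:32414 -> 203.0.113.7:32414 281
udp 203.0.113.7:32414 -> 192.168.1.20:32414 56
udp 192.168.1.20:32414 -> 203.0.113.7:32414 281
tcp 198.51.100.9:50000 -> 192.168.1.20:32400 120
tcp 192.168.1.20:32400 -> 198.51.100.9:50000 900
"""

# Only RFC 1918 and loopback ranges count as "local"; everything else is treated as Internet.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_lan(ip):
    """True if the address belongs to one of the local network ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_flow(line):
    """Parse one flow record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    proto, src, _, dst, size = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"proto": proto.lower(), "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(size)}
    except ValueError:
        return None


def analyze_flows(text, server_ip):
    """Report non-local peers that the Plex server answered on UDP 32414.

    Returns {"exposed": bool, "public_peers": {ip: {requests, in_bytes, out_bytes, amplification}}}.
    A peer that only probed but never received a reply is not reported: the port was filtered.
    TCP 32400 traffic is ignored because that port is expected to be open for remote access.
    """
    peers = defaultdict(lambda: {"requests": 0, "in_bytes": 0, "out_bytes": 0})
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dst_ip"] == server_ip and f["dst_port"] == PLEX_DISCOVERY_PORT:
            peer, direction = f["src_ip"], "in"
        elif f["src_ip"] == server_ip and f["src_port"] == PLEX_DISCOVERY_PORT:
            peer, direction = f["dst_ip"], "out"
        else:
            continue
        if is_lan(peer):
            continue  # discovery within the LAN is the intended use
        entry = peers[peer]
        if direction == "in":
            entry["requests"] += 1
            entry["in_bytes"] += f["bytes"]
        else:
            entry["out_bytes"] += f["bytes"]

    report = {}
    for peer, e in peers.items():
        if e["out_bytes"] == 0:
            continue  # probed, not answered: nothing was reflected
        # Reply bytes per request byte: the amplification an attacker would get from this server.
        e["amplification"] = e["out_bytes"] / e["in_bytes"] if e["in_bytes"] else float("inf")
        report[peer] = e
    return {"exposed": bool(report), "public_peers": report}


if __name__ == "__main__":
    result = analyze_flows(SAMPLE_FLOWS, "192.168.1.20")
    print("UDP 32414 reachable from the Internet:", result["exposed"])
    for peer, e in result["public_peers"].items():
        print(f"  {peer}: {e['requests']} probes, {e['in_bytes']} B in, "
              f"{e['out_bytes']} B out, amplification {e['amplification']:.1f}x")
```

A non-empty `public_peers` result is the signal to act on: close UDP 32414 on the router (and disable UPnP so it is not reopened automatically), leaving only TCP 32400 forwarded. The same logic works on real NetFlow or firewall logs once `parse_flow` is adapted to their format.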

Private Netflix

Plex is a service that lets users easily stream their own library of movies, series and music over the network to other devices. It can run on computers, but also on most NAS systems. The Plex app is available for most TV platforms, allowing the service to act as a kind of private Netflix.

Remote Desktop

Plex is not the only DDoS amplifier Netscout has stumbled upon recently. In January, the DDoS protection company announced that the Microsoft Remote Desktop Protocol could also be used to amplify DDoS attacks. Here too, the advice is to close vulnerable ports on the router.

