to whom it may concern:
Netscout (Arbor) has just published a blog post in which they show / explain / claim how SSDP on the WAN port of a Plex Media Server that uses UPnP/NAT-PMP to expose its port to the internet can be used to reflect+amplify a DDoS attack.
(the attacker sending a forged packet to your plex server, the resulting answer will be sent to the (forged) source IP > the target of the attack)
suggested action: Filter incoming SSDP packets / do not use UPnP/NAT-PMP to expose Plex to the internet. (most home routers do)
We are aware of the reports and are investigating it closer. We were not made aware of this in advance so we don't have more information than the rest of you right now. Changing ports might be a mitigation - but it's certainly security by obscurity. We will update the forums when we know more.
So what does anyone recommend or suggest gets checked to prevent a server from being exposed like this? The power of a server is sharing with family, not like everyone should just air gap the servers and never let family members at home use the service!
The main point is to use a manually created port forwarding.
Changing the public port number away from the default 32400 is something I'd do in any case. But it doesn't have directly to do with the above DDoS technique.
If you use Plex server on an exposed host
(i.e. you added the plex server device into the "demilitarized zone (DMZ)" in your router configuration)
or you run it on a machine with a public IP address (i.e. put a Plex server machine into a data center or onto a VPS),
you must close all external port numbers in your firewall configuration,
except the one which is defined as the external port number for Plex (see the above screenshots).
And only let "TCP" traffic through.
Drop any "UDP" traffic to Plex server.
If you don't know what the above means: don't operate a server on a publicly connected machine before you get help from a network expert to configure the firewall.
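As an added example (not from this thread or from Plex), the advice above for a Linux host in a DMZ or on a VPS, written as an nftables ruleset: only TCP to the Plex external port is accepted, all inbound UDP (SSDP, GDM and anything else) is dropped and counted, and everything else is denied by the chain policy. The port, interface name and optional management port are assumed placeholders passed as arguments.

```shell
#!/bin/sh
# Constructed example: generate (and optionally apply) an nftables ruleset
# for a publicly reachable Plex host. Assumptions: $1 is the external Plex
# port (placeholder 32400), $2 the public interface (placeholder eth0),
# $3 an optional TCP management port (e.g. SSH) so you do not lock yourself out.

plex_port_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

plex_nft_ruleset() {
    port="${1:-32400}"
    iface="${2:-eth0}"
    mgmt="${3:-}"
    plex_port_is_valid "$port" || { echo "bad port: $port" >&2; return 1; }
    mgmt_rule=""
    if [ -n "$mgmt" ]; then
        plex_port_is_valid "$mgmt" || { echo "bad mgmt port: $mgmt" >&2; return 1; }
        mgmt_rule="        iifname \"$iface\" tcp dport $mgmt ct state new accept"
    fi
    cat <<EOF
table inet plex_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # drop every inbound UDP datagram; the counter shows reflection attempts
        iifname "$iface" meta l4proto udp counter drop
        iifname "$iface" tcp dport $port ct state new accept
$mgmt_rule
    }
}
EOF
}

# Apply with: sh this_script.sh apply 32400 eth0 22   (needs root and nft)
if [ "$1" = "apply" ]; then
    shift
    plex_nft_ruleset "$@" | nft -f -
fi
```

Review the generated text with `plex_nft_ruleset 32400 eth0 22` before applying it, and keep an out-of-band console available in case the management rule is wrong.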
Difficult to disclose what was - until moments ago - a total mystery… I suppose.
Having zero confidence in Plex is what was behind my forwarding of a "Non-Standard" public port those many years ago in a move that, to me - a network idiot - seemed like the right thing to do.
Security by Obscurity? Sure, why not? I was forwarding a port anyway. Might as well forward a different one than every bad guy on Earth knew about, was network idiot logic <- the logic I have.
It is one of the ports which is used by Plex server and Plex clients to find Plex servers and other clients in the local network. Internally called "GDM" from "good day, mate!"
It is only supposed to be open on a private network, never on the internet.
It doesn't need a datacenter.
Too often I read in these forums that people are putting their PMS machine into the DMZ, usually out of desperation in an attempt to get remote access working.
Sometimes they even get the explicit recommendation by other users to do so.
This was never recommended by Plex, and I can only advise everyone to avoid that. It moves your server machine out of the protection of your router's firewall.
Yes, a network expert can configure a machine so it is also relatively safe when exposed in a DMZ. But how many Plex users are actual network experts?
No, because these devices connect directly to the server and don't take the public route (unless there is a configuration problem.)
But even then, they will ask plex.tv for the domain name and the port number of the server.
This is all handled automatically, unless you have defined a "custom server access URL" (which you only need to do in special cases).
Would someone be able to advise to a beginner what I need to do as simple mitigation until there is a code fix?
Ideally using simple terms/language. I'm semi technically literate but a beginner in terms of network setup etc. So I'm pretty sure my own PMS is running the default
I have mine on a random port and my firewall only allows TCP traffic on this port. I was recently trying to geo restrict to only allow valid Plex traffic in. I was going through the Plex logs and trying to see where the Plex servers are located, but I gave up after a while. I had 8 or 9 countries allowed but I was still having valid packets not getting through. Is there a definitive list of the countries where Plex are running servers to limit traffic just to those?