[ZoomEye Report] Nearly 40,000 Plex services around the world may be used for reflective DDos attacks
On January 7, 2021, Baidu Security Lab issued an early warning saying that a DDoS reflection attack initiated by the network service of Plex (media playback platform) was captured in January 2021 
According to the article of Baidu Security Lab, the hacker used the DDoS reflection attack based on the Plex service (UDP port 32414) in this attack, and it is found that Plex’s two UDP port(32414 and 32410) accesses can be used for reflection amplification attacks.
After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem (although no relevant information has been seen in the plex official Security bulletin)
Send the string “M-SEARCH * HTTP/1.1” to UDP port 32414 or 32410 through nc and the following response data:
╰─$echo “M-SEARCH * HTTP/1.1” | nc -u x.x.x.x 32410
HTTP/1.0 200 OK
So we used ZoomEye to conduct surveying and mapping for UDP ports 32414 and 32410, and the results are as follows:
ZoomEye Dork: service:“plex-media-server” and about 72,968 results in ZoomEye .
The second step of course we need to exclude the 1.21 version of the target, I spent some time to find out the specific version number details of 1.21, and then use the not operator symbol:-to exclude the 1.21 related version data, The result is shown in the following figure:
There are 39552 plex port services in ZoomEye that can be used to reflect DDos amplification attacks.
Thanks to Baidu Lab for the research and the ZoomEye team