[ZoomEye Report] Nearly 40,000 Plex services around the world may be used for reflective DDoS attacks

On January 7, 2021, Baidu Security Lab issued an early warning stating that a DDoS reflection attack launched through the network service of Plex (a media playback platform) had been captured in January 2021 [1].

According to the Baidu Security Lab article, the attacker used a DDoS reflection attack based on the Plex service (UDP port 32414), and it was found that both of Plex's UDP ports (32414 and 32410) can be used for reflection amplification attacks.

Testing by Baidu Lab researchers found that the Plex versions used in the attack were all lower than 1.21, so it can be inferred that Plex version 1.21, released in late January this year, fixed this problem (although no relevant information appears in the official Plex security bulletin).

Sending the string "M-SEARCH * HTTP/1.1" to UDP port 32414 or 32410 with nc returns the following response data:

╭─heige@404team ~
╰─$echo "M-SEARCH * HTTP/1.1" | nc -u x.x.x.x 32410
HTTP/1.0 200 OK
Content-Type: plex/media-server
Host: f68af048f0eb42f397566e45e90581eb.plex.direct
Name: xxxx
Port: 32400
Resource-Identifier: 6aae26c26011b11ee5235670fa5540555b85dc48
Updated-At: 1610185343

So we used ZoomEye to survey and map UDP ports 32414 and 32410; the results are as follows:

ZoomEye Dork: service:"plex-media-server" returns about 72,968 results in ZoomEye [2].

The second step is of course to exclude targets running version 1.21. I spent some time finding the specific version numbers of the 1.21 releases and then used the not operator (-) to exclude the data for those versions. The result is shown in the following figure:

(The result was queried with the ZoomEye command-line tool [3].)

That leaves 39,552 Plex port services in ZoomEye that can be used for reflective DDoS amplification attacks.
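For defenders triaging their own exposure, the reply shown above and the version inference earlier in the post can be turned into a small check: parse the discovery reply, estimate how much larger it is than the probe that elicited it, and flag a scan record whose version string predates 1.21. The following is an added example written for this report; it is not Baidu Lab's or ZoomEye's code. The sample reply is constructed from the response shown above with placeholder host name, server name and identifier, CRLF line endings are assumed, and the version check takes whatever version string a scan record supplies (the post does not show that field).

```python
"""Triage a Plex UDP discovery reply: parse it, estimate the reflection
amplification it hands an attacker, and check whether a reported version
predates 1.21 (the release this post infers fixed the problem).

Added example for this report, not Baidu Lab's or ZoomEye's own code.
"""
from dataclasses import dataclass

# Bytes that `echo "M-SEARCH * HTTP/1.1" | nc -u host 32410` puts on the wire:
# 19 characters plus the newline that echo appends.
PROBE = b"M-SEARCH * HTTP/1.1\n"

# Constructed sample reply modelled on the response in the post; the
# plex.direct host, the Name and the Resource-Identifier are placeholders.
SAMPLE_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    + b"Content-Type: plex/media-server\r\n"
    + b"Host: " + b"0123456789abcdef" * 2 + b".plex.direct\r\n"
    + b"Name: living-room-plex\r\n"
    + b"Port: 32400\r\n"
    + b"Resource-Identifier: " + b"0" * 40 + b"\r\n"
    + b"Updated-At: 1610185343\r\n"
    + b"\r\n"
)


@dataclass
class PlexReply:
    status: str
    headers: dict


def parse_reply(raw: bytes) -> PlexReply:
    """Split a status line plus 'Key: Value' header lines; stop at the blank line."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n") if "\r\n" in text else text.split("\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return PlexReply(status=status, headers=headers)


def is_plex_reflector(reply: PlexReply) -> bool:
    """A 200 reply advertising plex/media-server means the port answers
    unauthenticated UDP probes, i.e. it can be abused as a reflector."""
    return (reply.status.endswith("200 OK")
            and reply.headers.get("Content-Type") == "plex/media-server")


def amplification_factor(reply_bytes: bytes, probe: bytes = PROBE) -> float:
    """Payload-level bandwidth amplification: reply size over probe size."""
    return len(reply_bytes) / len(probe)


def version_predates_fix(version: str) -> bool:
    """True when the major.minor part of the version string is below 1.21.
    That threshold is the post's inference, not a vendor statement."""
    parts = []
    for piece in version.split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts) < (1, 21)


if __name__ == "__main__":
    reply = parse_reply(SAMPLE_REPLY)
    print("answers unauthenticated probe:", is_plex_reflector(reply))
    print("amplification (payload only): %.1fx" % amplification_factor(SAMPLE_REPLY))
    print("1.20.5.1234 predates fix:", version_predates_fix("1.20.5.1234"))
```

The factor is payload-only (IP and UDP headers are not counted) and grows with the length of the Name header, so each host's figure differs; what matters for triage is that any 200 reply at all on 32410/32414 from the Internet side means the port should be filtered at the edge or the server updated.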

Thanks to Baidu Lab for the research, and to the ZoomEye team.

[1] https://mp.weixin.qq.com/s/y8IqT_mT-oC4EVC4y3bVSw (Chinese)
[2] https://www.zoomeye.org/searchResult?q=service%3A%22plex-media-server%22
[3] https://github.com/knownsec/ZoomEye-python

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)
