Tom here from Lawrence Systems, and Plex has been used as part of a DDoS attack involving about 37,000 vulnerable servers. Hopefully you are not one of them. If you didn't know about this incident, please update your Plex and make sure you are running the latest version, which mitigates this now. What I want to discuss is a couple of things. One: any time I mention self-hosting a service and exposing said service to the internet, the first question is, do you really need it exposed? I know it's greatly convenient just to throw it online and use your public IP space so you can get to it remotely. I often suggest, whenever possible, putting these things behind a VPN to help mitigate these potential issues, because you're limiting your threat surface. But if you do have it out there, you may be part of a botnet if you don't configure it properly. And we're going to talk about a couple of scenarios here and exactly how Plex was used in a DDoS attack, and we'll briefly touch on what a DDoS attack is in case you don't know.

Before we dive into the details: if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free (and thank you to everyone who already has), there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store.
We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Now, today is February 15th, 2021, and I bring that up because Plex Media Servers are actively being used and abused by DDoS-for-hire services as a UDP reflection/amplification vector in distributed denial of service attacks. But what we don't have any evidence of is that any data was exfiltrated or that any other further compromise of your network came from this particular attack. That's what we know now, and that's an important factor. I know a lot of people probably wanted to have an understanding of whether or not this means their system was compromised in a way where someone was inside their network and was, you know, exfiltrating data, or potentially, what would be the worst-case scenario, doing lateral movement and getting further into something more than just Plex, to our knowledge.
This was only abusable in terms of the ability to DDoS, and not actually compromising any of the data. So basically your Plex server becomes an unwilling or unwitting participant in the abuse and the sending out of all these extra packets, but no data is actually compromised. They're just bouncing packets off of it.

Now, these are the ports you need to open up for Plex, and a lot of you are probably going, "I don't do this, I don't open up these ports, clearly it wasn't me." But here's something really important that needs to be thought about. If you're using a more advanced firewall such as pfSense or Untangle, which I've covered a lot on this channel, those firewalls both have UPnP turned off by default. But if you're using whatever was provided to you by your ISP, or you have a consumer firewall, those frequently have UPnP turned on by default. So it's on in many of those, meaning if you just load Plex and it talks UPnP to your consumer router, it just opens up the ports for you for convenience. As a matter of fact, according to BleepingComputer, there are 27,000 conveniently open Plex servers with this particular problem. Now, there is a patch for it. The first immediate thing is, if you can turn UPnP off, turn it off. I say "if" because I know some routers, some of the consumer ones, don't even seem to have the option to actually turn it off. But you could always just stop Plex and not be part of this potential service problem.

Now, why do they use UDP? Let's talk about that really quickly. With a distributed denial of service attack, UDP is very ideal because you can lie about where you want the response to go. So let's look at this graphic over on the by-do labs write-up, where we have a threat actor who sends a packet to one of these Plex servers, the amplifiers, to get to the victim.
The goal is to flood the target with so much data that they cannot process it. UDP is very ideal because I can send a packet, but instead of the reply returning to me, it goes to whatever the packet says the return address is, and we give the victim as the return address. The amplification factor matters because, as the attacker, you only have so many bots at your disposal. Maybe you have enough bots to send a bunch of packets to the victim directly, but that creates two problems. One is a matter of how much traffic the target can take and how many bots you have; the other issue is that they can now see my bots sending traffic. That's a problem. But when we can use those bots to reflect, and this is what Plex is offering them, not only are we obscuring where the original traffic came from, we're also amplifying. According to researchers over at Netscout, attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP (the Plex Media Server SSDP) reflectors/amplifiers have an amplification ratio of 4.68 to 1. That means for each bot they have, the bot can hand these packets over to the Plex servers, who then amplify this attack at 4.68 to 1 for the packets in, meaning you're going to get a lot more data out of them than you put in, which is exactly what the attacker wants. So first we've obscured who the bots are, because they're bouncing them off of these Plex servers, and then these Plex servers are sending 4.68 packets for each packet sent, on average, meaning we get quite an amplification and a lot of confusion, because this is spread across 27,000 exposed Plex devices and we don't know where the attack came from exactly. It becomes very tricky to trace this down when you're dealing with something at this scale. So all the victim sees is all of a sudden all these random 27,000 devices are now attacking my system. Now, 27,000 is what we know about; there might be even more. These companies frequently use tools like their own scanning, or something like Shodan, to try to find all the servers, and the bots are really efficient at constantly making lists of the exposed, known and vulnerable servers to add them to their list of tools they use, or their "booter services arsenal," as it was put here.

There are actually a few other articles linked over here at the bottom of the BleepingComputer piece, which I'll leave a link to, that talk about some of the other tools they're using, and this is frequently how these denial-of-service companies, if you want to refer to them as that, illegal businesses if they're really a business, DDoS-for-hire groups, we'll just call them that, operate. They build a list of all the different bots they have and then each thing they can reflect off of, to then attack a victim. And it's not just one thing; this is just one more thing added to their list. Now, this has been ongoing for a little while. This is not necessarily a new attack, and it's unfortunate, and it may have been a mystery when some people went, "Well, all of a sudden my internet is slow for periods of time." Yes, whenever they're using it, they're using your internet and bandwidth, which may have its own consequences with data caps and things like that, because suddenly you're just massively sending out all kinds of data, using up your data cap, for this DDoS-for-hire.

Mitigations against this: if you don't need to publicly expose something, don't do it. If you can keep it behind a VPN, you're that much safer because you've reduced your threat surface. Update Plex; that's obviously the immediate thing if you need to have this publicly exposed, and what you need to do to fix it immediately is, well, update Plex. Don't use a consumer router where you can't turn UPnP off, because, well, it being on is undoubtedly what led to the majority of these. I doubt 27,000 people took the time to port forward their Plex. Like I said, it's more likely UPnP was in use and just did it automatically for them. So I'll leave links to all this so you can read up on it.
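As an added example, not code from the video, from Plex or from Netscout, here is a small defender-side check a self-hoster could run over flow records from the network edge: it groups UDP exchanges on the Plex discovery port by remote address and flags any address that is receiving many replies that are far larger than the requests, which is what a server being used as a reflector looks like from the inside. The port number 32414 (the UDP port Plex uses for its SSDP-style discovery), the thresholds and the flow records are assumptions and constructed sample data.

```python
from collections import defaultdict

PLEX_SSDP_PORT = 32414          # assumed: UDP port of Plex's SSDP-style discovery
AMPLIFICATION_THRESHOLD = 3.0   # bytes out / bytes in; the video cites 4.68:1 on average
MIN_EXCHANGES = 20              # a few discovery probes from a real client are normal

# Constructed flow records: "remote_ip local_port bytes_in bytes_out", one UDP
# request/reply pair per line, as a firewall or NetFlow export might provide.
SAMPLE_FLOWS = (
    # a spoofed "victim" address: many tiny requests, each answered with a big reply
    ["203.0.113.5 32414 50 234"] * 30
    # a real client on the LAN doing ordinary discovery
    + ["192.168.1.42 32414 50 234"] * 2
    # unrelated traffic on the media port, not part of the check
    + ["198.51.100.7 32400 1200 900"] * 40
)


def parse_flow(line):
    """Turn one whitespace-separated record into (ip, port, bytes_in, bytes_out)."""
    ip, port, b_in, b_out = line.split()
    return ip, int(port), int(b_in), int(b_out)


def find_reflection_targets(lines):
    """Return {remote_ip: (exchanges, amplification)} for addresses that look like
    victims of our server: many replies from the SSDP port to one address, with
    replies much larger than the requests that triggered them."""
    stats = defaultdict(lambda: [0, 0, 0])  # exchanges, bytes_in, bytes_out
    for line in lines:
        ip, port, b_in, b_out = parse_flow(line)
        if port != PLEX_SSDP_PORT:
            continue
        s = stats[ip]
        s[0] += 1
        s[1] += b_in
        s[2] += b_out
    flagged = {}
    for ip, (n, b_in, b_out) in stats.items():
        ratio = b_out / b_in if b_in else float("inf")
        if n >= MIN_EXCHANGES and ratio >= AMPLIFICATION_THRESHOLD:
            flagged[ip] = (n, round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{ip}: {n} replies from UDP/{PLEX_SSDP_PORT}, amplification {ratio}:1")
```

A hit here means your bandwidth is being spent on someone else's attack, and the remedy is the one the video gives: patch Plex, and close the port or move the server behind a VPN.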
It's an interesting article, and it's an interesting thought process: whenever you self-host things, make sure that you're aware that these risks are always there any time you publicly expose things, and it's important to keep up with patches and updates, as is always stated on here. This is one more reason to run a non-consumer-grade firewall in your environment, so you don't have things like UPnP turned on, and if you did turn them on, really question if you need it, because it allows anything to start talking to it. And just because it was on a separate network, that may mitigate some lateral movement if you've got things subdivided out in your network, but it doesn't mitigate the fact that your bandwidth was used to participate in potential attacks like this.

All right, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.