Plex SSDP Reflection/Amplification DDoS Flaw.
What is it?
An issue in which Plex Media Server installations in a specific network position could potentially be used to reflect UDP traffic on certain device-discovery ports as part of a possible DDoS (distributed denial-of-service) attack.
Does this mean my information was exposed?
No, your data and information was not compromised. Your plex server could of been used to attack other computer, servers or networks.
The US-CERT article explaining:This issue does not allow attackers to access any of your private data or make changes to your account. It only allows attackers to cause an affected server to “reflect” UDP packets in order to increase the volume of a denial-of-service attack against some other server or network on the public internet. These “amplification” techniques are common in a variety of widely-used, UDP-based network protocols when services are exposed directly to the public internet (such as DNS or NTP). For more information on amplification attacks and how to protect Internet-facing systems against them, we recommend you review .
What do I need to do?
1. Update your plex server to the latest version. (v1.21.3.4014 or newer has the security fix)
2. Turn off UPnP (Universal Plug and Play.) in your router. When enabled UPnP, devices directly forward a port on your router and save you from manually forwarding ports. This can cause security issues without your knowledge.
3. If you are forwarding ports to your plex media server turn off UDP only forward TCP connections.
What network ports do I need to allow through my firewall?
- TCP Port: 32400 (access to the Plex Media Server) [required]
Warning!
For security, we very strongly recommend that you do not allow any “additional” ports through the firewall or to be forwarded in your router, in cases specifically where your Plex Media Server is running on a machine with a public/WAN IP address. This includes those hosted in a data center as well as machines on a “local network” that have been put into the “DMZ” (the “de-militarized zone”) of the network router. This is not a setup that applies to most users.
Additional ports are also used within the local network.
Do not forward these ports to the internet.
- UDP: 1900 (access to the Plex DLNA Server)
- UDP: 5353 (older Bonjour/Avahi network discovery)
- TCP: 8324 (controlling Plex for Roku via Plex Companion)
- UDP: 32410, 32412, 32413, 32414 (current GDM network discovery)
- TCP: 32469 (access to the Plex DLNA Server)
