[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)

Jonas Schäfer jonas at wielicki.name
Wed Apr 28 15:37:45 UTC 2021


Hi fellow operators,

TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected 
amplified DDoS attacks even with authentication enabled. Roll a few dice and 
choose a random port number for your STUN server for the better of the 
internet.


DESCRIPTION

With the advent of widespread A/V calling support in client connections, many 
of us have deployed STUN/TURN servers.

Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN 
servers are easy to detect and to abuse in Distributed Denial of Service 
attacks.

By using source IP address spoofing [1] and exploiting that UDP is 
connectionless, attackers can make the STUN server send traffic to arbitrary 
IP addresses via a reflected attack [2].

In some cases, the response of the STUN server will also be larger than the 
request sent by the client, adding an amplification [3] factor to it.

Unfortunately, the exploited behaviour is part of the normal operation of the 
STUN protocol. It also happens pre-auth, so adding authentication is not 
sufficient.
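To make the "larger than the request" and "pre-auth" points concrete, here is an added example (not part of the original post, and not code from any STUN server project). It builds the 20-byte Binding Request every STUN client sends, parses a Binding Response, and reports the response-to-request size ratio an operator would see from their own server. The response it parses is constructed inline with an assumed attribute set (XOR-MAPPED-ADDRESS, MAPPED-ADDRESS, RESPONSE-ORIGIN, SOFTWARE, FINGERPRINT); the addresses, port numbers and the `example-stun/1.0` software string are made-up sample values. Framing follows RFC 5389 and RFC 5780. Note that nothing in the exchange carries credentials: a Binding Request is answered before any authentication can apply.

```python
"""STUN Binding Request/Response sizing (RFC 5389 framing).

Added example, not from the original mailing-list post. The Binding
Response below is CONSTRUCTED locally, not captured from a real server.
"""
import ipaddress
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
FINGERPRINT_XOR = 0x5354554E  # RFC 5389 section 15.5

# Attribute types (RFC 5389 / RFC 5780)
MAPPED_ADDRESS = 0x0001
XOR_MAPPED_ADDRESS = 0x0020
SOFTWARE = 0x8022
FINGERPRINT = 0x8028
RESPONSE_ORIGIN = 0x802B


def build_binding_request(txn_id=None):
    """The minimal, unauthenticated request any STUN client sends (20 bytes)."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def _attr(atype, value):
    """TLV attribute, value padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _ipv4(ip, port):
    return struct.pack("!BBHI", 0, 0x01, port, int(ipaddress.IPv4Address(ip)))


def _xor_ipv4(ip, port):
    """XOR-MAPPED-ADDRESS encoding: port ^ top 16 bits of cookie, addr ^ cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def build_sample_binding_response(txn_id, client_ip="198.51.100.7", client_port=40000,
                                  server_ip="203.0.113.10", server_port=3478,
                                  software=b"example-stun/1.0"):
    """CONSTRUCTED sample response; the attribute set is an assumption."""
    body = (_attr(XOR_MAPPED_ADDRESS, _xor_ipv4(client_ip, client_port))
            + _attr(MAPPED_ADDRESS, _ipv4(client_ip, client_port))
            + _attr(RESPONSE_ORIGIN, _ipv4(server_ip, server_port))
            + _attr(SOFTWARE, software))
    # Length field counts the FINGERPRINT attribute that is appended afterwards.
    header = struct.pack("!HHI", BINDING_RESPONSE, len(body) + 8, MAGIC_COOKIE) + txn_id
    crc = zlib.crc32(header + body) ^ FINGERPRINT_XOR
    return header + body + _attr(FINGERPRINT, struct.pack("!I", crc))


def parse_stun(data):
    """Parse header and attributes; rejects non-STUN or inconsistent datagrams."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or mtype & 0xC000:
        raise ValueError("not an RFC 5389 STUN message")
    if len(data) != 20 + mlen:
        raise ValueError("length field does not match datagram size")
    attrs, pos = [], 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs.append((atype, value))
        pos += 4 + alen + ((-alen) % 4)
    return {"type": mtype, "txn_id": data[8:20], "attrs": attrs}


def decode_xor_mapped_address(value):
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def verify_fingerprint(data):
    """True if the trailing FINGERPRINT attribute matches the CRC-32 rule."""
    atype, alen = struct.unpack("!HH", data[-8:-4])
    if atype != FINGERPRINT or alen != 4:
        return False
    return struct.unpack("!I", data[-4:])[0] == (zlib.crc32(data[:-8]) ^ FINGERPRINT_XOR)


def amplification_factor(request, response):
    """Bytes a server emits per byte received: the amplification factor."""
    return len(response) / len(request)


if __name__ == "__main__":
    req = build_binding_request()
    resp = build_sample_binding_response(req[8:20])
    msg = parse_stun(resp)
    ip, port = decode_xor_mapped_address(dict(msg["attrs"])[XOR_MAPPED_ADDRESS])
    print(f"request {len(req)} B, response {len(resp)} B, "
          f"factor {amplification_factor(req, resp):.2f}, reflected to {ip}:{port}")
```

To audit a real deployment, feed `parse_stun` and `amplification_factor` the request and response bytes from a packet capture of your own server instead of the constructed sample; the SOFTWARE attribute in particular is where response size varies between implementations, so it is worth checking whether yours sends one.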


MITIGATION

In order to mitigate those attacks, the current recommendation we worked out 
is to randomize the port number of your STUN server. As XMPP allows clients to 
discover STUN servers including their port number (even via a secured 
channel), this is an easy measure.

Make sure to pick the port number at random, and take care to also correctly 
configure the alternative STUN port number.


Thanks,
Jonas

   [1]: https://en.wikipedia.org/wiki/IP_address_spoofing
   [2]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_/_spoofed_attack
   [3]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification

