[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)
jonas at wielicki.name
Wed Apr 28 15:37:45 UTC 2021
Hi fellow operators,
TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected
amplified DDoS attacks even with authentication enabled. Roll a few dice and
choose a random port number for your STUN server for the better of the
With the advent of widespread A/V calling support in client connections, many
of us have deployed STUN/TURN servers.
Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN
servers are easy to detect and to abuse in Distributed Denial of Service
By using source IP address spoofing and exploiting that UDP is
connectionless, attackers can make the STUN server send traffic to arbitrary
IP addresses via a reflected attack.
In some cases, the response of the STUN server will also be larger than the
request sent by the client, adding an amplification factor to it.
Unfortunately, the exploited behaviour is part of the normal operation of the
STUN protocol. It also happens pre-auth, so adding authentication is not
In order to mitigate those attacks, the current recommendation we worked out
is to randomize the port number of your STUN server. As XMPP allows clients to
discover STUN servers including their port number (even via a secured
channel), this is an easy measure.
Make sure to pick the port number at random, and take care to also correctly
configure the alternative STUN port number.
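One reflector-side detection check for the behaviour described above, added here as an example and not part of the original post: it validates the fixed STUN header and flags source addresses whose Binding Request rate is implausible for a real client, which is how a spoofed victim address shows up in the server's own traffic. The sample datagrams, addresses and threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = 0x2112A442   # RFC 5389 fixed value, used here to validate headers
BINDING_REQUEST = 0x0001    # STUN message type: Binding Request

def parse_stun_header(payload):
    """Return (msg_type, attr_length) for a well-formed STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits of the type must be zero and the magic cookie must match.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE:
        return None
    if len(payload) != 20 + length:
        return None
    return msg_type, length

def binding_request(txn_id):
    """Build a minimal 20-byte Binding Request (used only to construct samples)."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id

def flag_reflection_sources(records, window_s=1.0, threshold=50):
    """records: iterable of (timestamp_s, source_ip, udp_payload).
    Returns {source_ip: peak requests in any window_s} for sources whose
    Binding Request rate reaches threshold. A spoofed victim address appears
    as a 'client' sending an implausible number of requests."""
    per_src = defaultdict(list)
    for ts, src, payload in records:
        hdr = parse_stun_header(payload)
        if hdr and hdr[0] == BINDING_REQUEST:
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample traffic: one normal client, one source that looks like a
# spoofed reflection victim, and one non-STUN datagram that must be ignored.
SAMPLE = [(10.0 + i * 3.0, "192.0.2.10", binding_request(bytes([i]) * 12)) for i in range(3)]
SAMPLE += [(20.0 + i * 0.002, "198.51.100.7", binding_request(b"\x00" * 12)) for i in range(200)]
SAMPLE.append((21.0, "203.0.113.5", b"not stun at all"))

if __name__ == "__main__":
    print(flag_reflection_sources(SAMPLE))   # -> {'198.51.100.7': 200}
```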