[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)

Philipp Hancke fippo at goodadvice.pages.de
Wed Apr 28 18:21:09 UTC 2021

On 28.04.21 at 17:37, Jonas Schäfer wrote:
> Hi fellow operators,
> TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected
> amplified DDoS attacks even with authentication enabled. Roll a few dice and
> choose a random port number for your STUN server for the better of the
> internet.
> With the advent of widespread A/V calling support in client connections, many
> of us have deployed STUN/TURN servers.
> Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN
> servers are easy to detect and to abuse in Distributed Denial of Service
> attacks.
> By using source IP address spoofing [1] and exploiting that UDP is
> connectionless, attackers can make the STUN server send traffic to arbitrary
> IP addresses via a reflected attack [2].

which is described in 
https://tools.ietf.org/html/rfc5389#section-16.2.1, no?
> In some cases, the response of the STUN server will also be larger than the
> request sent by the client, adding an amplification [3] factor to it.

which from what I can see is less than two and can be brought closer to 
1 with minimal tuning.

Why do you think that is attractive as an attack vector?

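The amplification factor the two posts are arguing about can be measured rather than estimated. The following is an added example, not code from either poster or from any STUN server: it builds an RFC 5389 Binding Request and a Binding Success Response in pure Python, with and without the optional SOFTWARE and FINGERPRINT attributes, and divides response size by request size. It also reports the ratio with the 28 bytes of IPv4/UDP headers that both packets carry on the wire, since that is the bandwidth a reflected flood actually consumes. The client address 203.0.113.7:54321 and the SOFTWARE string "turnserver" are constructed values, not taken from any real deployment.

```python
"""Build STUN Binding Request/Response messages (RFC 5389) and compute
the reflection amplification ratio for different attribute sets."""
import ipaddress
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022            # optional, RFC 5389 section 15.10
ATTR_FINGERPRINT = 0x8028         # optional, RFC 5389 section 15.5
FINGERPRINT_XOR = 0x5354554E
IP_UDP_HEADERS = 20 + 8           # IPv4 header + UDP header, per datagram


def build_header(msg_type, length, txid):
    """20-byte STUN header: type, attribute length, magic cookie, 96-bit txid."""
    return struct.pack("!HHI12s", msg_type, length, MAGIC_COOKIE, txid)


def tlv(attr_type, value):
    """Encode one attribute; the value is padded to a 4-byte boundary."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def binding_request(txid=None):
    """A Binding Request carries no attributes: always exactly 20 bytes."""
    return build_header(BINDING_REQUEST, 0, txid or os.urandom(12))


def xor_mapped_address(ip, port):
    """IPv4 XOR-MAPPED-ADDRESS: port XOR high 16 bits of the cookie, address XOR cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    return tlv(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr))


def binding_response(request, client_ip, client_port, software=None, fingerprint=False):
    """Answer a Binding Request as a server would, with optional attributes."""
    txid = request[8:20]
    attrs = xor_mapped_address(client_ip, client_port)
    if software is not None:
        attrs += tlv(ATTR_SOFTWARE, software.encode())
    if fingerprint:
        # CRC-32 over the message up to the FINGERPRINT attribute, with the
        # header length already counting the 8-byte FINGERPRINT attribute.
        covered = build_header(BINDING_SUCCESS, len(attrs) + 8, txid) + attrs
        crc = zlib.crc32(covered) ^ FINGERPRINT_XOR
        attrs += tlv(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return build_header(BINDING_SUCCESS, len(attrs), txid) + attrs


def parse_attributes(msg):
    """Return (txid, {attr_type: raw_value}) for a STUN message."""
    _, length, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    attrs, pos = {}, 20
    while pos < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[attr_type] = msg[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len + ((-attr_len) % 4)
    return txid, attrs


def decode_xor_mapped_address(value):
    """Undo the XOR and return (ip, port) the server saw."""
    _, _family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def amplification(request, response, with_headers=False):
    """Bytes reflected per byte sent; with_headers counts IPv4+UDP overhead too."""
    extra = IP_UDP_HEADERS if with_headers else 0
    return (len(response) + extra) / (len(request) + extra)


if __name__ == "__main__":
    req = binding_request()
    # Constructed client address; a spoofed source would put the victim here.
    minimal = binding_response(req, "203.0.113.7", 54321)
    verbose = binding_response(req, "203.0.113.7", 54321, software="turnserver", fingerprint=True)
    for name, resp in (("XOR-MAPPED-ADDRESS only", minimal), ("+SOFTWARE +FINGERPRINT", verbose)):
        print(f"{name}: {len(req)} -> {len(resp)} bytes, "
              f"ratio {amplification(req, resp):.2f} (payload), "
              f"{amplification(req, resp, with_headers=True):.2f} (on the wire)")
```

Dropping SOFTWARE and FINGERPRINT, both optional in RFC 5389, is the knob an operator has: the response then cannot be smaller than 32 bytes (header plus XOR-MAPPED-ADDRESS) against a 20-byte request, and once the fixed per-datagram IP/UDP overhead is counted the wire-level ratio drops further still, which is the figure an attacker choosing a reflector cares about.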