[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)
fippo at goodadvice.pages.de
Wed Apr 28 18:21:09 UTC 2021
On 28.04.21 at 17:37, Jonas Schäfer wrote:
> Hi fellow operators,
> TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected
> amplified DDoS attacks even with authentication enabled. Roll a few dice and
> choose a random port number for your STUN server for the better of the
> With the advent of widespread A/V calling support in client connections, many
> of us have deployed STUN/TURN servers.
> Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN
> servers are easy to detect and to abuse in Distributed Denial of Service
> By using source IP address spoofing and exploiting that UDP is
> connectionless, attackers can make the STUN server send traffic to arbitrary
> IP addresses via a reflected attack.
which is described in
> In some cases, the response of the STUN server will also be larger than the
> request sent by the client, adding an amplification factor to it.
which from what I can see is less than two and can be brought closer to
1 with minimal tuning.
Why do you think that is attractive as an attack vector?
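The amplification factor fippo is questioning here is just the ratio of the STUN server's response size to the request size. The following is an added illustration, not code from this thread or from any STUN server implementation: it builds the smallest valid Binding Request (a bare 20-byte header), the Binding Success Response a server sends back (XOR-MAPPED-ADDRESS only, then with an optional SOFTWARE attribute), parses the response back, and computes the ratio. The IP address, port and SOFTWARE string are constructed sample values; the point is that a minimal response reflects 1.6 bytes per byte received, and that every optional attribute a server tacks on (SOFTWARE is the obvious one) raises that ratio, which is the "minimal tuning" an operator can do.

```python
import socket
import struct
import secrets

# Constants from RFC 5389 (STUN).
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022


def stun_header(msg_type, body_length, txid):
    """20-byte STUN header (RFC 5389 section 6)."""
    return struct.pack("!HHI12s", msg_type, body_length, STUN_MAGIC_COOKIE, txid)


def attribute(attr_type, value):
    """TLV attribute; the value is padded to a 4-byte boundary while the
    length field carries the unpadded size (RFC 5389 section 15)."""
    padding = b"\x00" * ((4 - len(value) % 4) % 4)
    return struct.pack("!HH", attr_type, len(value)) + value + padding


def xor_mapped_address(ip, port):
    """IPv4 XOR-MAPPED-ADDRESS: port and address XORed with the magic cookie."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ STUN_MAGIC_COOKIE
    return attribute(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr))


def binding_request(txid):
    """The smallest valid Binding Request: a bare header, no attributes."""
    return stun_header(BINDING_REQUEST, 0, txid)


def binding_response(txid, ip, port, software=None):
    """Binding Success Response reflecting the client's (possibly spoofed)
    address; the optional SOFTWARE attribute is extra payload a server can omit."""
    body = xor_mapped_address(ip, port)
    if software is not None:
        body += attribute(ATTR_SOFTWARE, software.encode("utf-8"))
    return stun_header(BINDING_SUCCESS, len(body), txid) + body


def parse_stun(data):
    """Validate the header and return (msg_type, txid, {attr_type: value})."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != STUN_MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("bad magic cookie or length")
    attrs, pos = {}, 20
    while pos < len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs[attr_type] = data[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len + ((4 - attr_len % 4) % 4)  # skip value and padding
    return msg_type, txid, attrs


def decode_xor_mapped_address(value):
    """Undo the XOR and return (ip, port) for an IPv4 XOR-MAPPED-ADDRESS."""
    _, family, xport, xaddr = struct.unpack("!BBHI", value)
    if family != 0x01:
        raise ValueError("only IPv4 handled here")
    port = xport ^ (STUN_MAGIC_COOKIE >> 16)
    ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
    return ip, port


def amplification_factor(request, response):
    """Bytes the server sends to the reflected address per byte it received."""
    return len(response) / len(request)


if __name__ == "__main__":
    txid = secrets.token_bytes(12)
    req = binding_request(txid)
    # Constructed sample values: the address the server believes it is replying to.
    samples = (
        ("minimal", binding_response(txid, "203.0.113.5", 3478)),
        ("with SOFTWARE", binding_response(txid, "203.0.113.5", 3478, "ExampleStunServer/1.0")),
    )
    for label, resp in samples:
        _, _, attrs = parse_stun(resp)
        print(label, len(req), "->", len(resp), "bytes, factor",
              amplification_factor(req, resp),
              decode_xor_mapped_address(attrs[ATTR_XOR_MAPPED_ADDRESS]))
```

Running it prints a factor of 1.6 for the bare response (32 bytes for a 20-byte request) and 3.0 once a 21-character SOFTWARE string is added. Measuring the same ratio against one's own server, with a real client doing the request, shows directly which attributes are worth dropping.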