[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)

Melinda Thompson tylindacarol2912 at gmail.com
Thu Apr 29 00:02:33 UTC 2021


Who are you, and what company do you work for? I feel this is a scam. I will take this email
to the police.

On Wed, Apr 28, 2021, 11:43 AM Jonas Schäfer <jonas at wielicki.name> wrote:

> Hi fellow operators,
>
> TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected
> amplified DDoS attacks even with authentication enabled. Roll a few dice and
> choose a random port number for your STUN server for the better of the
> internet.
>
>
> DESCRIPTION
>
> With the advent of widespread A/V calling support in client connections, many
> of us have deployed STUN/TURN servers.
>
> Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN
> servers are easy to detect and to abuse in Distributed Denial of Service
> attacks.
>
> By using source IP address spoofing [1] and exploiting that UDP is
> connectionless, attackers can make the STUN server send traffic to arbitrary
> IP addresses via a reflected attack [2].
>
> In some cases, the response of the STUN server will also be larger than the
> request sent by the client, adding an amplification [3] factor to it.
>
> Unfortunately, the exploited behaviour is part of the normal operation of the
> STUN protocol. It also happens pre-auth, so adding authentication is not
> sufficient.
>
>
> MITIGATION
>
> In order to mitigate those attacks, the current recommendation we worked out
> is to randomize the port number of your STUN server. As XMPP allows clients to
> discover STUN servers including their port number (even via a secured
> channel), this is an easy measure.
>
> Make sure to pick the port number at random, and take care to also correctly
> configure the alternative STUN port number.
>
>
> Thanks,
> Jonas
>
>    [1]: https://en.wikipedia.org/wiki/IP_address_spoofing
>    [2]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_/
> _spoofed_attack
>    [3]:
> https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification
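The quoted message makes two points worth seeing concretely: a STUN Binding Response is answered before any authentication and can be larger than the 20-byte Binding Request (the amplification factor), and the suggested mitigation is a randomly chosen listening port plus a correctly set alternate port. The following Python is an added example, not code from the original thread or from any STUN server project. It builds RFC 5389 Binding Request and Response messages purely in memory (no packets are sent) so an operator can measure the size ratio their own server's attribute set would produce, and it picks two distinct random ports. The `software` string, the client address `203.0.113.7`, and the port range 10000 to 60000 are constructed assumptions, not values from the page.

```python
import secrets
import socket
import struct

# RFC 5389 constants (the response arrives pre-auth, which is the exploited behaviour)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022


def build_header(msg_type, body, txid):
    """20-byte STUN header: type, body length, magic cookie, 96-bit transaction id."""
    return struct.pack("!HHI12s", msg_type, len(body), MAGIC_COOKIE, txid) + body


def attr(attr_type, value):
    """TLV attribute, value padded to a 4-byte boundary (length field stays unpadded)."""
    padded = value + b"\x00" * (-len(value) % 4)
    return struct.pack("!HH", attr_type, len(value)) + padded


def xor_mapped_address(ip, port):
    """XOR-MAPPED-ADDRESS value for IPv4: port XOR top 16 cookie bits, addr XOR cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def binding_request(txid=None):
    """Minimal Binding Request: header only, 20 bytes on the wire."""
    txid = txid or secrets.token_bytes(12)
    return build_header(BINDING_REQUEST, b"", txid)


def binding_response(request, client_ip, client_port, software=None):
    """Binding Success Response echoing the request's transaction id.

    `software` is an optional SOFTWARE attribute; every extra attribute a
    server attaches enlarges the reply and therefore the amplification factor.
    """
    txid = request[8:20]
    body = attr(ATTR_XOR_MAPPED_ADDRESS, xor_mapped_address(client_ip, client_port))
    if software:
        body += attr(ATTR_SOFTWARE, software.encode())
    return build_header(BINDING_SUCCESS, body, txid)


def parse_attributes(msg):
    """Return (message type, {attr type: raw value}) for a STUN message."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN message")
    attrs, pos, end = {}, 20, 20 + length
    while pos < end:
        t, length = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[t] = msg[pos + 4:pos + 4 + length]
        pos += 4 + length + (-length % 4)
    return msg_type, attrs


def mapped_address(response):
    """Decode the reflexive (ip, port) from a Binding Response."""
    _, attrs = parse_attributes(response)
    _, _family, xport, xaddr = struct.unpack("!BBHI", attrs[ATTR_XOR_MAPPED_ADDRESS])
    port = xport ^ (MAGIC_COOKIE >> 16)
    ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
    return ip, port


def amplification_factor(request, response):
    """Bytes the server emits per byte it receives, for one request/response pair."""
    return len(response) / len(request)


def choose_stun_ports(low=10000, high=60000, avoid=(3478, 5349)):
    """Pick a random listening port and a distinct alternate port.

    Uses the CSPRNG so the choice is not guessable, skips the well-known STUN/TURN
    defaults, and guarantees the alternate port differs from the primary one.
    The range bounds are an assumption for this example.
    """
    ports = []
    while len(ports) < 2:
        port = low + secrets.randbelow(high - low + 1)
        if port not in avoid and port not in ports:
            ports.append(port)
    return tuple(ports)


if __name__ == "__main__":
    req = binding_request()
    bare = binding_response(req, "203.0.113.7", 40000)                 # constructed client
    chatty = binding_response(req, "203.0.113.7", 40000, "Example STUN server 1.0")
    print("bare response factor:  ", amplification_factor(req, bare))
    print("with SOFTWARE factor:  ", amplification_factor(req, chatty))
    print("random primary/alt port:", choose_stun_ports())
```

A 20-byte request already draws a 32-byte reply (factor 1.6) from a server that returns nothing but XOR-MAPPED-ADDRESS; each optional attribute such as SOFTWARE raises the factor further, so trimming such attributes reduces exposure, while moving the service to a random port, as the message recommends, reduces how easily the reflector is found in the first place.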