[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)

The Doctor [412/724/301/703/415/510] drwho at virtadpt.net
Thu Apr 29 16:42:48 UTC 2021


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, April 28, 2021 12:36 PM, <admin at frinkel.tech> wrote:

> This seems concerning to me. Is there really no way for an operator to
> mitigate this beyond choosing a random port and hoping no prospective
> attacker figures out or otherwise deduces which port it is?

...or querying SHODAN for a list of hosts that are all running a STUN server on some port,
for that matter.

Rate limiting at the system level?  Using local firewall rules to limit the amount of outbound
STUN traffic to x packets per second, where x is a single digit integer?  It won't stop abuse
but it will slow it down significantly.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.
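
The outbound rate limit suggested in the message above, written as an nftables ruleset. This is an added example, not part of the original post. It assumes the server answers on the default STUN port, 3478/UDP, and picks x = 5; the table and chain names are illustrative.

```nftables
# Added example: cap outbound STUN responses at a single-digit packet rate.
# Assumptions: STUN listens on UDP 3478 (the default port); x = 5 packets/second.
table inet stun_egress {
    chain output {
        # Locally generated traffic leaving the host, IPv4 and IPv6.
        type filter hook output priority 0; policy accept;

        # Responses leave with the STUN port as their source port.
        # Anything above 5 packets/second is counted and dropped.
        udp sport 3478 limit rate over 5/second burst 5 packets counter drop
    }
}
```

The limit is global, so legitimate Binding responses share the same 5 packets/second budget; the counter on the rule (visible with `nft list table inet stun_egress`) shows how much is being dropped.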


