[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)

Philipp Hancke fippo at goodadvice.pages.de
Fri Apr 30 07:24:57 UTC 2021


<snip/>

> And yet: 

I can never resist someone saying this :-)

> I do see live attack traffic on my server on port 3478. I am certain
> it is attack traffic based on the behaviour and specifics, but I won’t go into
> details on a public mailing list (feel free to contact me off-list though).
> 
> I also know that other operators see the same issue on their STUN servers.

I asked around and the consensus was "that is just the random noise that 
has been there forever", which probably has gotten bigger in the 
pandemic as well but remains noise.

> The cost of relocating your STUN server to another port is small, especially
> if it’s only used by an XMPP service. IMO, the amount of mitigated attack
> traffic (even if it’s just a few kbps per STUN server) is worth that little
> effort.

It might be noisier on the default port 3478, so changing that might 
help a bit. Please don't use 53 though.

You might also want to configure no-software-attribute in coturn to 
reduce the amplification factor.

As Google's stun servers show, webrtc clients work fine with just an 
xor-mapped-addr in the response, but that requires actual work in coturn, 
which sends attributes that are not required, like mapped-addr (which 
wouldn't be necessary for clients sending the magic cookie), response 
origin or other-address.

cheers

Philipp
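An added example, not from this thread and not coturn's code: it encodes a bare STUN Binding Request and two Binding Success Responses (one carrying only xor-mapped-addr, one carrying the extra attributes named above) and reports bytes returned per byte received, which is the amplification factor a reflector hands to an attacker. The addresses, port and SOFTWARE banner are constructed values.

```python
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
# Attribute types (RFC 5389 / RFC 5780); only XOR-MAPPED-ADDRESS is needed by modern clients
XOR_MAPPED_ADDRESS, MAPPED_ADDRESS = 0x0020, 0x0001
SOFTWARE, RESPONSE_ORIGIN, OTHER_ADDRESS = 0x8022, 0x802B, 0x802C


def attr(atype, value):
    """TLV-encode one attribute; the value is padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def ipv4_attr(atype, ip, port, xor=False):
    """Address attribute (family 0x01); the XOR form masks port and IP with the magic cookie."""
    ip_int = struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]
    if xor:
        port ^= MAGIC_COOKIE >> 16
        ip_int ^= MAGIC_COOKIE
    return attr(atype, struct.pack("!BBHI", 0, 0x01, port, ip_int))


def stun_message(msg_type, txid, attrs):
    """20-byte header (type, body length, magic cookie, 96-bit transaction id) + attributes."""
    body = b"".join(attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def amplification(client="203.0.113.9", server="198.51.100.1"):
    """Sizes and bytes-out/bytes-in ratios for a bare Binding Request (constructed addresses)."""
    txid = bytes(12)
    request = stun_message(BINDING_REQUEST, txid, [])  # 20 bytes, no attributes at all
    minimal = stun_message(BINDING_SUCCESS, txid, [
        ipv4_attr(XOR_MAPPED_ADDRESS, client, 51000, xor=True)])
    verbose = stun_message(BINDING_SUCCESS, txid, [
        ipv4_attr(XOR_MAPPED_ADDRESS, client, 51000, xor=True),
        ipv4_attr(MAPPED_ADDRESS, client, 51000),
        ipv4_attr(RESPONSE_ORIGIN, server, 3478),
        ipv4_attr(OTHER_ADDRESS, server, 3479),
        attr(SOFTWARE, b"example STUN server v1.0"),  # constructed banner; no-software-attribute drops it
    ])
    return {"request": len(request), "minimal": len(minimal), "verbose": len(verbose),
            "minimal_factor": len(minimal) / len(request),
            "verbose_factor": len(verbose) / len(request)}
```

With these inputs the minimal response is 32 bytes (1.6x) and the verbose one 96 bytes (4.8x), so trimming attributes is the biggest lever an operator has short of moving the port.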
