[Operators] STUN/TURN servers are being abused in DDoS attacks (even with auth enabled)
fippo at goodadvice.pages.de
Fri Apr 30 07:24:57 UTC 2021
> And yet:
I can never resist responding to someone saying this :-)
> I do see live attack traffic on my server on port 3478. I am certain
> it is attack traffic based on the behaviour and specifics, but I won’t go into
> details on a public mailing list (feel free to contact me off-list though).
> I also know that other operators see the same issue on their STUN servers.
I asked around and the consensus was "that is just the random noise that
has been there forever", which has probably gotten bigger during the
pandemic as well but remains noise.
> The cost of relocating your STUN server to another port is small, especially
> if it’s only used by an XMPP service. IMO, the amount of mitigated attack
> traffic (even if it’s just a few kbps per STUN server) is worth that little
It might be more noisy on the default port 3478 so changing that might
help a bit. Please don't use 53 though.
You might also want to configure no-software-attribute in coturn to
reduce the amplification factor.
As Google's STUN servers show, WebRTC clients work fine with just an
xor-mapped-addr in the response, but that requires actual work in coturn,
which sends attributes that are not required, like mapped-addr (which wouldn't be
necessary for clients sending the magic cookie), response origin or
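To make the amplification point concrete, here is an added illustration (not fippo's code and not coturn's) that builds RFC 5389 Binding messages by hand and compares the size of a response that carries only XOR-MAPPED-ADDRESS against one that also carries MAPPED-ADDRESS, RESPONSE-ORIGIN and a SOFTWARE string. The addresses, ports and the software string are constructed placeholders; the code only answers a modern (magic-cookie) client with MAPPED-ADDRESS when asked to, which is the behaviour the post argues is unnecessary.

```python
"""Build and parse minimal STUN (RFC 5389) Binding messages to measure how
much each optional attribute adds to the response size.  Constructed example
for this post; IPv4 only, no authentication, nothing is sent on the wire."""
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
ATTR_RESPONSE_ORIGIN = 0x802B
FAMILY_IPV4 = 0x01


def encode_attr(atype, value):
    """TLV attribute; the value is padded to a 4-byte boundary (RFC 5389 s.15)."""
    pad = (-len(value)) % 4
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad


def encode_message(msg_type, header_tail, attrs):
    """20-byte header: type, body length, then the 16 bytes (cookie + txid)
    copied from the request so the response matches it."""
    body = b"".join(attrs)
    return struct.pack("!HH", msg_type, len(body)) + header_tail + body


def mapped_address(ip, port):
    return struct.pack("!BBH4s", 0, FAMILY_IPV4, port, socket.inet_aton(ip))


def xor_mapped_address(ip, port):
    """Port is XORed with the top 16 bits of the cookie, the address with all 32."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)


def has_magic_cookie(request):
    """RFC 5389 clients put the magic cookie in bytes 4..8; RFC 3489 clients don't."""
    return len(request) >= 20 and struct.unpack("!I", request[4:8])[0] == MAGIC_COOKIE


def binding_request(txid):
    """A bare Binding request from a modern client: 20-byte header, no attributes."""
    return encode_message(BINDING_REQUEST, struct.pack("!I", MAGIC_COOKIE) + txid, [])


def binding_response(request, client_ip, client_port, always_mapped=False,
                     origin=None, software=None):
    """Success response.  A cookie-bearing client only needs XOR-MAPPED-ADDRESS;
    MAPPED-ADDRESS is added only for legacy clients unless always_mapped is set.
    origin=(ip, port) adds RESPONSE-ORIGIN, software adds a SOFTWARE string."""
    attrs = []
    if has_magic_cookie(request):
        attrs.append(encode_attr(ATTR_XOR_MAPPED_ADDRESS,
                                 xor_mapped_address(client_ip, client_port)))
    if always_mapped or not has_magic_cookie(request):
        attrs.append(encode_attr(ATTR_MAPPED_ADDRESS,
                                 mapped_address(client_ip, client_port)))
    if origin is not None:
        attrs.append(encode_attr(ATTR_RESPONSE_ORIGIN, mapped_address(*origin)))
    if software:
        attrs.append(encode_attr(ATTR_SOFTWARE, software.encode()))
    return encode_message(BINDING_SUCCESS, request[4:20], attrs)


def parse_attributes(message):
    """Walk the TLV body and return {type: raw value}."""
    msg_len = struct.unpack("!H", message[2:4])[0]
    attrs, pos, end = {}, 20, 20 + msg_len
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", message[pos:pos + 4])
        attrs[atype] = message[pos + 4:pos + 4 + alen]
        pos += 4 + alen + ((-alen) % 4)
    return attrs


def decode_address(value, xored):
    family, port, raw = struct.unpack("!xBH4s", value)
    addr = struct.unpack("!I", raw)[0]
    if xored:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return socket.inet_ntoa(struct.pack("!I", addr)), port


def reflexive_address(response):
    """The client's public address as seen by the server, preferring XOR form."""
    attrs = parse_attributes(response)
    if ATTR_XOR_MAPPED_ADDRESS in attrs:
        return decode_address(attrs[ATTR_XOR_MAPPED_ADDRESS], xored=True)
    return decode_address(attrs[ATTR_MAPPED_ADDRESS], xored=False)


def amplification(request, response):
    """Bytes sent back per byte received; what a reflector's victim pays for."""
    return len(response) / len(request)


if __name__ == "__main__":
    req = binding_request(b"\x01" * 12)                     # constructed txid
    lean = binding_response(req, "203.0.113.5", 51234)       # constructed client
    chatty = binding_response(req, "203.0.113.5", 51234, always_mapped=True,
                              origin=("198.51.100.9", 3478),
                              software="Example STUN server 1.0")  # placeholder
    print("lean:  ", len(lean), "bytes, factor", amplification(req, lean))
    print("chatty:", len(chatty), "bytes, factor", amplification(req, chatty))
    print("client sees itself as", reflexive_address(chatty))
```

The lean response is 32 bytes against a 20-byte request (factor 1.6); adding MAPPED-ADDRESS, RESPONSE-ORIGIN and a 23-character SOFTWARE string takes it to 84 bytes (factor 4.2). Dropping the SOFTWARE attribute (no-software-attribute in coturn) removes the largest and least useful part of that growth, which is why it is the cheapest knob to turn.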