Hi fellow operators,

TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected, amplified DDoS attacks, even with authentication enabled. Roll a few dice and choose a random port number for your STUN server, for the good of the internet.
DESCRIPTION

With the advent of widespread A/V calling support in client connections, many of us have deployed STUN/TURN servers. Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN servers are easy to detect and to abuse in Distributed Denial of Service attacks.

By using source IP address spoofing [1] and exploiting that UDP is connectionless, attackers can make the STUN server send traffic to arbitrary IP addresses via a reflected attack [2]. In some cases, the response of the STUN server will also be larger than the request sent by the client, adding an amplification [3] factor to it.

Unfortunately, the exploited behaviour is part of the normal operation of the STUN protocol. It also happens pre-auth, so adding authentication is not sufficient.

MITIGATION

In order to mitigate those attacks, the current recommendation we worked out is to randomize the port number of your STUN server. As XMPP allows clients to discover STUN servers including their port number (even via a secured channel), this is an easy measure.

Make sure to pick the port number at random, and take care to also correctly configure the alternative STUN port number.

Thanks,
Jonas

[1]: https://en.wikipedia.org/wiki/IP_address_spoofing
[2]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_/_spoofed_attack
[3]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification
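Added example, not part of Jonas's mail or of any STUN server project: a small Python tool that builds the 20-byte pre-auth STUN Binding Request the mail is talking about, parses a Binding Response, and reports the amplification factor (response bytes / request bytes). Because the request carries no credentials and the server answers before any authentication, this is exactly the exchange a spoofed-source attacker triggers. The sample response (XOR-MAPPED-ADDRESS plus a SOFTWARE string and FINGERPRINT, as many servers send) is constructed inline so the measurement runs offline; the `probe()` function at the end is the same check against a live server of your own. All function names, the IP 203.0.113.7 and the software string are assumptions made for this example.

```python
import secrets
import socket
import struct
import zlib

# STUN constants from RFC 5389
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E  # "STUN"


def build_binding_request(txid=None):
    """Header-only Binding Request (20 bytes): no credentials, no attributes.
    This is all a spoofing attacker has to send to trigger a reply."""
    txid = txid or secrets.token_bytes(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _attr(attr_type, value):
    """TLV attribute, value padded to a 4-byte boundary."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def build_binding_response(txid, ip, port, software=None, fingerprint=True):
    """Constructed Binding Response (sample data for this example, not a capture)."""
    ip_int = struct.unpack("!I", socket.inet_aton(ip))[0]
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = ip_int ^ MAGIC_COOKIE
    body = _attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, xport, xaddr))
    if software:
        body += _attr(ATTR_SOFTWARE, software.encode())  # optional, but it grows the reply
    if fingerprint:
        # CRC-32 over the message up to the FINGERPRINT attribute, with the
        # header length already counting the 8 bytes of the attribute itself.
        hdr = struct.pack("!HHI", BINDING_RESPONSE, len(body) + 8, MAGIC_COOKIE) + txid
        crc = zlib.crc32(hdr + body) ^ FINGERPRINT_XOR
        body += _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return struct.pack("!HHI", BINDING_RESPONSE, len(body), MAGIC_COOKIE) + txid + body


def parse_stun(data):
    """Parse header and attributes; returns (msg_type, txid, {attr_type: raw value})."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid = data[8:20]
    attrs = {}
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (4 - alen % 4) % 4
    return msg_type, txid, attrs


def decode_xor_mapped_address(value):
    """Undo the XOR with the magic cookie (IPv4 only in this example)."""
    family, xport, xaddr = struct.unpack("!xBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 handled here")
    port = xport ^ (MAGIC_COOKIE >> 16)
    ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
    return ip, port


def fingerprint_ok(data):
    """True if the last attribute is a FINGERPRINT whose CRC matches the bytes before it."""
    if len(data) < 28 or struct.unpack("!H", data[-8:-6])[0] != ATTR_FINGERPRINT:
        return False
    expected = struct.unpack("!I", data[-4:])[0]
    return (zlib.crc32(data[:-8]) ^ FINGERPRINT_XOR) == expected


def amplification_factor(request, response):
    """Bytes the reflector emits per byte the (spoofed) client sends."""
    return len(response) / len(request)


def probe(host, port, timeout=2.0):
    """Live check against your own server: returns (req_len, resp_len, factor)."""
    req = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        resp, _ = s.recvfrom(1500)
    _, txid, _ = parse_stun(resp)
    if txid != req[8:20]:
        raise ValueError("transaction id mismatch")
    return len(req), len(resp), amplification_factor(req, resp)


if __name__ == "__main__":
    t = secrets.token_bytes(12)
    req = build_binding_request(t)
    resp = build_binding_response(t, "203.0.113.7", 54321, software="ExampleSTUN/1.0")
    print(len(req), len(resp), amplification_factor(req, resp), fingerprint_ok(resp))
```

Run `probe("stun.example.org", 3478)` against your own deployment to see the real numbers. A bare XOR-MAPPED-ADDRESS reply is 32 bytes against a 20-byte request (factor 1.6); a SOFTWARE string and FINGERPRINT push the constructed sample above to 60 bytes (factor 3.0). Dropping the SOFTWARE attribute reduces the factor but does not remove the reflection, which is why the mail recommends a random port rather than tuning the response.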