On 28.04.21 at 17:37, Jonas Schäfer wrote:
> Hi fellow operators,
>
> TL;DR: STUN/TURN servers are vulnerable to abuse to facilitate reflected
> amplified DDoS attacks even with authentication enabled. Roll a few dice and
> choose a random port number for your STUN server for the better of the
> internet.
>
> DESCRIPTION
>
> With the advent of widespread A/V calling support in client connections, many
> of us have deployed STUN/TURN servers.
>
> Because of inherent flaws in the UDP, STUN and TURN protocols, STUN/TURN
> servers are easy to detect and to abuse in Distributed Denial of Service
> attacks.
>
> By using source IP address spoofing [1] and exploiting that UDP is
> connectionless, attackers can make the STUN server send traffic to arbitrary
> IP addresses via a reflected attack [2].

which is described in
https://tools.ietf.org/html/rfc5389#section-16.2.1, no?

> In some cases, the response of the STUN server will also be larger than the
> request sent by the client, adding an amplification [3] factor to it.

which from what I can see is less than two and can be brought closer to
1 with minimal tuning.

Why do you think that is attractive as an attack vector?
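The amplification factor under discussion is simply the ratio of response bytes to request bytes, and for a STUN Binding transaction it can be computed from the RFC 5389 wire format alone. The following is an added example, not code from this thread or from any STUN implementation: it builds a minimal Binding Request (a bare 20-byte header), builds Binding Success Responses with and without the optional SOFTWARE and FINGERPRINT attributes, parses them back, and reports the ratio. The transaction ID, reflexive address and the `example-stun/1.0` software string are constructed values; function names are this example's own. It shows why stripping optional attributes from the response brings the factor closer to 1.

```python
import ipaddress
import struct
import zlib

# RFC 5389 constants (real values from the specification)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E


def stun_header(msg_type: int, body_len: int, txid: bytes) -> bytes:
    """20-byte STUN header: type, body length, magic cookie, 96-bit transaction ID."""
    return struct.pack("!HHI12s", msg_type, body_len, MAGIC_COOKIE, txid)


def attribute(atype: int, value: bytes) -> bytes:
    """TLV attribute; the length field excludes padding, the wire form is padded to 4."""
    padding = b"\x00" * ((4 - len(value) % 4) % 4)
    return struct.pack("!HH", atype, len(value)) + value + padding


def xor_mapped_address(ip: str, port: int) -> bytes:
    """IPv4 XOR-MAPPED-ADDRESS value: port and address XORed with the magic cookie."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int.from_bytes(ipaddress.IPv4Address(ip).packed, "big") ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, x_port, x_addr)


def decode_xor_mapped_address(value: bytes) -> tuple:
    _, family, x_port, x_addr = struct.unpack("!BBHI", value)
    if family != 0x01:
        raise ValueError("only IPv4 handled in this example")
    return str(ipaddress.IPv4Address(x_addr ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16)


def build_binding_request(txid: bytes) -> bytes:
    """The smallest valid request a client (or a spoofing sender) needs: header only."""
    return stun_header(BINDING_REQUEST, 0, txid)


def build_binding_response(txid: bytes, ip: str, port: int,
                           software: str = None, fingerprint: bool = False) -> bytes:
    """Success response with mandatory XOR-MAPPED-ADDRESS plus optional attributes."""
    body = attribute(ATTR_XOR_MAPPED_ADDRESS, xor_mapped_address(ip, port))
    if software:
        body += attribute(ATTR_SOFTWARE, software.encode("utf-8"))
    if fingerprint:
        # CRC-32 covers the header (with length including the 8-byte FINGERPRINT
        # attribute) and every attribute before FINGERPRINT, XORed with 0x5354554e.
        hdr = stun_header(BINDING_SUCCESS, len(body) + 8, txid)
        crc = zlib.crc32(hdr + body) ^ FINGERPRINT_XOR
        body += attribute(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return stun_header(BINDING_SUCCESS, len(body), txid) + body


def parse_attributes(msg: bytes) -> dict:
    """Walk the attribute list; returns {type: raw value} and checks the cookie."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed RFC 5389 message")
    attrs, off = {}, 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs[atype] = msg[off + 4:off + 4 + alen]
        off += 4 + alen + ((4 - alen % 4) % 4)
    return attrs


def verify_fingerprint(msg: bytes) -> bool:
    """True when the trailing FINGERPRINT attribute matches the message."""
    atype, alen, crc = struct.unpack("!HHI", msg[-8:])
    if atype != ATTR_FINGERPRINT or alen != 4:
        return False
    return (zlib.crc32(msg[:-8]) ^ FINGERPRINT_XOR) == crc


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes reflected per byte received: the quantity the thread argues about."""
    return len(response) / len(request)


if __name__ == "__main__":
    txid = b"\x01" * 12                       # constructed transaction ID
    req = build_binding_request(txid)
    for label, resp in [
        ("minimal", build_binding_response(txid, "198.51.100.7", 40000)),
        ("+SOFTWARE", build_binding_response(txid, "198.51.100.7", 40000,
                                             software="example-stun/1.0")),
        ("+SOFTWARE+FINGERPRINT", build_binding_response(
            txid, "198.51.100.7", 40000, software="example-stun/1.0", fingerprint=True)),
    ]:
        print(f"{label:22s} {len(req):3d} -> {len(resp):3d} bytes, "
              f"factor {amplification_factor(req, resp):.2f}")
```

The minimal response (header plus XOR-MAPPED-ADDRESS) is 32 bytes against a 20-byte request, a factor of 1.6; each optional attribute the server adds raises it, so a deployment that wants the factor near 1 omits SOFTWARE and anything else the client did not ask for.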