<snip/>
And yet:
I can never resist someone saying this :-)
> I do see live attack traffic on my server on port 3478. I am certain it is attack traffic based on the behaviour and specifics, but I won’t go into details on a public mailing list (feel free to contact me off-list though). I also know that other operators see the same issue on their STUN servers.
I asked around and the consensus was "that is just the random noise that has been there forever". Which probably has gotten bigger in the pandemic as well but remains noise.
> The cost of relocating your STUN server to another port is small, especially if it’s only used by an XMPP service. IMO, the amount of mitigated attack traffic (even if it’s just a few kbps per STUN server) is worth that little effort.
It might be more noisy on the default port 3478, so changing that might help a bit. Please don't use 53 though.
> You might also want to configure no-software-attribute in coturn to reduce the amplification factor.
As Google's STUN servers show, WebRTC clients work fine with just an xor-mapped-addr in the response, but that requires actual work in coturn, which sends attributes that are not required, like mapped-addr (which wouldn't be necessary for clients sending the magic cookie), response-origin or other-address.
cheers
Philipp
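To put numbers on the amplification point made in the mail, here is an added example (not part of the original message and not coturn code) that builds a 20-byte STUN Binding Request and two Binding Responses for it: one carrying the attributes the mail says coturn sends (MAPPED-ADDRESS, XOR-MAPPED-ADDRESS, RESPONSE-ORIGIN, OTHER-ADDRESS, plus a SOFTWARE string), the other carrying only XOR-MAPPED-ADDRESS, and compares their sizes. The wire layout follows RFC 5389 (RFC 5780 for the RESPONSE-ORIGIN and OTHER-ADDRESS type codes); it is IPv4 only, and the addresses, ports and SOFTWARE string are constructed sample values, not anything taken from a real server.

```python
"""Size of a coturn-style STUN Binding Response vs. an XOR-MAPPED-ADDRESS-only one.
Added example (not from the mail, not coturn code). RFC 5389 wire format, IPv4 only;
addresses, ports and the SOFTWARE string are constructed sample values."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101

ATTR_MAPPED_ADDRESS = 0x0001      # RFC 5389, comprehension-required
ATTR_XOR_MAPPED_ADDRESS = 0x0020  # RFC 5389, comprehension-required
ATTR_SOFTWARE = 0x8022            # RFC 5389, comprehension-optional
ATTR_RESPONSE_ORIGIN = 0x802B     # RFC 5780, comprehension-optional
ATTR_OTHER_ADDRESS = 0x802C       # RFC 5780, comprehension-optional


def _attr(attr_type, value):
    """TLV attribute: 16-bit type, 16-bit value length, value padded to 4 bytes."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _address(ip, port, xor=False):
    """MAPPED-ADDRESS value (family 0x01 = IPv4). The XOR variant masks the port with the
    top 16 bits of the magic cookie and the address with the whole cookie."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, port, addr)


def _message(msg_type, cookie_and_tid, attrs):
    """20-byte header: type, attribute length, then 16 bytes (cookie + transaction ID)."""
    body = b"".join(attrs)
    return struct.pack("!HH", msg_type, len(body)) + cookie_and_tid + body


def binding_request(legacy=False):
    """Attribute-less Binding Request (20 bytes). An RFC 5389 client puts the magic cookie
    in bytes 4..8; a legacy RFC 3489 client fills all 16 bytes with a transaction ID."""
    if legacy:
        tid = os.urandom(16)
        while tid[:4] == struct.pack("!I", MAGIC_COOKIE):  # don't look modern by accident
            tid = os.urandom(16)
        return _message(BINDING_REQUEST, tid, [])
    return _message(BINDING_REQUEST, struct.pack("!I", MAGIC_COOKIE) + os.urandom(12), [])


def client_knows_cookie(request):
    """True when the request carries the RFC 5389 magic cookie."""
    return request[4:8] == struct.pack("!I", MAGIC_COOKIE)


def full_response(request, client, server, alternate, software=b"example-stun 1.0"):
    """The attribute set the mail says coturn emits: MAPPED-ADDRESS, XOR-MAPPED-ADDRESS,
    RESPONSE-ORIGIN, OTHER-ADDRESS and SOFTWARE (placeholder string, not coturn's)."""
    return _message(BINDING_SUCCESS, request[4:20], [
        _attr(ATTR_MAPPED_ADDRESS, _address(*client)),
        _attr(ATTR_XOR_MAPPED_ADDRESS, _address(*client, xor=True)),
        _attr(ATTR_RESPONSE_ORIGIN, _address(*server)),
        _attr(ATTR_OTHER_ADDRESS, _address(*alternate)),
        _attr(ATTR_SOFTWARE, software),
    ])


def minimal_response(request, client):
    """Only what the client can use: XOR-MAPPED-ADDRESS if the request carried the cookie,
    plain MAPPED-ADDRESS for an RFC 3489 client, which would not understand the XOR
    variant (it is comprehension-required)."""
    if client_knows_cookie(request):
        attrs = [_attr(ATTR_XOR_MAPPED_ADDRESS, _address(*client, xor=True))]
    else:
        attrs = [_attr(ATTR_MAPPED_ADDRESS, _address(*client))]
    return _message(BINDING_SUCCESS, request[4:20], attrs)


def parse_attributes(message):
    """Return {attribute_type: raw_value} by walking the padded TLVs after the header."""
    length = struct.unpack("!H", message[2:4])[0]
    attrs, offset = {}, 20
    while offset < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", message[offset:offset + 4])
        attrs[attr_type] = message[offset + 4:offset + 4 + attr_len]
        offset += 4 + attr_len + ((-attr_len) % 4)
    return attrs


def decode_address(value, xor=False):
    """Inverse of _address(); returns (ip, port)."""
    _, family, port, addr = struct.unpack("!BBHI", value)
    assert family == 0x01, "IPv4 only in this example"
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return socket.inet_ntoa(struct.pack("!I", addr)), port


def amplification_factor(request, response):
    """Bytes sent back to the (possibly spoofed) source per request byte received."""
    return len(response) / len(request)


if __name__ == "__main__":
    req = binding_request()
    client = ("203.0.113.7", 54321)  # constructed reflexive address
    full = full_response(req, client, ("198.51.100.1", 3478), ("198.51.100.2", 3479))
    mini = minimal_response(req, client)
    print(f"full:    {len(full)} bytes, x{amplification_factor(req, full):.1f}")
    print(f"minimal: {len(mini)} bytes, x{amplification_factor(req, mini):.1f}")
```

With the 20-byte request, the full response is 88 bytes (4.4x, of which 20 bytes is the placeholder SOFTWARE attribute that no-software-attribute would remove) and the XOR-MAPPED-ADDRESS-only response is 32 bytes (1.6x). The `legacy=True` path shows why MAPPED-ADDRESS still has a place for clients that do not send the magic cookie, and `decode_address` checks that the XOR encoding round-trips.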
