How to prevent abuse by using amplification/reflection DoS attack?
paulmenzel opened this issue · 2 comments
paulmenzel commented
The DFN-CERT sent the warning below for our STUN server:
Ereignistyp: Configuration/Amplifier
Zeitstempel: 2023-12-03 02:27:47+00:00
Anzahl: 4
Beschreibung: Auf dem System scheint ein Dienst betrieben zu werden, der
potentiell für reflektierte DoS-Angriffe genutzt werden
kann. Das heißt dieser Dienst antwortet auf Anfragen mit
gefälschter Absenderadresse und schickt dabei Antworten die
ein vielfaches der Größe der Anfrage haben.
Zuletzt gesehen IP-Protokoll Port Dienst
---------------------------------------------------------
2023-12-01 02:27:33+00:00 UDP 3478 STUN
2023-12-01 02:27:33+00:00 UDP 3478 STUN
2023-12-02 07:55:22+00:00 UDP 3478 STUN
2023-12-03 02:27:47+00:00 UDP 3478 STUN
As I am ignorant about these things, could a security section be added to the README, what risks are to be weighed?
licaon-kter commented
Change the default ports for starters.
XMPP clients will get the info via XEP-0215.
weiss commented
The DFN-CERT sent the warning below for our STUN server
We got the same email 😄
Unfortunately, there's no proper fix, as:
- per the spec, servers reply to unauthenticated requests, and
- it's not possible to reduce the amplification factor to 1 without breaking compatibility (at least the factor isn't anywhere as bad as with some other protocols, e.g. DNS).
As for workarounds, the only general recommendation is the one @licaon-kter mentioned, i.e. using a non-standard port. I guess the DFN-CERT might still discover you, but chances are the script kiddies won't. I was pondering with adding this hint to the documentation indeed.