Network security experts have found an increase in attacks using Session Traversal Utilities for NAT (STUN).
STUN servers exist so that devices connected to the Internet can learn their external IP address, which they need in order to communicate correctly with other resources on the Internet. The overwhelming majority of devices, however, reach the Internet through a local-network gateway that performs NAT (in simple words, through a router that issues local network IP addresses to computers, not “external” IP addresses).
This is where the STUN server comes into play: a computer on the local network sends a packet to the STUN server, which receives it and sends it back, “signing” the packet with the address and port number from which it received it. As soon as the computer receives the signed packet, it “learns” its external IP and gateway address and can “communicate” with other resources on the Internet.
According to a press release from Netscout, the new attacks exploit vulnerable systems running STUN services and allow attackers to launch UDP reflection/amplification attacks against their chosen target. Today there are more than 75 thousand vulnerable servers on the network; during an attack, the number of requests from them can be increased up to 3 times and directed at the victim's IT infrastructure. The ubiquity of vulnerable STUN servers and the traffic amplification they achieve make STUN a challenge for any organization. IT security professionals make the following topical recommendations in this regard.
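As an added illustration of the STUN exchange described above (not part of the original article or of Netscout's material), the sketch below builds a Binding request and a Binding success response in the RFC 5389 wire format, decodes the address the server echoes back, and measures how much larger the response is than the request. The function names, the transaction ID, the `example-stun` software string and the documentation-range address are constructed for the example; nothing is sent on the network.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442            # fixed value in every STUN header
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS, SOFTWARE = 0x0020, 0x8022

def build_message(msg_type, txid, attrs=()):
    """Serialize a STUN message: 20-byte header plus 4-byte-padded attributes."""
    body = b""
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type, len(value)) + value
        body += b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body

def xor_mapped_ipv4(ip, port):
    """Encode the source IPv4 address and port the server saw on the request."""
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), xaddr)

def parse_mapped_address(message):
    """Return (ip, port) from a Binding success response, else None."""
    if len(message) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", message[:8])
    if (msg_type, cookie, length) != (BINDING_SUCCESS, MAGIC_COOKIE, len(message) - 20):
        return None
    offset = 20
    while offset + 4 <= len(message):
        attr_type, attr_len = struct.unpack("!HH", message[offset:offset + 4])
        value = message[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:])
            ip = ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)
            return str(ip), xport ^ (MAGIC_COOKIE >> 16)
        offset += 4 + attr_len + (-attr_len % 4)
    return None

def amplification_ratio(request, response):
    """Bytes sent to the mapped address per byte of request."""
    return len(response) / len(request)

# Constructed sample exchange; 203.0.113.7 is a documentation-range address.
TXID = bytes(range(12))
REQUEST = build_message(BINDING_REQUEST, TXID)
RESPONSE = build_message(BINDING_SUCCESS, TXID, [
    (XOR_MAPPED_ADDRESS, xor_mapped_ipv4("203.0.113.7", 54321)),
    (SOFTWARE, b"example-stun"),
])
```

The response is addressed to whatever source address the request carried, so the same size comparison applied to captured traffic shows how many bytes a given server returns per request byte.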