STUN Servers increasingly abused for DDoS attacks

13 July 2021

STUN vulnerability resume

Network security experts have found an increase in attacks using Session Traversal Utilities for NAT (STUN).

STUN servers are needed on the network so that devices connected to the Internet “know” their external IP address. This is necessary for the correct "communication" of the computer with other resources on the Internet. However, the overwhelming majority of devices are connected to the Internet through a gateway in a local network with a NAT screen (in simple words, through a router that issues local network IP addresses to computers, not “external” IP addresses).

At this stage, the STUN server comes into play: a computer from the local network sends a packet to the STUN server, which receives it and sends it back, “signing” the packet with the address and port number from which it received it. As soon as the computer receives the signed packet, it “learns” its external ip and gateway address and will be able to “communicate” with other resources on the Internet. According to a press release from Netscout, the new attacks exploit vulnerable systems running STUN services and allow attackers to launch UDP reflection / amplification attacks against their chosen target. Today, there are more than 75 thousand vulnerable servers on the network, the number of requests from which during an attack can be increased up to 3 times and direct the victim's IT infrastructure. The ubiquity of vulnerable STUN servers and the traffic amplification they achieve make STUN a challenge for any organization. IT security professionals make the following topical recommendations in this regard.

How to protect against DDoS based on STUN exploit?

  • STUN servers are vulnerable only when they work over UDP. If network administrators configure STUN to run over TCP only, the exploit can be avoided;
  • Network administrators must quickly implement best practices for building and securing networks in their operations to meet the most pressing IT threats;
  • It is recommended to separate the internal traffic of the organization (intranet) from the external one. You should be able to pass traffic from the outside, including through the backup connection channel. In this case, the activities of the back office will not suffer from a large-scale attack from the external network, and if it does happen, then there will be a backup channel of communication with the “outside world”;
  • IT infrastructure must be protected by specialized services against DDoS attacks. On-premises DDoS protection services should be combined with cloud or transit DDoS protection services for maximum responsiveness and flexibility during an attack.