logo
+44 20 3695 6722+1 (646) 491-62-59
Request protection
Client Portal
DDoS protection
CDN
WAF
VDS/VPS
How it works
For partners
About company
Categories
All articles
Company news
Industry news
Analytics
Articles
Opinion
StormWall edu
Success stories
Events

13 july 2021

STUN Servers increasingly abused for DDoS attacks

STUN vulnerability resume

Network security experts have found an increase in attacks using Session Traversal Utilities for NAT (STUN).

STUN servers are needed on the network so that devices connected to the Internet “know” their external IP address. This is necessary for the correct "communication" of the computer with other resources on the Internet. However, the overwhelming majority of devices are connected to the Internet through a gateway in a local network with a NAT screen (in simple words, through a router that issues local network IP addresses to computers, not “external” IP addresses).

At this stage, the STUN server comes into play: a computer from the local network sends a packet to the STUN server, which receives it and sends it back, “signing” the packet with the address and port number from which it received it. As soon as the computer receives the signed packet, it “learns” its external ip and gateway address and will be able to “communicate” with other resources on the Internet. According to a press release from Netscout, the new attacks exploit vulnerable systems running STUN services and allow attackers to launch UDP reflection / amplification attacks against their chosen target. Today, there are more than 75 thousand vulnerable servers on the network, the number of requests from which during an attack can be increased up to 3 times and direct the victim's IT infrastructure. The ubiquity of vulnerable STUN servers and the traffic amplification they achieve make STUN a challenge for any organization. IT security professionals make the following topical recommendations in this regard.

How to protect against DDoS based on STUN exploit?

  • STUN servers are vulnerable only when they work over UDP. If network administrators configure STUN to run over TCP only, the exploit can be avoided;
  • Network administrators must quickly implement best practices for building and securing networks in their operations to meet the most pressing IT threats;
  • It is recommended to separate the internal traffic of the organization (intranet) from the external one. You should be able to pass traffic from the outside, including through the backup connection channel. In this case, the activities of the back office will not suffer from a large-scale attack from the external network, and if it does happen, then there will be a backup channel of communication with the “outside world”
  • IT infrastructure must be protected by specialized services against DDoS attacks. On-premises DDoS protection services should be combined with cloud or transit DDoS protection services for maximum responsiveness and flexibility during an attack.
Previous article
DDoS Security Guidelines
Next article
The evolution of DDoS attacks from the 90s to the present day

Read also articles:

Company news
Industry news
Analytics
Articles
Opinion
StormWall edu
Success stories
Events
info
We use cookies to make the site faster and more user-friendly. By continuing to use the site you agree to our Privacy Policy
logo footer
+44 20 3695 6722+1 (646) 491-62-59
sales@stormwall.network
facebookinstagramlinkedIntwitter
facebookinstagramlinkedIntwitter
DDoS protectionWebsite protectionSecure hostingSecuring TCP / UDP ServicesNetwork protection (BGP)IP transit
CDN & WAFContent Delivery Network (CDN)Cloud WAF
Servers and VPSVDS/VPS
How it worksHow StormWall worksTechnologiesInstructionsAPIKnowledge base
For partnersFor resellers and service providersWhite LabelBring a friend
CompanyWhy StormWallWe protectedBlogPressAbout StormWall
Payment methodsvisamastercardpaypalapplepaygpayapplepay
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© 2013-2024 StormWall.network. All rights reservedPrivacy Policy