Increasing DDoS attacks abusing STUN servers:
According to security research conducted by application and network performance management company NETSCOUT, malicious actors have increasingly been abusing STUN servers as reflectors in distributed denial of service (DDoS) attacks.
Reportedly, DDoS-for-hire services have added STUN reflection/amplification to their attack toolkits.
For those unfamiliar with it, Session Traversal Utilities for NAT (STUN) is a standardized set of methods, including a network protocol, for traversing Network Address Translator (NAT) gateways in real-time voice, video, messaging, and other interactive communications applications. It also lets an application discover the public IP address and port that the NAT has allocated to it: the client sends a small Binding Request to a STUN server, which replies to the packet's source address with the address and port it saw.
According to the research, the amplification ratio is only about 2.32 to 1. Even so, NETSCOUT notes that UDP reflection/amplification attacks exploiting STUN services can be difficult to mitigate without affecting or overblocking legitimate traffic, because the reflected packets are ordinary STUN responses of the kind that real-time communications clients depend on.
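The exchange described above, as an added example that is not part of the original article and not NETSCOUT's code: a minimal encoder/decoder for the RFC 5389 Binding Request and Binding Response, with a function that computes the amplification factor as response bytes per request byte. The attribute set on the constructed response (XOR-MAPPED-ADDRESS, SOFTWARE, FINGERPRINT), the software string "example-stun/1.0", and the victim address 203.0.113.7:54321 are assumptions chosen for illustration; real servers answer with different attribute sets, which is why the factor measured in the wild differs from this toy's.

```python
"""Minimal STUN (RFC 5389) Binding Request/Response codec.

Added example, not NETSCOUT's code and not from the original article.
It shows the mechanics behind STUN reflection/amplification: a 20-byte
Binding Request carrying a spoofed source address makes the server send
a larger Binding Response to that address. The attribute set on the
constructed response is an assumption; real servers vary.
"""
import os
import socket
import struct
import zlib
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E  # RFC 5389 section 15.5
HEADER = struct.Struct("!HHI12s")  # type, length, magic cookie, transaction ID


def build_binding_request(transaction_id: Optional[bytes] = None) -> bytes:
    """20-byte Binding Request with no attributes; the smallest useful STUN packet."""
    txid = transaction_id if transaction_id is not None else os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def _attr(attr_type: int, value: bytes) -> bytes:
    """TLV attribute; the length field excludes the 4-byte alignment padding."""
    padding = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * padding


def _xor_mapped_address(ip: str, port: int) -> bytes:
    """IPv4 XOR-MAPPED-ADDRESS: port and address are XORed with the magic cookie."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def build_binding_response(request: bytes, src_ip: str, src_port: int,
                           software: Optional[str] = "example-stun/1.0",
                           fingerprint: bool = True) -> bytes:
    """What a server sends back to the packet's *source* address. With UDP that
    address is unauthenticated, so a spoofed request steers this response at a victim."""
    msg_type, _, cookie, txid = HEADER.unpack(request[:HEADER.size])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    body = _attr(ATTR_XOR_MAPPED_ADDRESS, _xor_mapped_address(src_ip, src_port))
    if software:
        body += _attr(ATTR_SOFTWARE, software.encode())
    if fingerprint:
        # CRC-32 covers the header (whose length already counts the 8-byte
        # FINGERPRINT attribute) plus every attribute before FINGERPRINT.
        head = HEADER.pack(BINDING_SUCCESS, len(body) + 8, MAGIC_COOKIE, txid)
        crc = zlib.crc32(head + body) ^ FINGERPRINT_XOR
        body += _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return HEADER.pack(BINDING_SUCCESS, len(body), MAGIC_COOKIE, txid) + body


def _attributes(message: bytes):
    """Yield (offset, type, value) for each attribute in a STUN message."""
    _, length, _, _ = HEADER.unpack(message[:HEADER.size])
    offset, end = HEADER.size, HEADER.size + length
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", message[offset:offset + 4])
        value = message[offset + 4:offset + 4 + attr_len]
        yield offset, attr_type, value
        offset += 4 + attr_len + (4 - attr_len % 4) % 4


def parse_mapped_address(response: bytes) -> Tuple[str, int]:
    """Recover the public IP/port the server saw; the NAT-discovery use of STUN."""
    for _, attr_type, value in _attributes(response):
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def verify_fingerprint(message: bytes) -> bool:
    """True if a FINGERPRINT attribute is present and matches the preceding bytes."""
    for offset, attr_type, value in _attributes(message):
        if attr_type == ATTR_FINGERPRINT:
            expected = zlib.crc32(message[:offset]) ^ FINGERPRINT_XOR
            return struct.unpack("!I", value)[0] == expected
    return False


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker spoofs (STUN payload
    only; the IP/UDP headers add the same 28 bytes to each side)."""
    return len(response) / len(request)


if __name__ == "__main__":
    req = build_binding_request()
    # Constructed scenario: attacker spoofs victim 203.0.113.7:54321 as the source.
    resp = build_binding_response(req, "203.0.113.7", 54321)
    print("request bytes:", len(req), "response bytes:", len(resp))
    print("server reports mapped address:", parse_mapped_address(resp))
    print("fingerprint ok:", verify_fingerprint(resp))
    print("amplification factor: %.2f:1" % amplification_factor(req, resp))
```

With the assumed attributes the response is 60 bytes against a 20-byte request, a factor of 3.0; stripping SOFTWARE and FINGERPRINT leaves only XOR-MAPPED-ADDRESS and a factor of 1.6. The factor is modest either way, which is the point of the paragraph above: the reflected packets are small and look exactly like the responses legitimate clients expect, so filtering has to rely on rate, source and behaviour rather than on packet size or port alone.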
Numerous STUN servers detected to be abusable:
NETSCOUT identified more than 75,000 STUN servers that could potentially be abused for DDoS attacks, and also observed sizeable multi-vector attacks that involved STUN servers.
“Observed attack bandwidth (bps) sizes range from ~15 Gbps to ~60 Gbps for single-vector STUN reflection/amplification attacks and up to an aggregate 2 Tbps for multivector attacks that include STUN as a component,” noted NETSCOUT.
The highest throughput (pps) the company observed for a single-vector STUN reflection/amplification attack was approximately 6 Mpps, with an aggregate of approximately 836.3 Mpps for multi-vector attacks that included STUN as a component.
Organizations running these servers can also face disruptions of their own when the servers are abused as reflectors, since the spoofed request flood consumes their bandwidth and server capacity.
NETSCOUT has also published a range of mitigations and recommendations for network operators and other organizations on preventing and mitigating DDoS attacks that leverage STUN.