Don’t let your firewalls be a STUN DDoS reflector.

Barry Greene
3 min read · Aug 14, 2022

(Last Updated On: August 13, 2022)

Your firewalls can be used as a STUN DDoS reflector to attack others on the Internet. Open UDP firewall ports for STUN (Session Traversal Utilities for NAT) are being exploited for DDoS reflection. Your network is most likely one of those networks.

Shadowserver now detects 101K IPv4 and 2.9K IPv6 accessible UDP STUN services. These can be abused for reflection/amplification DDoS attacks (IPv4 amplification factor around 4, IPv6 amplification factor around 6). Most of the open UDP STUN services are in the US and Germany. Every one of them can serve as a STUN DDoS reflector. You can stop this and keep DDoS miscreants from using your network and firewall for criminal gain: turning off UDP STUN or applying ACLs on the UDP STUN ports prevents STUN DDoS reflector abuse.

Shadowserver’s 2022-08-11 update on vulnerable STUN devices

What is STUN?

As described on Wikipedia, STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications. Most firewall devices have the STUN UDP ports open.
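An added example (not from the original post) showing where the amplification comes from: a STUN Binding Request is a bare 20-byte header, while the Binding Success Response a server returns carries XOR-MAPPED-ADDRESS and usually SOFTWARE and other attributes, so each unsolicited request reaching an open UDP STUN port sends several times as many bytes back to whatever source address the request carried. The transaction ID, addresses, port and software string below are constructed sample values, and the builder stands in for a server's reply rather than any particular product.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 magic cookie, bytes 4..7 of every header
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS, SOFTWARE = 0x0020, 0x8022

def binding_request(tx_id: bytes) -> bytes:
    # A Binding Request is nothing but the 20-byte header: type, length 0, cookie, tx id.
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tx_id

def _xor_key(tx_id: bytes, family: int) -> bytes:
    # XOR-MAPPED-ADDRESS hides the address behind the cookie (IPv4) or cookie + tx id (IPv6).
    return struct.pack("!I", MAGIC_COOKIE) + (tx_id if family == 0x02 else b"")

def build_binding_success(tx_id: bytes, ip: str, port: int, software: bytes = b"") -> bytes:
    # Encode the response a STUN server sends back (constructed sample, not a real server).
    addr = ipaddress.ip_address(ip)
    family = 0x01 if addr.version == 4 else 0x02
    xaddr = bytes(a ^ b for a, b in zip(addr.packed, _xor_key(tx_id, family)))
    value = struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    body = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    if software:                    # optional attribute; attributes are padded to 4 bytes
        body += struct.pack("!HH", SOFTWARE, len(software)) + software + b"\0" * (-len(software) % 4)
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + tx_id + body

def parse_stun(data: bytes) -> dict:
    # Decode header and attributes; reject anything that is not RFC 5389 framed STUN.
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or msg_len != len(data) - 20:
        raise ValueError("not a well-formed STUN message")
    tx_id, attrs, pos = data[8:20], {}, 20
    while pos + 4 <= len(data):
        a_type, a_len = struct.unpack("!HH", data[pos:pos + 4])
        attrs[a_type] = data[pos + 4:pos + 4 + a_len]
        pos += 4 + (a_len + 3) // 4 * 4
    result = {"type": msg_type, "attrs": attrs}
    if XOR_MAPPED_ADDRESS in attrs:
        v = attrs[XOR_MAPPED_ADDRESS]
        port = struct.unpack("!H", v[2:4])[0] ^ (MAGIC_COOKIE >> 16)
        raw = bytes(a ^ b for a, b in zip(v[4:], _xor_key(tx_id, v[1])))
        result["mapped"] = (str(ipaddress.ip_address(raw)), port)
    return result

def amplification_factor(response: bytes, request: bytes) -> float:
    # Bytes a reflector sends to the spoofed victim per byte the attacker had to send.
    return len(response) / len(request)
```

Real servers add MAPPED-ADDRESS, RESPONSE-ORIGIN, FINGERPRINT and similar attributes on top of these, which is how Shadowserver's measured factors grow to roughly 4 and 6.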

Mitigating the DDoS Reflection Risk

Two techniques work. The first option is to turn off UDP STUN and use only TCP STUN. This is configured on the firewall, NAT, CGNAT, or other device terminating the sessions. The second option is to filter UDP STUN on these ports:

UDP/3478

UDP/8088

UDP/37833

How can I find all the UDP STUN services on my network?

The Shadowserver Accessible STUN Service Report lists all the UDP STUN devices in your ASN(s), IP ranges (IPv4 and IPv6), and other parts of your network.

(See the sample report and field descriptions on the Accessible STUN Service Report page.)

Shadowserver’s free Network Reports are the most cost-effective, underutilized security tools you can use to reduce network risk. You don’t need to pay for threat intelligence on your network until you have cleaned up all the issues found through Shadowserver’s Network reporting.

You can find out more about using Shadowserver’s reports in your network by watching these videos:

ThaiNOG 2022 — An Impactful Security BCP — Thailand Network Operations Group was co-located with BKNIX

Securing Your Network Using Shadowserver’s Daily Network Reports is a webinar that walks organizations through how these daily reports are used by organizations large and small, all as a public benefit (https://youtu.be/RQ3BzWgocpI). It was presented at the Singapore Network Operations Group (SGNOG) last year.

References on STUN DDoS Reflection Risk

Are you looking for more practical, low-cost security Advice?

The materials and guides posted on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security guidance for all operators, with details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.

Originally published at https://www.senki.org on August 14, 2022.
