• Arbor Networks - DDoS Experts
  • DDoS

Session Traversal Utilities for NAT (STUN) Reflection/Amplification

DDoS Attack Mitigation Recommendations

Session Traversal Utilities for NAT (STUN) Reflection/Amplification
by Roland Dobbins, Steinthor Bjarnason on

ASERT Threat Summary

Date/Time: 2Jun2021 1600UTC
Severity: Warning
Distribution: TLP: WHITE
Categories: Availability
Contributors: Chris Conrad, Jon Belanger, Hardik Modi

Summary

ASERT recently discovered an increase in Session Traversal Utilities for NAT (STUN) protocol (see below) attacks targeting NETSCOUT customers. These attacks leverage vulnerable systems running STUN services and enable adversaries to launch UDP-based reflection/amplification attacks against a target of their choosing. We have seen an amplification factor of 2.32 to 1 with approximately 75,000 abusable STUN servers in the wild. The availability of vulnerable STUN servers, its amplification factor, and its inclusion into weaponized tools by adversaries makes STUN a problem for any organization, and the guidance provided by ASERT in this summary will give organizations the understanding and knowledge to properly defend against and mitigate these types of attacks.

Key Findings

 

  • Adversaries weaponized vulnerable STUN servers by adding the UDP distributed-denial-of-service (DDoS) attack vector to their DDoS-for-hire services.
  • Although the amplification factor is smaller than many others at 2.32 to 1, the use of STUN in reflection/amplification DDoS attacks has become increasingly prevalent due to the perceived difficulty of mitigating amplified STUN attack traffic without incurring unacceptable levels of overblocking.
  • The collateral impact of STUN reflection/amplification attacks is potentially quite high if those STUN servers are also TURN servers used for relaying WebRTC multimedia traffic such as that associated with popular voice/videoconferencing systems.
  • Applying the recommended actions outlined below will allow organizations to better understand and defend against attacks leveraging the STUN protocol.

 

What is STUN?

STUN is a protocol used to effectuate mappings between ‘inside’ and ‘outside’ IP addresses and protocol ports for hosts situated behind NAT installations. It is utilized by various services such as Session Initiation Protocol (SIP), Interactivity Connectivity Establishment (ICE), and Travels Using Relays around NAT (TURN). STUN may be configured to operate over both TCP and UDP transports.

Analysis

STUN services listening on UDP/3478, UDP/8088, and UDP/37833 may be abused to launch UDP reflection/amplification attacks with an average amplification ratio of 2.32:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from any of the three listed UDP ports and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. The amplified attack packets range from 48 bytes (the vast majority of attack traffic) to 1452 bytes in length. 75,556 abusable STUN servers have been identified to date.

Observed attack bandwidth (bps) sizes range from ~15 Gbps to ~60 Gbps for single-vector STUN reflection/amplification attacks and up to an aggregate 2 Tbps for multivector attacks that include STUN as a component. The highest observed throughput (pps) for a single-vector STUN reflection/amplification attack is ~6 Mpps and up to an aggregate ~836.3 Mpps for multivector attacks that include STUN as a component. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, STUN reflection/amplification has been weaponized and added to the arsenals of so-called ‘booter/stresser’ DDoS-for-hire services, placing it within the reach of the general attacker population.

Although the average STUN amplified attack traffic yield of 2.32:1 is relatively low compared with other vectors, the use of STUN in reflection/amplification DDoS attacks has become increasingly prevalent due to the perceived difficulty of mitigating amplified STUN attack traffic without incurring unacceptable levels of overblocking.

Collateral Impact

The collateral impact of STUN reflection/amplification attacks is potentially quite high for organizations whose STUN servers are abused as reflectors/amplifiers. This is particularly true if those STUN servers are also TURN servers used for relaying WebRTC multimedia traffic such as that associated with popular voice/videoconferencing systems. (All TURN servers are also STUN servers, although the converse is not the case). Abuse of STUN servers as reflectors/amplifiers may result in partial or full interruption of NAT traversal capability and a concomitant degradation or loss of general internet connectivity for STUN-dependent user populations, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of NAT installations, stateful firewalls, load-balancers, etc.

Wholesale filtering of all UDP/3478-, UDP/8088-, and UDP/37833-sourced traffic by network operators may potentially overblock legitimate internet traffic, resulting in significant service disruption per the above-mentioned use cases. 

Mitigating Factors

Collateral impact to abusable STUN servers can alert systems administrators to disable STUN UDP services and configure STUN to run in TCP mode only.

Recommended Actions

Network operators should perform reconnaissance to identify and remediate abusable STUN servers on their networks and/or the networks of their downstream customers.

All relevant network infrastructure, architectural, and operational Best Current Practices (BCPs) should be implemented by network operators.

Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational BCPs have been implemented, including situationally specific network-access policies that only permit internet traffic via required IP protocols and ports. Internet-access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links. 

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to organization’s servers/services/applications are incorporated into its DDoS defense plan. Both organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or the Arbor Technical Assistance Center (ATAC) may be consulted with regards to optimal countermeasure selection and employment.

Applicable NETSCOUT Arbor Solutions: Arbor SightlineArbor TMSArbor AEDArbor Cloud

References

https://datatracker.ietf.org/doc/html/rfc8489

ASERT Threat Summary: Session Traversal Utilities for NAT (STUN) Reflection/Amplification DDoS Attack Mitigation Recommendations - May 2021 - v1.0.

Posted In
  • Arbor Networks - DDoS Experts
  • DDoS Tools and Services
  • Attacks and DDoS Attacks
Subscribe

Sign up now to receive the latest notifications and updates from NETSCOUT's ASERT.