STUN servers are increasingly being abused for distributed denial-of-service (DDoS) attacks, according to NETSCOUT, an application and network performance management company, which has found tens of thousands of servers that malicious actors could enlist as reflectors.
STUN (Session Traversal Utilities for NAT) is a helper protocol for NAT traversal. A client behind a NAT or firewall sends a Binding Request to a STUN server on the public Internet, and the Binding Response tells the client the public IP address and port that the NAT has mapped it to. Other protocols, notably ICE as used by VoIP and WebRTC applications, build on this to discover the NATs and firewalls between them and the Internet.
NETSCOUT says threat actors have begun adding STUN reflection/amplification as a vector in DDoS-for-hire (booter) services.
The amplification factor is modest, about 2.32 to 1, but UDP reflection/amplification attacks that abuse STUN are harder to mitigate than many other vectors: STUN responses are legitimate traffic for VoIP and WebRTC clients, so indiscriminately filtering UDP port 3478 (the registered STUN port) or all STUN responses at the network edge would also block valid sessions. NETSCOUT has identified more than 75,000 STUN servers that could be used as reflectors, and has observed substantial multi-vector attacks that include STUN as a component.
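To make the amplification figure concrete, here is an added example (it is not NETSCOUT's code, nor taken from any STUN implementation) that builds a 20-byte Binding Request, constructs the kind of Binding Success Response a reflector sends back, parses it, decodes XOR-MAPPED-ADDRESS, and measures the bytes-out/bytes-in ratio. The response contents are constructed for the example: the server software string "example-stun" and the address 203.0.113.7 are made up, and which attributes a real server appends (SOFTWARE, MAPPED-ADDRESS, FINGERPRINT and so on) is what determines its actual amplification, which is why NETSCOUT reports an average rather than a fixed figure. The last function shows the check that lets a host or edge firewall tell reflected traffic from the responses its own clients are waiting for: a Binding Success whose transaction ID was never issued is unsolicited.

```python
"""Minimal STUN (RFC 5389) Binding exchange and reflection checks.
Added example; not NETSCOUT's code.  Addresses and SOFTWARE string are made up."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # plain (non-XORed) reflexive address
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # address XORed with cookie / transaction id
ATTR_SOFTWARE = 0x8022             # comprehension-optional vendor string


def build_binding_request(txn_id=None):
    """A client Binding Request: 20-byte header, no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def _attr(atype, value):
    """TLV-encode one attribute, padding the value to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_binding_response(txn_id, ip, port, software=b"example-stun"):
    """The reply a reflector sends to the (possibly spoofed) source address.
    Constructed for this example; the attribute set chosen here sets the size."""
    raw_ip = socket.inet_aton(ip)
    cookie = struct.pack("!I", MAGIC_COOKIE)
    xport = port ^ (MAGIC_COOKIE >> 16)                     # port XOR top 16 bits of cookie
    xip = bytes(a ^ b for a, b in zip(raw_ip, cookie))      # IPv4 XOR whole cookie
    body = (_attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBH", 0, 0x01, xport) + xip)
            + _attr(ATTR_MAPPED_ADDRESS, struct.pack("!BBH", 0, 0x01, port) + raw_ip)
            + _attr(ATTR_SOFTWARE, software))
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + txn_id + body


def parse_stun(data):
    """Return (msg_type, txn_id, [(attr_type, value), ...]); reject malformed input."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("bad magic cookie or length")
    txn_id, attrs, pos = data[8:20], [], 20
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs.append((atype, value))
        pos += 4 + alen + (-alen) % 4                       # skip value plus padding
    return msg_type, txn_id, attrs


def decode_xor_mapped_address(value, txn_id):
    """Undo the XOR obfuscation to recover the server-reflexive address and port."""
    family, xport = value[1], struct.unpack("!H", value[2:4])[0]
    port = xport ^ (MAGIC_COOKIE >> 16)
    mask = struct.pack("!I", MAGIC_COOKIE) + txn_id           # IPv6 uses cookie + txn id
    if family == 0x01:
        return socket.inet_ntoa(bytes(a ^ b for a, b in zip(value[4:8], mask))), port
    if family == 0x02:
        raw = bytes(a ^ b for a, b in zip(value[4:20], mask))
        return socket.inet_ntop(socket.AF_INET6, raw), port
    raise ValueError("unknown address family")


def amplification_factor(request, response):
    """Bytes the reflector emits toward the victim per byte the attacker sends."""
    return len(response) / len(request)


def is_unsolicited(response, outstanding_txn_ids):
    """Reflection symptom: a Binding Success whose transaction id this host never
    issued.  Dropping only these leaves genuine in-flight STUN exchanges intact."""
    msg_type, txn_id, _ = parse_stun(response)
    return msg_type == BINDING_SUCCESS and txn_id not in outstanding_txn_ids


def demo():
    txn = os.urandom(12)
    req = build_binding_request(txn)
    resp = build_binding_response(txn, "203.0.113.7", 54321)   # made-up public mapping
    _, rtxn, attrs = parse_stun(resp)
    addr = decode_xor_mapped_address(dict(attrs)[ATTR_XOR_MAPPED_ADDRESS], rtxn)
    return addr, len(req), len(resp), amplification_factor(req, resp)


if __name__ == "__main__":
    print(demo())
```

With these three attributes the reply is 60 bytes for a 20-byte request, a 3:1 ratio; a server that returns only XOR-MAPPED-ADDRESS replies in 32 bytes (1.6:1). Note that the attacker never sees the response, so the spoofed request is all that is needed, and rate-limiting Binding Responses per destination on the server side is the operator-side counterpart of the transaction-ID check above.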
“Observed attack bandwidth (bps) sizes range from 15 Gbps to 60 Gbps for single-vector STUN reflection/amplification attacks, and up to 2 Tbps for multivector assaults with STUN as a component,” according to NETSCOUT.
“The greatest observed throughput (pps) for a single-vector STUN reflection/amplification attack is 6 Mpps, and multivector attacks that contain STUN as a component can reach up to an aggregate of 836.3 Mpps,” it continued.
Organisations whose STUN servers are abused as reflectors may also suffer collateral effects, since the reflected traffic consumes their own bandwidth and server capacity.
NETSCOUT has published a set of recommendations for network operators and other organisations on detecting and mitigating DDoS attacks that use STUN.