[tram] stun amplification vulnerability

Mészáros Mihály <misi@majd.eu> Tue, 12 October 2021 12:29 UTC

Return-Path: <misi@majd.eu>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4083A0BC0 for <tram@ietfa.amsl.com>; Tue, 12 Oct 2021 05:29:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=majd.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLB27nFkEpWP for <tram@ietfa.amsl.com>; Tue, 12 Oct 2021 05:28:58 -0700 (PDT)
Received: from majd.eu (vps.majd.eu [31.14.139.145]) by ietfa.amsl.com (Postfix) with ESMTP id 2A57A3A0BBB for <tram@ietf.org>; Tue, 12 Oct 2021 05:28:56 -0700 (PDT)
Received: from [192.168.1.11] (91-83-34-39.pool.digikabel.hu [91.83.34.39]) by majd.eu (Postfix) with ESMTPSA id CD7085EE2D for <tram@ietf.org>; Tue, 12 Oct 2021 14:28:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=majd.eu; s=mail; t=1634041734; bh=1earh5qi/eVENY2TQTf7FkEHWdK1m/LIvxVnOiAigeo=; h=To:From:Subject:Date:From; b=soBT0CIw5NmyjECOJUAGl0O6Mn9sAjNBmaCGw2KPFW+FLn6wmZGYmkvIen7h4KacJ SeRY1WlRwnJwKPhLt2Ulfrdf7mn1N2zhRaqIgTVOEziLug2ZMfG7YnEBocX3VYj7Eu 8s/AXOhnGRZxclBUUJuPUfniZe/9SUAYp6HhVdfpDjoQP+fnhWjrv41GFhiyrIRYE8 LlXTQblXT1kcvcslaef3OqIAszQKxgM4ARvpuz1rUSHN7pE27m8xJzofQpV6cMIj6Y eBGVI+Kc8dQyVH1zMkRpt5pqb6/YeTB4zfz/3wkQhUJZAgsc6upRv8IAe71ATK9vuP F4b10OO6QtrRg==
To: tram@ietf.org
From: =?UTF-8?B?TcOpc3rDoXJvcyBNaWjDoWx5?= <misi@majd.eu>
Message-ID: <27d1ef5c-0105-ab6a-485a-78ddc9f6bde5@majd.eu>
Date: Tue, 12 Oct 2021 14:28:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/MBHsw2aXtFz7QqV8MBKuQak0LeM>
Subject: [tram] stun amplification vulnerability
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2021 12:29:03 -0000

Hi,

I experienced, that STUN binding requests(udp) came from spoofed/strange
source addresses (from e.g. zoom,valve, etc. address range) to our STUN
servers.

I don't have better explanation for that, probably someone is using our
STUN server responses to attack the spoofed source IPs.

If a STUN server is responding to a binding request it may sends many
attributes(RFC5780 attributes and (for classical backward compatibility)
mapped address, software, fingerprint,  etc.),
this way the request/response gain factor could be ~3x.

STUN should not authenticated, so the attack could be distributed to
many STUN servers easily, but even if STUN request is authenticated,
then 401 response also gives 2x times bigger response.

If STUN not authenticated, then the amount of attack traffic could be
relativity small and distributed in time  (if attack is very well
distributed to many STUN servers).
This way the attacker's traffic could be easily under the radar threshold.

Despite the gain factor 2-3x is not very big, still it seems it has
attracted someones attention.

I am wondering if it worth to add a warning to STUN Security
Consideration about it?

Implementations should consider possibility of this type of attack.
As mitigation implementation may consider to limit the STUN response
only to send one attribute "XOR-MAPPED-ADDRESS", to reduce the gain
factor as close as possible to 1x.

Thanks,
Misi