The DFN-CERT sent the warning below for our STUN server:
Event type: Configuration/Amplifier
Timestamp: 2023-12-03 02:27:47+00:00
Count: 4
Description: A service appears to be running on the system that
can potentially be used for reflected DoS attacks.
That is, this service responds to requests with a
spoofed sender address and sends responses that are
a multiple of the size of the request.
Last seen IP protocol Port Service
---------------------------------------------------------
2023-12-01 02:27:33+00:00 UDP 3478 STUN
2023-12-01 02:27:33+00:00 UDP 3478 STUN
2023-12-02 07:55:22+00:00 UDP 3478 STUN
2023-12-03 02:27:47+00:00 UDP 3478 STUN
As I am ignorant about these things, could a security section be added to the README, what risks are to be weighed?
per the spec, servers reply to unauthenticated requests, and
it's not possible to reduce the amplification factor to 1 without breaking compatibility (at least the factor isn't anywhere as bad as with some other protocols, e.g. DNS).
As for workarounds, the only general recommendation is the one @licaon-kter mentioned, i.e. using a non-standard port. I guess the DFN-CERT might still discover you, but chances are the script kiddies won't. I was pondering adding this hint to the documentation indeed.
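The size arithmetic behind the amplification factor mentioned in the reply above, as an added example that is not part of the thread or the project's code: it builds a bare STUN Binding Request and the matching success response in the RFC 5389 message format and compares their UDP payload sizes. The client address and the SOFTWARE string are constructed sample values; real servers may add further attributes.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442            # fixed value from RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022


def stun_message(msg_type, txn_id, attrs=b""):
    """20-byte STUN header followed by already-encoded attributes."""
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + txn_id + attrs


def attribute(attr_type, value):
    """Type-length-value attribute, value padded to a 4-byte boundary."""
    padding = b"\x00" * (-len(value) % 4)
    return struct.pack("!HH", attr_type, len(value)) + value + padding


def xor_mapped_address(ip, port):
    """XOR-MAPPED-ADDRESS for an IPv4 client address."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    return attribute(ATTR_XOR_MAPPED_ADDRESS,
                     struct.pack("!BBHI", 0, 0x01, xport, xaddr))


def amplification(request, response):
    """Response bytes per request byte (UDP payload only, no IP/UDP headers)."""
    return len(response) / len(request)


def demo(software=b""):
    """Return (request size, response size, factor) for one exchange."""
    txn_id = os.urandom(12)
    request = stun_message(BINDING_REQUEST, txn_id)
    attrs = xor_mapped_address("192.0.2.10", 40000)  # constructed client address
    if software:
        attrs += attribute(ATTR_SOFTWARE, software)
    response = stun_message(BINDING_SUCCESS, txn_id, attrs)
    return len(request), len(response), amplification(request, response)


if __name__ == "__main__":
    print(demo())                            # response with only the mandatory attribute
    print(demo(b"example-stun-server 1.0"))  # constructed SOFTWARE value
```

The request carries no attributes while the success response has to carry the reflexive address, which is why the payload ratio stays above 1; every optional attribute the server adds raises it further.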