Posts

Showing posts from June, 2025

Reflection+Amplification attacks abusing TURN servers

Last week there were many messages in the coturn issue tracker about TURN instances being blocked by some cloud providers because those servers had been detected being used to attack other hosts. This is not new: Wire had already reported it and even suggested a mitigation some months ago.

The attacks being carried out in this case are based on two properties of TURN servers:

Reflection: a TURN server, by design, sends the responses to TURN messages to the source IP of the request. If an attacker is able to spoof his source IP address, he can direct the response to his TURN request to any other host he wants.

Amplification: TURN responses are usually bigger than the corresponding requests. This is especially problematic for authentication error responses, which must include a NONCE value to be used in a proper authentication attempt, following the standard authentication mechanism defined in the protocol.

We can see a real example of the second property in a commer...