MEDIUM: Accessible STUN Service Report

DESCRIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: MEDIUM

Introduction

This report identifies accessible STUN (Session Traversal Utilities for NAT)  servers on port 3478/udp. As described on Wikipedia, STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications.

The STUN service is known to be a potential UDP message amplifier, that can be abused for reflected DDoS attacks. DDoS security considerations related to STUN can be found in RFC8445 “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal”.

See RFC5389 for more details on the STUN protocol.

As of 2022-08-11 we find 101,146 STUN servers on IPv4, with an average amplification factor of 3.98 and median amplification factor of 4.40

As of 2022-08-11 we find 2,909 STUN servers on IPv6, with an average amplification factor of 5.85 and median amplification factor of 6.90

How we scan 

We scan by sending a 20 byte blank STUN message: \x00\x01\x00\x00\x21\x12\xa4\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 packet to port 3478/UDP. You can read more on the packet structure in the Phenomite research here.

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track latest STUN scan results on the Shadowserver Dashboard.

Mitigation

Consider using STUN over TCP instead by default.

If your STUN service is accessible publicly unintentionally and you receive this report from us for your network or constituency make sure to firewall traffic to this service.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report has an IPv4 and IPv6 version.

Filename: scan_stun, scan6_stun

 

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always UDP)
  • port
    Port that the response came from (typically port 3478)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "stun"
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the identified device belongs to
  • transaction_id
    Used to correlate requests and responses
  • magic_cookie
    Used to demultiplex STUN traffic when there may be other traffic on the same port. It's value is always "2112a442"
  • message_length
    Total length of the STUN payload, excluding headers
  • message_type
    What the STUN response contains, Binding Success, Error, et cetera. "0101" is "Binding Success"
  • mapped_family
    Protocol family. "01" == "IPv4"
  • mapped_address
    The source address of the request received by the server will be the mapped address created by the NAT closest to the server.
  • mapped_port
    The port associated with the mapped_address
  • xor_mapped_family
    Protocol family. "01" == "IPv4". The xor_mapped_family contains the same info as the mapped_family, except that it is XOR'd with the magic_cookie
  • xor_mapped_address
    The source address of the request received by the server will be the mapped address created by the NAT closest to the server. The xor_mapped_address contains the same info as the mapped_address, except that it is XOR'd with the magic_cookie
  • xor_mapped_port
    The port associated with the xor_mapped_address. The xor_mapped_port contains the same info as the mapped_port, except that it is XOR'd with the magic_cookie
  • software
    Contains a textual description of the software being used by the agent sending the message and is supposed to contain a manufacture and a version number
  • fingerprint
    The CRC-32 of the STUN message, excluding the fingerprint value itself. The CRC-32 is XOR'd with the value "0x5354554e"
  • amplification
    The size of the response (excluding headers) divided by the size of the probe (excluding headers)
  • response_size
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","transaction_id","magic_cookie","message_length","message_type","mapped_family","mapped_address","mapped_port","xor_mapped_family","xor_mapped_address","xor_mapped_port","software","fingerprint","amplification","response_size"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,3478,node01.example.com,stun,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",000000000000000000000000,2112a442,64,0101,01,192.168.0.1,32839,01,192.168.0.1,32839,None,0xaf09db98,4.20,84
"2010-02-10 00:00:01",medium,192.168.0.2,udp,3478,node02.example.com,stun,64512,ZZ,Region,City,0,,,000000000000000000000000,2112a442,60,0101,01,192.168.0.2,59605,01,192.168.0.2,59605,"Huawei version 1.0",,4.00,80
"2010-02-10 00:00:02",medium,192.168.0.3,udp,3478,node03.example.com,stun,64512,ZZ,Region,City,0,,,000000000000000000000000,2112a442,60,0101,01,192.168.0.3,34417,01,192.168.0.3,34417,"Huawei version 1.0",,4.00,80

Our 130 Report Types