LAST UPDATED: 2023-01-12
This report identifies accessible STUN (Session Traversal Utilities for NAT) servers on port 3478/udp. As described on Wikipedia, STUN is a standardized set of methods, including a network protocol, for traversal of network address translator (NAT) gateways in applications of real-time voice, video, messaging, and other interactive communications.
The STUN service is known to be a potential UDP message amplifier, that can be abused for reflected DDoS attacks. DDoS security considerations related to STUN can be found in RFC8445 “Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal”.
See RFC5389 for more details on the STUN protocol.
As of 2022-08-11 we find 101,146 STUN servers on IPv4, with an average amplification factor of 3.98 and median amplification factor of 4.40
As of 2022-08-11 we find 2,909 STUN servers on IPv6, with an average amplification factor of 5.85 and median amplification factor of 6.90
How we scan
We scan by sending a 20 byte blank STUN message:
\x00\x01\x00\x00\x21\x12\xa4\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 packet to port 3478/UDP. You can read more on the packet structure in the Phenomite research here.
We do not perform any intrusive checks on a discovered service.
You can track latest STUN scan results on the Shadowserver Dashboard.
Consider using STUN over TCP instead by default.
If your STUN service is accessible publicly unintentionally and you receive this report from us for your network or constituency make sure to firewall traffic to this service.
For more information on our scanning efforts, check out our Internet scanning summary page.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report has an IPv4 and IPv6 version.
Filename: scan_stun, scan6_stun