After running a TURN server for a few days, I noticed that it had been detected by the black hat guys, who were using it for amplification attacks against Microsoft, Google, etc.
This was quite tricky to detect, as with the default logging configuration, even in verbose mode of coturn, it was not visible in the logs until the option “log-binding” was activated.
I just wanted to point out that this attack is possible even if authentication is enforced, due to the nature of STUN; I am still seeing an amplification factor of 2.2 in my setup.
So, to find out what would be the best route to increase resilience, it would be helpful to know the way Jami uses TURN, so the server could be locked down further by disabling features which are unnecessary for Jami. Maybe someone has some insight on the following questions?
- Is Jami also using the configured TURN server for STUN or only for TURN?
- Is Jami also using UDP for connections to the TURN server (not on the peer side)?
- Does Jami support (D)TLS for connections to the TURN server?
From what I think I have found out so far, it seems as follows:
- no
- yes
- no
Another approach I found could be to implement fail2ban to block malicious IPs; however, due to the nature of the attack, this would not block the real attacker but prevent the attack on the victims. I think the specific pattern of the attack here was identified in order to write custom fail2ban filters.
Thanks for your help.
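As an added illustration of the detection side of the post above (not the poster's code and not part of coturn or Jami): a small script that scans binding-request log lines per source address and flags addresses that exceed a request threshold inside a sliding window. The line layout and the sample lines are constructed assumptions, not a real coturn log format; the regex would need adapting to the actual “log-binding” output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, assumed layout (not copied from a
# real coturn log): timestamp, remote address, STUN method.
SAMPLE_LOG = """\
2024-01-01 12:00:00 remote 203.0.113.5:3478 BINDING request
2024-01-01 12:00:00 remote 203.0.113.5:3478 BINDING request
2024-01-01 12:00:01 remote 203.0.113.5:3478 BINDING request
2024-01-01 12:00:01 remote 198.51.100.7:50000 BINDING request
2024-01-01 12:00:02 remote 203.0.113.5:3478 BINDING request
2024-01-01 12:00:30 remote 198.51.100.7:50000 ALLOCATE request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) remote (?P<ip>[\d.]+):\d+ (?P<method>[A-Z]+) request$"
)


def parse(log_text):
    """Yield (timestamp, ip, method) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["method"]


def flag_binding_floods(log_text, window_seconds=10, threshold=3):
    """Return {ip: peak count} for IPs sending more than `threshold` BINDING
    requests within any `window_seconds` window.

    In a reflection attack the source IP is the spoofed victim, so the result
    is a list of addresses to rate-limit, not of attackers to ban.
    """
    events = defaultdict(list)
    for ts, ip, method in parse(log_text):
        if method == "BINDING":
            events[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```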