-
Wiktor
moparisthebest, didn't see SRV in the linked draft so how is the port discovery being done in QUIC?
-
jonas’
how is port discovery done in TCP?
-
jonas’
moparisthebest, are you confuslating QUIC and HTTP/3 there?
-
christian
nmap?
-
jonas’
christian, no offense, but I’d really appreciate it if you could read more than the last two lines of backlog before replying. Thanks! :)
-
christian
jonas’: today are only two.
-
jonas’
christian, maybe use a client with MUC-MAM support then
-
jonas’
or check the logs online at https://logs.xmpp.org/operators/ if that’s not an option
-
jonas’
re-winding the conversation context of the past day is exhasutign✎ -
jonas’
re-winding the conversation context of the past day is exhausting ✏
-
christian
jonas’: okay. Sorry for disturbing.
-
jonas’
christian, thanks!
-
kahlb
Are there actually ddos attacks using STUN services as a reflector or only the theoretical possibility? I've never seen one an there are way "better" opportunities.
-
Ge0rG
kahlb: there are actual attacks
-
kahlb
Are there any resources about it? Analysis? I'm really interested.
-
christian
there are some script kiddies who discovered "ping -f" and some security guys who feel important :)))
-
jonas’
kahlb, tcpdump -enni any port 3478 ;)
-
kahlb
jonas’, the theoretical possibility is out of question. But is there a real danger, like booter services actually doing this? I see no reason why they should as long as there are so many highly efficient reflectors out there.
-
kahlb
on my system there is no suspicios traffic. Exploiting a reflectro always requires a scan in advance, so maybe i'm safe. But in ddos traffic from larger attacks I've seen lately I never saw anything stun related
-
tom
Is that what these are: » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:57 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974814: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:58 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:59 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:59 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:59 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » Apr 30 00:45:59 web turnserver: 974815: session 001000000000133270: realm <> user <>: incoming packet BINDING processed, success » (END) »
-
tom
It's creating like a gigabyte of logs per day
-
christian
I am no logging at all stun.
-
kahlb
jonas’, Okay, but that's rather ddosing yourself rather than anybody else. What is the target of the attack?
-
kahlb
s/ddosing/dosing
-
jonas’
tom, yess, that looks relevant
-
jonas’
kahlb, we don’t know what the goal is.
-
jonas’
just that it is happening in practice
-
tom
Is there a way to actually filter this
-
tom
Because i'm not going to do security by obscurity by changing port numbers
-
tom
If there's some way to definitively tell what is attack traffic and what's not
-
tom
Either an nftables rule or some kind of logging+fail2ban I'm all for that and will implement fixes
-
tom
Otherwise I don't really care
-
tom
Who is being ddosed anyways?
-
kahlb
jonas’, the target of a reflector attack is alway the (spoofed) source ip, so you shoud see it in your tcpdump. If it's alway the same, just filter it.
-
tom
Techniclly you can reflection attack someone with TCP RST
-
tom
What am I to do, stop sending TCP resets?
-
jonas’
kahlb, been there it’s not that easy
-
tom
Btw, I'm showing 52.113.61.170 being attacked
-
tom
Which is Microsoft Corporation
-
ralphm
Like Azure hosting?
-
tom
I'm not really in a rush to do any favors to a corporation who I spent the last 2/3 decades protesting the war against open standards and protocols
-
tom
*their
-
tom
Or a corporation who patent trolls
-
jonas’
ralphm, I don’t know if azure is a separate AS, the whois of that IP only points at MSFT :/
-
jonas’
I also wish I knew
-
tom
Or is a member of the PRISM mass surveillance program
-
tom
You all remember skype? Or internet explorer
-
Licaon_Kter
tcpdump says continously :( ``` 07:55:21.376197 In MAC ethertype IPv4 (0x0800), length 64: SOMEIP.3479 > MYLANIP.3478: UDP, length 20 07:55:21.377734 Out MAC ethertype IPv4 (0x0800), length 96: MYLANIP.3478 > SOMEIP.3479: UDP, length 52 ``` ...have I got the disease?
-
tom
Or outlook blocking your mail server
-
jonas’
Licaon_Kter, likely
-
jonas’
though, that looks more fun
-
Licaon_Kter
tom: saw the same IP too iirc
-
jonas’
because it’s source port 3479
-
kahlb
52.113.61.170 is MS Azure.
-
Licaon_Kter
Now it's 137.74.0.162
-
jonas’
kahlb, how do you know?
-
jonas’
Licaon_Kter, hm, OVH, haven’t seen that yet.
-
Licaon_Kter
Some reverse ip online tools yielded nothing, but one mentined ns1.azure though
-
ralphm
You can download the IP ranges Azure uses
-
Licaon_Kter
Now it stopped...
-
kahlb
137.74.0.162 is a TS3 Server. Actually a potential target for DDoS
-
Licaon_Kter
.162 used port 9987
-
Licaon_Kter
And...it's back .162:9987
-
ralphm
kahlb: so it may be part of a botnet
-
Ge0rG
I've changed the STUN/TURN port to a random one two weeks ago, and I'm still receiving ingress traffic on 3478
-
Licaon_Kter
20 in 52 out means >2x
-
tom
Yeah just got that change to
-
tom
137.74.0.162
-
tom
It's weird that the sourceport is always the same
-
tom
9987
-
tom
They are hitting my server with 9987 as well
-
jonas’
ralphm, I don’t think that the .162 is the true source
-
Licaon_Kter
Looks like I'll change the port then, daaaammit
-
jonas’
Licaon_Kter, tcpdump does not count IP headers, you have to add 44 bytes to that IIRC.✎ -
tom
No it's not that just the attack target
-
jonas’
Licaon_Kter, tcpdump does not count IP and UDP headers, you have to add 44 bytes to that IIRC. ✏
-
kahlb
Ge0rG, because the attackers only scan once or every few months. They don't get an idea if your IP is still a usable reflector, only if they scan again.
-
tom
This happens because ISPs don't implement BCP38, so you can spoof the ip address of anybody
-
jonas’
Licaon_Kter, tcpdump does not count IP and UDP headers, you have to add ~44 bytes~ 28 bytes(?) ✏
-
jonas’
kahlb, we changed ports >2w back.
-
jonas’
IIRC.
-
tom
redacted.3478 > 137.74.0.162.9987: [bad udp cksum 0x979f -> 0x4ff1!] UDP, length 108
-
tom
Hey
-
tom
Half these packets have bad checksums too
-
jonas’
tom, that’s not ral✎ -
jonas’
tom, that’s not real ✏
-
tom
Whoever the ddoser is they aren't very skilled
-
kahlb
Here is some really good literature for those who want to dig in: https://christian-rossow.de/publications/amplification-ndss2014.pdf
-
jonas’
that is the packet your server sends, and depending on offloading settings, checksums are not correct (yet) when tcpdump sees tem
-
tom
Bad checksums and using the same source port continuously
-
jonas’
so you are "sending" a bad checksum in that line, not them
-
kahlb
Rossow has a few more publications about it, all are worth reading.
-
tom
The only problem is, there's a bug in linux's nft where it blocks some needed ipv6 multicast if you enable bogon filtering
-
tom
Oh my bad your right
-
tom
That's my packet
-
tom
Hey it stopped
-
tom
Did it stop for anyone else as well ?
-
christian
Isn't dnssec making the spoofing harder?
-
kahlb
christian, no, dns has nothing to do with this.
-
tom
The problem is ISPs are too lazy to implement https://tools.ietf.org/html/bcp38 on their core router
-
tom
Which makes ip spoofing impossible
-
tom
Oh, they are back
-
Licaon_Kter
> Did it stop for anyone else as well ? It's on and off Changed ports so it's quiet for now That being said, it means all A/V is now forced through TURN, right?✎ -
Licaon_Kter
> Did it stop for anyone else as well ? It's on and off Changed ports so it's quiet for now 215 to the rescue ✏
-
tom
Here's an idea
-
tom
Log every binding request along with a timestamp and auto-ban ips that do over 120 binding requests /minute
-
tom
I can't think if a scenario where there would be that many binding requests from the same ip per minute
-
tom
*of
-
tom
What do you think?
-
tom
Now if i can see how to configure coturn to log the info
-
Holger
`verbose`
-
Ge0rG
tom: this approach has a problem where the attackers will still see your server as a reflector on their scans, and then still abuse you.
-
tom
Sure some packets will sneak through, but they can't use your server for very long
-
tom
At least
-
tom
They'd have to keep changing source ips
-
jonas’
tom, 120 / minute is hard to measure.
-
tom
Fail2ban could do that
-
jonas’
that’s 2/second
-
tom
Which they are exceeding
-
tom
I'm showing ~15/second
-
jonas’
problem with 2/second is, a legitimate call can produce that
-
jonas’
also, gentle reminder that this is a public place and the attacker(s) may be listening in
-
jonas’
be careful which countermeasures and details you share publicly
-
tom
» problem with 2/second is, a legitimate call can produce that 2 binding requests per second for 1 minute?
-
tom
That's why i said per minute not per second
-
jonas’
no, not for one minute. just saying that measuring this correctly is fun
-
tom
Ok
-
tom
I just want to say that coturn's configuration file options and syntax is terrible
-
tom
Wish there was a better turn server I could use
-
jonas’
eturnal? :)
-
jonas’
also, run your coturn with --prod to shave 20 bytes off the response :)
-
tom
I'll check that out
-
kahlb
The best thing would be: identify the scanner IP and blacklist it. Additionally take some of the countermeasures you just mentioned. As long as the scanner IP doesn't change it'd stop considering your system as vulnerable and the attacks would stop. But it's difficult to find these IPs. Best: Find systems *without* stun, search their firewall logs for UDP attempts on port 3478 and look wher they're coming from, since that can't be legit traffic. Hopefully there aren't so many, when in doubt just block em all. Maybe we should consider a public blacklist, though that could lead to countermeasures from attackers.
-
tom
kahlb: idk
-
tom
Trying to stop scanning on the internet seems like a fool's errand
-
kahlb
you can't stop scanning. But you can stop your system being identified as a reflector. At least up to some point.
-
tom
» --secure-stun » Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality. »
-
Martin
Makes it worse as the reply gets larger afaik.
-
croax
When media session between 2 contacts on different servers, does each contact use its own STUN/TURN or only caller one?
-
tom
Ge0rG: jonas’ you should definitely turn on secure-turn first
-
tom
That way, all your legit users of your turn server will be differentiated from ddos spoof users
-
tom
Then it will be much easier to instead of block on n binding requests per minute, block on n 401 UNAUTHORIZEDs per minute
-
Holger
croax, both might or might not be used. It doesn't depend on who is the caller.
-
tom
However, coturn has an absolute garbage logging syntax where things will need to be matched on multiple lines
-
Holger
tom, I'm slightly biased but do believe eturnal's logging is way better.
-
Holger
And config 🙂
-
tom
Thanks. I will be checking that out, I just can't change turn/stun servers today
-
Holger
tom, main downside I see is, no official distro packages (yet).
-
Holger
croax, basically if your client isn't reachable directly by your peer, your TURN server is used.
-
Holger
croax, so if neither your nor your peer's client is directly reachable, both TURN servers are used.
-
croax
Holger: thanks for clarification.
-
jonas’
tom, except that this is about STUN, not TURN
-
tom
jonas’: still applicable
-
jonas’
tom, question is: is the Not Authorized reply even larger? (IIRC the answer is "yes")
-
jonas’
and as I understand the curent state of STUN/TURN/WebRTC affairs (and as we discussed yesterday), (legitimate) clients *have to* first fail authentication before they can authenticate because of challenge/response nonsense
-
Holger
Yes.
-
Holger
First auth step is to receive an UNAUTHORIZED response from the server.
-
Holger
tom: > --secure-stun Do you use that? I would've been unsure whether e.g. libwebrtc copes with that.
-
tom
It does
-
tom
Nextcloud works with that too
-
Holger
Interesting. (I wonder what the point is though.)
-
jonas’
more traffic, of course
-
tom
Do you wanna test it yourself?
-
tom
Send some p2p file transfer with jingle
-
Holger
I asked a random guy on the Internet specifically because I've always been too lazy to test myself :-P
-
Holger
Because I didn't see any point anyway. Until we had that short-term-auth idea yesterday: If libwebrtc supports short-term _and_ has a code path for authenticated STUN, maybe things would just work. Maybe.
-
jonas’
and we get the STUN servers to STFU on authentication failure.
-
jonas’
or maybe it doesn’t matter anymore then because the proper request packet is already large enough
-
Holger
I'd be way more afraid of submitting libwebrtc patches than of patching STUN servers.
-
jonas’
worth a shot I guess
-
tom
Good
-
jonas’
except that it needs someone to write the code
-
Holger
I mean the Coturn guy is quite responsive, but who knows how easy it is to convince Google to merge some functionality eveyone else considers outdated.
-
jonas’
Holger, did you already talk to coturn about short-term-auth?
-
jonas’
I mean worst case we have to go through IETF to convince folks
-
Holger
jonas': No I didn't talk to him but I mean you could look at the old code for the short-term-auth support, and I guess an option to drop other traffic is trivial.
-
jonas’
question is why it was removed
-
jonas’
if they would be interested in readding it
-
Holger
As I said nobody uses it.
-
jonas’
is that why it was dropped or is that your guess why it was dropped?
-
Holger
But Coturn is a bloated monster, I doubt he'll strongly oppose re-adding it if you use it.
-
Holger
My guess.
-
jonas’
:)
-
Holger
Why else would it be dropped.
-
jonas’
undisclosed security issue; impossibility to integrate with the remaining architecture; ...
-
Holger
I could add it to eturnal, you post an issue that Coturn is missing that feature in comparison and he'll add the code himself :-)
-
Holger
Nah.
-
Holger
And I don't think you need the IETF for a `drop-other-traffic` option.
-
jonas’
but for a PoC we can easily go ahead with just eturnal
-
Holger
Yes. I'm just trying to explain why I think the real question is whether libwebrtc supports it.
-
Holger
https://webrtc.googlesource.com/src/
-
Holger
I'll have a look
-
jonas’
-EATWORK, otherwise I’d look too
-
Holger
I keep re-cloning that into /tmp once every three months. Because this is the very last time I'm interested in it ...
-
jonas’
I think you need to accept your fate that you’re now a webrtc person ;)
-
Holger
Doesn't look like libwebrtc supports short-term.
-
tom
Ah yes
-
tom
Goolag Korporation
-
jonas’
Holger, any clue how a client using libwebrtc would indicate to it that it is supposed to use short term instead of long term?
-
jonas’
could libwebrtc just *try* short term and then fall back to long term based on the response to short term, or does that not work in stun?
-
Holger
And now I remember that the TURN RFC has strong language towards long-term auth. (I had a discussion on whether to interpret it as long-term being mandatory last year or so. Why didn't I remember any of that yesterday? My brain is useless.)
-
Holger
The idea as per the STUN RFC is that client and server know what auth mechanism to expect before-hand. I.e. I'd imagine the libwebrtc user (Conversations) to specify a "do short-term" flag.
-
Holger
You obviously can't signal the desired mechanism without adding a round-trip, which is precisely the thing we'd like to avoid.
-
Holger
From the TURN RFC: ``` The server MUST require that the request be authenticated. This authentication MUST be done using the long-term credential mechanism of [RFC5389] unless the client and server agree to use another mechanism through some procedure outside the scope of this document. ```
-
Holger
So there *is* a bit of room for an out-of-scope procedure :-)
-
Holger
``` [RFC5389] specifies an authentication mechanism called the long-term credential mechanism. TURN servers and clients MUST implement this mechanism. The server MUST demand that all requests from the client be authenticated using this mechanism, or that a equally strong or stronger mechanism for client authentication is used. ```
-
Holger
Those sentences won't make it easier to convince Google I guess ...
-
Holger
Maybe just change ports, call it a day, and spend your time on MIX :-P
-
Holger
I'm not _that_ concerned about the actual problem, but it _is_ a little annoying how the specs basically have exactly the thing that would make sense for our use case. And generally for the WebRTC use case.
-
jonas’
yeah
-
jonas’
annoying
-
jonas’
> Why didn't I remember any of that yesterday? page faults take a while to service also in human brains ;)
-
moparisthebest
That RFC text is odd no? "You MUST do X, unless you don't want to"
-
moparisthebest
Sounds like a SHOULD
-
croax
There _must_ be an auth mechanism. Long-term or equivalent/stronger. But no weaker/none. _Should_ would allow _none_ AFAIK
-
Holger
The first of my above two quotes doesn't contain the "stronger" part though.
-
Holger
Which makes no sense for a protocol spec anyway.
-
Holger
And saying "client and server can agree on breaking the spec in arbitrary ways" is stating the obvious.
-
Holger
So effectively this does work like a proper MUST. A TURN client can assume the TURN server to support long-term auth, no need to check/negotiate that in any way.
-
rob
Just scored colloquy.ca 🤓 now I have a generic donation for friends✎ -
octagon
Hmm, I changed my port yesterday but am still seeing many requests a second to 3478
-
menel
That's because of what what someone else postet > because the attackers only scan once or every few months. They don't get an idea if your IP is still a usable reflector, only if they scan again.
-
menel
Until you are out of every list they collected it will continue
-
menel
So now you are doing your part in diluting the attack 😀
-
menel
Wasting resources of the attackers
-
moparisthebest
so with normal STUN usage is it request> response > request > response ? or just a single request > response ?
-
Licaon_Kter
I don't see why they can't request continously...
-
moparisthebest
Licaon_Kter, because if the protocol expects a second response, you can identify clients that don't do this and ignore them (preventing spoofing)
-
jonas’
moparisthebest, with *un*authenticated *STUN*, it is request > response; with authenticated STUN it is request > response > request > response.
-
jonas’
but AIUI authenticated STUN response on missing auth is (a) required for legitimate clients to work and (b) larger.
-
rob
Just scored colloquy.ca 🤓 now I have a generic domain for friends ✏
-
octagon
slightly offtopic: loading a large ipset on fedora/rh causes each cidr insert to be checked against the selinux policy and not completely inserted. a list with a few thousand cidr's quickly ends up using 20+GB of ram. anyone have any insight about htis?
-
octagon
the same script works on debian, and only uses <200MB ram
-
moparisthebest
at least that has an easy solution: turn off selinux
- moparisthebest runs