Default turnserver Configuration Lacks no-udp, Enabling Reflection Attacks

Open 53c70r opened this issue 7 months ago • 3 comments

The current default configurations for the turnserver appear to not have the no-udp options enabled by default.

This default setting introduces a significant security risk, as it exposes the TURN server to Reflection Attacks via UDP.

53c70r, May 28 '25 13:05

https://github.com/coturn/coturn/pull/1588

53c70r, May 29 '25 08:05

All the STUN traffic and most of the TURN traffic is UDP. Enabling "no-udp" will have an impact on media quality.

ggarber, May 29 '25 09:05

I suspect we should monitor 1588 for an upstream fix. This is currently a mitigation, and a true technical solution would likely require completely disabling UDP, which isn't feasible. What do you think?

53c70r, May 29 '25 16:05
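
A check for the setting discussed in this thread, as an added example that is not part of the issue or of coturn's code: it parses a `turnserver.conf` and reports which client listeners are left enabled, flagging the case where `no-udp` is absent or commented out. The sample configs are constructed, the function names are hypothetical, and treating `flag=false`-style values as "not set" is an assumption about how the file is read.

```python
# Added example: audit which client listeners a turnserver.conf leaves enabled.
# Function names are hypothetical; the sample configs below are constructed.

# Listener-disabling flags from coturn's turnserver.conf.
LISTENER_FLAGS = {"no-udp": "UDP", "no-tcp": "TCP", "no-tls": "TLS", "no-dtls": "DTLS"}
# Assumption: these values on a boolean flag mean "flag not set".
FALSE_VALUES = {"0", "false", "no", "off"}

DEFAULT_LIKE = """\
listening-port=3478
# no-udp is shipped commented out, so the UDP listener stays on
#no-udp
lt-cred-mech
"""

HARDENED = """\
listening-port=3478
no-udp
no-dtls
lt-cred-mech
"""


def parse_flags(conf_text):
    """Return the option names that are actively set (not commented out)."""
    active = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if value.strip().lower() in FALSE_VALUES:
            continue  # e.g. "no-udp=false" leaves the listener enabled
        active.add(name.strip())
    return active


def audit(conf_text):
    """Return (enabled listeners, findings) for one config file's text."""
    active = parse_flags(conf_text)
    enabled = [proto for flag, proto in LISTENER_FLAGS.items() if flag not in active]
    findings = []
    if "UDP" in enabled:
        findings.append("UDP listener enabled: no-udp is not set")
    return enabled, findings


if __name__ == "__main__":
    for label, text in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(label, *audit(text))
```
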