
scansnarf-ng detected Portscan

Open markus2330 opened this issue 7 months ago • 6 comments

scansnarf-ng detected an outgoing Portscan, with the SRC-PORT 3478 and the DST-PORT 1033 (UDP, SIZE 146), with 600 packets within a few seconds (18:15:40 to 18:15:46).

On that port a coturn was running. What could have caused that behavior? Was it a (security-)bug in coturn? Was it normal behavior and scansnarf simply misjudged what it is? Was coturn misconfigured (e.g. weak static auth secret)? (Sorry for opening the issue if it was the latter two.)

/etc/turnserver.conf

listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=... (weak static secret)
realm=stun. ...
no-loopback-peers
no-multicast-peers
  
keep-address-family
no-cli
no-tlsv1
no-tlsv1_1
no-loopback-peers
no-multicast-peers
denied-peer-ip=... (with several long lists)

I used coturn from Debian/Devuan stable with version 4.6.1-1

markus2330 avatar May 28 '25 13:05 markus2330

Same here out of the blue.

feltel avatar May 28 '25 13:05 feltel

The Hetzner Abuse team said it could be a reflection attack via STUN/TURN.

Might be fixed with https://github.com/coturn/coturn/pull/1588

markus2330 avatar May 28 '25 13:05 markus2330

We are also hosted by Hetzner. I sent them a link to this issue and asked for unblocking our v4-IP. Coturn is and will be disabled for the time being.

feltel avatar May 28 '25 14:05 feltel

If it can be of some help, at least in our Hetzner instance the traffic is from some AWS bot, currently we're dropping:

15.185.0.0/16 15.180.0.0/14 15.188.0.0/16 15.179.0.0/16 15.184.0.0/14

And from Indonesia: 103.170.105.0/24

As of now bursts of traffic are still arriving, but are dropped at firewall level which should limit the amplification effect.

xadhoom avatar May 28 '25 15:05 xadhoom

Just chiming in, same here. My server got IP-blocked by my hosting provider due to this. Very interesting that the timestamps in my logs match the time from the OP at exactly the same second. I've uninstalled for now.

Boersencrash321 avatar May 28 '25 17:05 Boersencrash321

This is not a coturn security bug or a weak secret. That is what coturn does - relaying traffic into some other network.

In most cases you would want to exclude internal network as a destination (while being able to connect 2 clients on public internet) using --denied-peer-ip=192.168.0.0-192.168.255.255 (using your actual network range)

eakraly avatar May 29 '25 01:05 eakraly
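Added example (not code from coturn or from anyone in this thread): a small audit of a turnserver.conf for the two points raised above, a weak static-auth-secret and internal peer ranges not excluded via denied-peer-ip, plus the no-loopback-peers/no-multicast-peers flags. The sample configs, the entropy threshold and the list of "internal" ranges are constructed assumptions; coturn's own documented range syntax is `lo-hi`, and CIDR is accepted here as well.

```python
import ipaddress
import math
from collections import Counter

# Constructed policy: ranges a public TURN relay should not reach (RFC 1918 + link-local/metadata).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_turnserver_conf(text):
    """Parse coturn's key=value / bare-flag format; repeated keys (e.g. denied-peer-ip) are collected."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def denied_ranges(conf):
    """Convert denied-peer-ip entries (lo-hi ranges or CIDR) into network objects."""
    nets = []
    for entry in conf.get("denied-peer-ip", []):
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        elif entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def shannon_bits(secret):
    counts, n = Counter(secret), len(secret)  # rough strength: per-char entropy times length
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n if n else 0.0

def audit(conf, min_secret_bits=128):
    """Return finding tags; an empty list means nothing in the checked subset was flagged."""
    findings = []
    if "use-auth-secret" in conf:
        if shannon_bits(conf.get("static-auth-secret", [""])[0]) < min_secret_bits:
            findings.append("weak-static-auth-secret")
    denied = denied_ranges(conf)
    findings += [f"internal-range-reachable:{net}" for net in INTERNAL_RANGES
                 if not any(net.version == d.version and net.subnet_of(d) for d in denied)]
    findings += [f"missing-flag:{f}" for f in ("no-loopback-peers", "no-multicast-peers") if f not in conf]
    return findings

# Constructed sample configs: a weak shape like the one in the thread, and a hardened variant
# (a real secret would come from something like `openssl rand -hex 32`, not a fixed string).
WEAK_CONF = ("listening-port=3478\nfingerprint\nlt-cred-mech\nuse-auth-secret\n"
             "static-auth-secret=changeme123\nrealm=stun.example.invalid\nno-cli\n")
HARDENED_CONF = WEAK_CONF.replace("changeme123", "0123456789abcdef" * 4) + (
    "no-loopback-peers\nno-multicast-peers\ndenied-peer-ip=10.0.0.0-10.255.255.255\n"
    "denied-peer-ip=172.16.0.0-172.31.255.255\ndenied-peer-ip=192.168.0.0-192.168.255.255\n"
    "denied-peer-ip=169.254.0.0/16\n")
```

Run `audit(parse_turnserver_conf(open("/etc/turnserver.conf").read()))` against a live config; a clean list only means these specific checks passed, not that the relay cannot be abused for reflection toward arbitrary public peers.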