5.1.4 STUN Amplification Attack

The Simple Traversal of UDP through NAT (STUN) amplification attack is similar to the voice amplification attack, except that STUN connectivity checks, rather than a media flow, are directed at the target of the denial of service attack. The malicious user generates an offer containing a large number of candidates whose addresses point at the denial of service target. The peer endpoint, on receiving the offer, performs connectivity checks against every candidate listed in it, so a single offer can produce a significant volume of STUN connectivity-check traffic toward the target. This protocol cannot prevent the attack completely, but it limits its scale by capping the number of candidates sent in an offer or answer at 20 and the number of candidate pairs at 40. The related attack of generating multiple provisional answers to one offer is mitigated by limiting the number of provisional answers supported. In addition, this protocol relies on a secure signaling layer for the exchange of offers carrying candidates and their associated user names and passwords.
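An added example (not from the original text or any ICE implementation) showing how an endpoint can enforce the two limits named above before it schedules any connectivity checks: it counts `a=candidate:` lines in a received SDP offer and refuses the offer above the 20-candidate cap, and it truncates the pair check list at 40. The SDP generator, the tuple layout and the pair-ordering rule (product of priorities) are simplifications assumed for this example.

```python
import re

# Limits named in the text above.
MAX_CANDIDATES = 20
MAX_CANDIDATE_PAIRS = 40

# a=candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type>
CANDIDATE_RE = re.compile(
    r"^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)", re.MULTILINE)


def parse_candidates(sdp):
    """Extract (foundation, component, transport, priority, addr, port, type) tuples."""
    return [(m[0], int(m[1]), m[2], int(m[3]), m[4], int(m[5]), m[6])
            for m in CANDIDATE_RE.findall(sdp)]


def check_offer(sdp, limit=MAX_CANDIDATES):
    """Return (accepted, reason). An offer over the limit is refused before any
    connectivity check is scheduled, so it cannot drive STUN traffic at a victim."""
    n = len(parse_candidates(sdp))
    if n > limit:
        return False, f"offer carries {n} candidates, limit is {limit}"
    return True, f"{n} candidates within limit"


def form_check_list(local, remote, limit=MAX_CANDIDATE_PAIRS):
    """Pair local and remote candidates of the same component, keep the
    highest-priority pairs and cap the check list (ordering simplified here)."""
    pairs = [(l, r) for l in local for r in remote if l[1] == r[1]]
    pairs.sort(key=lambda p: p[0][3] * p[1][3], reverse=True)
    return pairs[:limit]


def make_offer(n, base_port=5000):
    """Constructed SDP fragment with n host candidates (sample data, not a real offer)."""
    lines = ["v=0", "m=audio 5000 RTP/AVP 0"]
    lines += [f"a=candidate:{i} 1 udp {2130706431 - i} 192.0.2.{i % 254 + 1} "
              f"{base_port + i} typ host" for i in range(n)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(check_offer(make_offer(5)))    # accepted
    print(check_offer(make_offer(25)))   # refused: 25 > 20
    print(len(form_check_list(parse_candidates(make_offer(10)),
                              parse_candidates(make_offer(10)))))  # 100 pairs capped to 40
```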