Coturn under attack? #1470
Comments
I see two log verbosity settings: verbose (lowercase) and Verbose (uppercase), which could be more intuitively named. A more typical naming convention for log levels is trace, debug, info, warning, error, fatal so that the verbosity can be increased or decreased. I tried switching from verbose to Verbose, which gave me more log entries, but I still see no IP that could be used to block malicious traffic. I also see suggestions in various GitHub issues to log to syslog and filter out the bad log entries. That's certainly better than logging everything to disk and running out of disk space. But logging bogus connections and filtering them out after the fact consumes CPU cycles that could be better used elsewhere and doesn't deter the attacker. If the attacker can send connection entries fast enough, they can DoS the TURN server. If we could use fail2ban or some other similar technique to outright block the connections, it would make a denial-of-service attack harder. At this point, I'm inclined to turn off logging entirely or route logs to /dev/null. This is a poor solution as it compromises logging and doesn't deter these malicious connections, but it's easier and less resource-intensive than filtering log data. :-\
We've decided to comment out both verbose and Verbose. We no longer see the unauthorized connection entries, but we don't seem to get any logging data at all. At least our servers aren't running out of disk space anymore, but this seems like a really poor solution to the issue. There ought to be a way to leverage a tool like fail2ban to find unauthorized connection entries in the logs, block those IPs from making future connections, and shield our COTURN servers from attack.
We have the following coturn file:
And our server logs are filled with this:
It's logging so many entries so fast that the log file fills up the server's disk faster than we can clear it. Now I can turn off logging altogether—it's essentially compromised anyway—but rather than do that, I'd rather block the person chewing up compute/memory resources on my Coturn server.
I have two questions:
Thanks
Brad