5.1.4 STUN Amplification Attack

The Simple Traversal of UDP through NAT (STUN) amplification attack is similar to the voice amplification attack. Instead of media flow, the STUN connectivity checks are directed to the target of the denial of service attack. The malicious user proceeds by generating an offer with a large number of candidates for the denial of service target. The peer endpoint, after receiving the offers, performs connectivity checks with all the candidates specified on the offer. This malicious activity can generate a significant volume of data flow with STUN connectivity checks. This malicious activity cannot be completely prevented by this protocol, but the protocol can mitigate this type of malicious activity to a certain extent by limiting the total number of candidates that are sent in an offer or response to 20 candidates and 40 candidate pairs. In addition, this protocol relies on a secure signaling layer for offer exchanges of candidates and associated user names and passwords.