Skip to content

Latest commit

 

History

History
147 lines (111 loc) · 10.8 KB

mitigations.md

File metadata and controls

147 lines (111 loc) · 10.8 KB

Mitigation Strategies Analysis for coturn/coturn

Mitigation Strategy: Rate Limiting and Connection Limiting (coturn-native)

  • Mitigation Strategy: Rate Limiting and Connection Limiting (coturn-native)

    • Description:

      1. Identify Resources: Determine the critical resources to protect within coturn: bandwidth (bps), connections per IP, and total allocations.
      2. Baseline Usage: Analyze typical usage patterns using coturn's logs to establish reasonable baseline limits.
      3. Set Initial Limits (Aggressive): In turnserver.conf, set very low initial values for:
        • --max-bps: Maximum bandwidth per user (bits per second).
        • --user-quota: Bandwidth quota per user (bytes).
        • --quota: General bandwidth quota.
        • --max-connections-per-ip: Maximum simultaneous connections from a single IP address.
        • --max-allocate-lifetime: Maximum lifetime of a TURN allocation.
      4. Monitor and Adjust: Continuously monitor coturn's logs (--log-file, --syslog) for blocked requests due to rate limiting. Gradually increase limits only as needed, based on legitimate user needs.
      5. Realm-Specific Limits: If using multiple realms (realm option in turnserver.conf), configure different rate limits for each realm, reflecting varying trust levels and usage expectations.

    • Threats Mitigated:

      • DoS/DDoS Amplification Attacks (UDP Reflection): (Severity: High) - Limits the bandwidth and connection resources an attacker can exploit for amplification.
      • Unauthorized Relay Usage (Theft of Service): (Severity: Medium) - Limits the resources a single unauthorized user can consume.
      • Resource Exhaustion: (Severity: Medium) - Prevents users (legitimate or malicious) from exhausting server resources managed by coturn.

    • Impact:

      • DoS/DDoS Amplification: High reduction in risk. Properly configured rate limiting within coturn is essential.
      • Unauthorized Relay Usage: Medium reduction in risk. Limits the damage, but authentication is the primary defense.
      • Resource Exhaustion: High reduction in risk. Prevents resource starvation within coturn.

    • Currently Implemented:

      • turnserver.conf: All mentioned rate limiting and connection limiting options (max-bps, user-quota, quota, max-connections-per-ip, max-allocate-lifetime) are directly configurable within coturn.

    • Missing Implementation:

      • Dynamic Rate Limiting: coturn does not natively support dynamic adjustment of these limits based on real-time conditions. This would require external scripting and is not a direct coturn feature.

Mitigation Strategy: Strong Authentication and Authorization (coturn-native)

  • Mitigation Strategy: Strong Authentication and Authorization (coturn-native)

    • Description:

      1. Disable Anonymous Access: Ensure that the --no-auth option is not present or is explicitly set to disable anonymous relaying in turnserver.conf.
      2. Choose Authentication Method:
        • Long-Term Credentials: Use strong, unique passwords for each user, configured in the user database (e.g., --userdb).
        • Short-Lived Credentials: Enable short-lived credential mechanism using --lt-cred-mech. This requires an external mechanism (like a REST API) to generate the credentials, but coturn handles the validation.
      3. Realm Configuration: Define realms using the realm option in turnserver.conf to segment users and apply different access policies (including different rate limits, as described above).
      4. Use --user option to run coturn as non-root user.

    • Threats Mitigated:

      • Unauthorized Relay Usage (Theft of Service): (Severity: High) - Prevents unauthorized users from accessing the relay service.
      • Credential-Based Attacks (Partial): (Severity: Medium) - While coturn doesn't directly handle account lockout or 2FA, strong passwords and short-lived credentials reduce the impact of credential stuffing and brute-force attacks.

    • Impact:

      • Unauthorized Relay Usage: High reduction in risk. Authentication is the primary defense against unauthorized access within coturn.
      • Credential-Based Attacks: Medium reduction in risk. Reduces the effectiveness of attacks, but external systems are needed for full mitigation (e.g., account lockout).

    • Currently Implemented:

      • turnserver.conf: Supports authentication with long-term credentials (--userdb), short-lived credentials (--lt-cred-mech), and realm configuration (realm).
      • --user: Supports running as non-root user.

    • Missing Implementation:

      • Two-Factor Authentication (2FA): Not a native coturn feature.
      • Account Lockout: Not a native coturn feature.
      • Automated Credential Rotation: Not a native coturn feature (for long-term credentials).

Mitigation Strategy: IP Address Filtering (coturn-native)

  • Mitigation Strategy: IP Address Filtering (coturn-native)

    • Description:

      1. Identify Trusted IPs: Determine the IP addresses or ranges of legitimate clients that should be allowed to access the coturn server.
      2. Identify Untrusted IPs: If possible, identify IP addresses or ranges known to be associated with malicious activity.
      3. Configure turnserver.conf:
        • --allowed-peer-ip: Specify allowed IP addresses or ranges.
        • --denied-peer-ip: Specify denied IP addresses or ranges.
      4. Prioritize Allow Rules: Generally, it's more secure to use --allowed-peer-ip to explicitly whitelist trusted IPs, rather than relying solely on --denied-peer-ip.

    • Threats Mitigated:

      • Unauthorized Access: (Severity: Medium to High) - Prevents access from untrusted IP addresses. Effectiveness depends on the ability to accurately identify trusted IPs.
      • DoS/DDoS Attacks (Partial): (Severity: Medium) - Can help block attacks from known malicious sources, but rate limiting is still essential.

    • Impact:

      • Unauthorized Access: Medium to High reduction in risk, depending on the feasibility of IP whitelisting.
      • DoS/DDoS Attacks: Low to Medium reduction in risk. Provides some protection, but is not a primary defense.

    • Currently Implemented:

      • turnserver.conf: --allowed-peer-ip and --denied-peer-ip options are directly supported.

    • Missing Implementation:

      • Dynamic IP Filtering: coturn does not natively support dynamic updates to these lists based on real-time threat intelligence.

Mitigation Strategy: Secure TLS Configuration (coturn-native)

  • Mitigation Strategy: Secure TLS Configuration (coturn-native)

    • Description:

      1. Obtain Valid Certificate: (External step, but required for coturn's TLS) Obtain a valid TLS certificate from a trusted CA.
      2. Configure turnserver.conf:
        • --cert: Specify the path to the TLS certificate file.
        • --pkey: Specify the path to the TLS private key file.
        • --tls-listening-port: Enable the TLS listening port (e.g., 5349).
        • --cipher-list: Specify a list of strong TLS cipher suites. Disable weak or outdated ciphers. Consult current best practices for cipher suite selection (e.g., Mozilla's recommendations).
        • --no-tlsv1, --no-tlsv1_1, etc.: Disable older, less secure TLS versions as appropriate.
      3. Disable Unnecessary Features: If you don't need TCP relaying, disable it (--no-tcp-relay).

    • Threats Mitigated:

      • Man-in-the-Middle (MITM) Attacks (on TLS connections): (Severity: High) - Prevents attackers from intercepting and decrypting TLS-encrypted traffic.
      • Eavesdropping (on TLS connections): (Severity: High) - Protects the confidentiality of data.

    • Impact:

      • MITM Attacks: High reduction in risk. Proper TLS configuration within coturn is essential.
      • Eavesdropping: High reduction in risk. Ensures confidentiality.

    • Currently Implemented:

      • turnserver.conf: All mentioned TLS configuration options (--cert, --pkey, --tls-listening-port, --cipher-list, --no-tlsv1*) are directly supported.

    • Missing Implementation:

      • Automated Certificate Renewal: Not a native coturn feature.
      • OCSP Stapling Configuration: While the underlying OpenSSL library might support it, coturn may not have explicit, dedicated configuration options.

Mitigation Strategy: Feature Disabling

  • Mitigation Strategy: Feature Disabling

    • Description:

      1. Identify Required Features: Determine the minimum set of coturn features required for your use case. For example, if you only need STUN, disable TURN. If you don't need TCP relaying, disable it.
      2. Configure turnserver.conf:
        • --no-turn: Disable TURN functionality.
        • --no-tcp: Disable TCP listening.
        • --no-tcp-relay: Disable TCP relaying.
        • --no-udp: Disable UDP listening (use only if you only need TCP).
        • --no-dtls: Disable DTLS.
        • --no-tls: Disable TLS.
      3. Minimize Configuration: Remove any unnecessary configuration options from turnserver.conf.

    • Threats Mitigated:

      • Vulnerabilities in Unused Features: (Severity: Medium) - Reduces the attack surface by disabling features that could contain vulnerabilities.
      • Resource Consumption: (Severity: Low) - Reduces the resources (CPU, memory) consumed by coturn.

    • Impact:

      • Vulnerabilities in Unused Features: Medium reduction in risk. The fewer features enabled, the smaller the attack surface.
      • Resource Consumption: Low reduction in risk, but can improve performance.

    • Currently Implemented:

      • turnserver.conf: All mentioned feature disabling options (--no-turn, --no-tcp, --no-tcp-relay, --no-udp, --no-dtls, --no-tls) are directly supported.

    • Missing Implementation:

      • None. This strategy is fully implemented through existing configuration options.