
Disable binding logging to avoid DoS attack

* Add new option log-binding
This commit is contained in:
Mészáros Mihály 2021-01-05 09:55:55 +00:00
parent 86b78aa6fa
commit 27b261eb58
12 changed files with 43 additions and 12 deletions


@ -25,6 +25,8 @@ Version 4.5.2 'dan Eider':
* Add ACME redirect url
- merge PR #551 (by jelmd)
* support of --acme-redirect <URL>
- Disable binding request logging to avoid DoS attacks. (Breaking change!)
* Add new --log-binding option to enable binding request logging
24/06/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
Version 4.5.1.3 'dan Eider':


@ -229,6 +229,8 @@ Flags:
--new-log-timestamp-format <format> Set timestamp format (in strftime(1) format)
--log-binding Log STUN binding request. It is now disabled by default to avoid DoS attacks.
--secure-stun Require authentication of the STUN Binding request.
By default, the clients are allowed anonymous access to the STUN Binding functionality.


@ -540,6 +540,10 @@
# Set timestamp format (in strftime(1) format)
#new-log-timestamp-format "%FT%T%z"
# Disabled by default binding logging in verbose log mode to avoid DoS attacks.
# Enable binding logging and UDP endpoint logs in verbose log mode.
#log-binding
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in the form of
# <ip>[:<port>]. The server will send this value in the attribute
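Review bot: The two comment lines introducing `#log-binding` read awkwardly and do not say what the operator is opting into; "Disabled by default binding logging in verbose log mode" inverts the subject. I would replace them with `# STUN binding request logging (and the UDP endpoint log lines in verbose mode) is` / `# disabled by default, because every anonymous binding request would otherwise` / `# produce a log line and can be used to flood the log. Uncomment to enable it.` The surrounding option block continues outside the hunk.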


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "15 December 2020" "" ""
.TH TURN 1 "05 January 2021" "" ""
.SH GENERAL INFORMATION
\fIturnadmin\fP is a TURN administration tool. This tool can be used to manage


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "15 December 2020" "" ""
.TH TURN 1 "05 January 2021" "" ""
.SH GENERAL INFORMATION
The \fBTURN Server\fP project contains the source code of a TURN server and TURN client
@ -345,6 +345,10 @@ Enable full ISO\-8601 timestamp in all logs.
<format> Set timestamp format (in \fBstrftime\fP(1) format)
.TP
.B
\fB\-\-log\-binding\fP
Log STUN binding request. It is now disabled by default to avoid DoS attacks.
.TP
.B
\fB\-\-secure\-stun\fP
Require authentication of the STUN Binding request.
By default, the clients are allowed anonymous access to the STUN Binding functionality.


@ -1,5 +1,5 @@
.\" Text automatically generated by txt2man
.TH TURN 1 "15 December 2020" "" ""
.TH TURN 1 "05 January 2021" "" ""
.SH GENERAL INFORMATION
A set of turnutils_* programs provides some utility functionality to be used


@ -456,7 +456,7 @@ static int handle_udp_packet(dtls_listener_relay_server_type *server,
sm->m.sm.s = s;
if (s) {
if(verbose) {
if(verbose && turn_params.log_binding) {
uint8_t saddr[129];
uint8_t rsaddr[129];
addr_to_string(get_local_addr_from_ioa_socket(s),saddr);


@ -168,7 +168,9 @@ DEFAULT_CPUS_NUMBER,
0, /* keep_address_family */
0, /* no_auth_pings */
0, /* no_dynamic_ip_list */
0 /* no_dynamic_realms */
0, /* no_dynamic_realms */
0 /* log_binding */
};
//////////////// OpenSSL Init //////////////////////
@ -605,6 +607,7 @@ static char Usage[] = "Usage: turnserver [options]\n"
" This option can be used, for example, together with the logrotate tool.\n"
" --new-log-timestamp Enable full ISO-8601 timestamp in all logs.\n"
" --new-log-timestamp-format <format> Set timestamp format (in strftime(1) format)\n"
" --log-binding Log STUN binding request. It is now disabled by default to avoid DoS attacks.\n"
" --stale-nonce[=<value>] Use extra security with nonce value having limited lifetime (default 600 secs).\n"
" --max-allocate-lifetime <value> Set the maximum value for the allocation lifetime. Default to 3600 secs.\n"
" --channel-lifetime <value> Set the lifetime for channel binding, default to 600 secs.\n"
@ -813,7 +816,8 @@ enum EXTRA_OPTS {
NO_SOFTWARE_ATTRIBUTE_OPT,
NO_HTTP_OPT,
SECRET_KEY_OPT,
ACME_REDIRECT_OPT
ACME_REDIRECT_OPT,
LOG_BINDING_OPT
};
struct myoption {
@ -948,6 +952,8 @@ static const struct myoption long_options[] = {
{ "secret-key-file", required_argument, NULL, SECRET_KEY_OPT },
{ "keep-address-family", optional_argument, NULL, 'K' },
{ "acme-redirect", required_argument, NULL, ACME_REDIRECT_OPT },
{ "log-binding", optional_argument, NULL, LOG_BINDING_OPT },
{ NULL, no_argument, NULL, 0 }
};
@ -1607,6 +1613,9 @@ static void set_option(int c, char *value)
case NEW_LOG_TIMESTAMP_FORMAT_OPT:
set_turn_log_timestamp_format(value);
break;
case LOG_BINDING_OPT:
turn_params.log_binding = get_bool_value(value);
break;
/* these options have been already taken care of before: */
case 'l':
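Review bot: `--log-binding` is registered with `optional_argument` in long_options, so a bare `--log-binding` on the command line reaches `turn_params.log_binding = get_bool_value(value);` with `value == NULL`; unless get_bool_value (not in this hunk) treats NULL as true, the option the usage text advertises would be a no-op and logging would stay off. Either confirm that contract with a comment at the case label, `/* value may be NULL for a bare --log-binding; get_bool_value must treat that as true */`, or guard it explicitly, `turn_params.log_binding = value ? get_bool_value(value) : 1;`. The same `get_bool_value(value)` pattern with `optional_argument` may be used by the neighbouring options, so the choice should follow what they do. set_option and the long_options table both extend outside the hunk.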


@ -333,6 +333,8 @@ typedef struct _turn_params_ {
int no_dynamic_ip_list;
int no_dynamic_realms;
vint log_binding;
} turn_params_t;
extern turn_params_t turn_params;


@ -1668,7 +1668,8 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
turn_params.oauth,
turn_params.oauth_server_name,
turn_params.acme_redirect,
turn_params.keep_address_family);
turn_params.keep_address_family,
&turn_params.log_binding);
if(to_set_rfc5780) {
set_rfc5780(&(rs->server), get_alt_addr, send_message_from_listener_to_client);


@ -3832,13 +3832,13 @@ static int handle_turn_command(turn_turnserver *server, ts_ur_super_session *ss,
&dest_changed, &response_destination,
0, 0);
if(server->verbose) {
if(server->verbose && server->log_binding) {
log_method(ss, "BINDING", err_code, reason);
}
if(*resp_constructed && !err_code && (origin_changed || dest_changed)) {
if (server->verbose) {
if (server->verbose && server->log_binding) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "RFC 5780 request successfully processed\n");
}
@ -4014,7 +4014,7 @@ static int handle_old_stun_command(turn_turnserver *server, ts_ur_super_session
&dest_changed, &response_destination,
cookie,1);
if(server->verbose) {
if(server->verbose && *(server->log_binding)) {
log_method(ss, "OLD BINDING", err_code, reason);
}
@ -4929,7 +4929,8 @@ void init_turn_server(turn_turnserver* server,
int oauth,
const char* oauth_server_name,
const char* acme_redirect,
int keep_address_family) {
int keep_address_family,
vintp log_binding) {
if (!server)
return;
@ -5001,6 +5002,8 @@ void init_turn_server(turn_turnserver* server,
server->keep_address_family = keep_address_family;
set_ioa_timer(server->e, 1, 0, timer_timeout_handler, server, 1, "timer_timeout_handler");
server->log_binding = log_binding;
}
ioa_engine_handle turn_server_get_engine(turn_turnserver *s) {
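Review bot: Both new conditions in handle_turn_command, `if(server->verbose && server->log_binding)` before `log_method(ss, "BINDING", ...)` and `if (server->verbose && server->log_binding)` before the RFC 5780 log line, test the `vintp` pointer itself rather than the flag it points to, whereas the handle_old_stun_command hunk correctly writes `*(server->log_binding)`. Because init_turn_server receives `&turn_params.log_binding` from setup_relay_server, that pointer is never NULL, so on the main STUN path binding logging remains on under --verbose and the log-flooding mitigation this commit is meant to add does not take effect there. Both sites should read `if(server->verbose && *(server->log_binding)) {`. Separately, `server->log_binding = log_binding;` is the last assignment in init_turn_server, after set_ioa_timer has already been armed; moving it up next to `server->keep_address_family = keep_address_family;` keeps the pointer valid before any callback can observe the struct. handle_turn_command, handle_old_stun_command and init_turn_server all start outside their hunks.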


@ -176,6 +176,9 @@ struct _turn_turnserver {
/* Keep Address Family */
int keep_address_family;
/* Log Binding Requrest */
vintp log_binding;
};
const char * get_version(turn_turnserver *server);
@ -222,7 +225,8 @@ void init_turn_server(turn_turnserver* server,
int oauth,
const char* oauth_server_name,
const char* acme_redirect,
int keep_address_family);
int keep_address_family,
vintp log_binding);
ioa_engine_handle turn_server_get_engine(turn_turnserver *s);
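Review bot: The new field comment `/* Log Binding Requrest */` has a typo and does not tell readers that `log_binding` is a pointer to a flag owned elsewhere, which is exactly what the value-vs-pointer confusion in the server hunks turns on. I would write it as `/* Log STUN binding requests: points at the shared turn_params flag, dereference before testing */`. The init_turn_server prototype could likewise note on the `vintp log_binding` parameter that the pointee must outlive the server, since it is stored rather than copied. struct _turn_turnserver and the prototype both extend outside the hunks.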