Prevent Reflection Abuse Against CoTURN

I was wondering if there was a particular firewall rule, or a particular configuration for coTURN, that could prevent it from being used in reflection attacks. I had coTURN exposed to the world a year or two ago so that my family and I could use Nextcloud Talk to do voice and video calling from outside the home. Everything was working great, but I noticed in the logs one day some traffic from an odd IP address, and after establishing contact with the company on the other end, learned that the TURN service on my server was basically being used as a node in a reflection attack against one of their clients. Basically, somebody would send malformed traffic on the TURN port and the server would redirect that traffic to an intended target. Not nearly as serious as an actual data breach, but also not something you want happening.

What I ended up doing was just disabling the public visibility of TURN in my router and just setting up a home VPN server that everybody’s phones are always connected to, but I’m wondering if there isn’t something I missed that could have prevented the issue in the first place. Anybody have any input?

My server is running Debian stable with Nextcloud installed via the tarball and a manual Apache webserver setup.

In general I was under the impression that if coTURN is running with a password there should be no way to use the server anonymously…

I think this question is better placed in the coTURN forum.