
SANS ISC: STUN traffic - SANS Internet Storm Center SANS ISC InfoSec Forums

STUN traffic
I'm seeing firewall log entries for several users attempting to go to UDP port 3478 (STUN) at address It looks like an unregistered address in APNIC. I haven't been able to isolate what is generating the traffic. Anyone else seeing something similar? Tom

2 Posts
My lookup of that IP address puts it in Amazon cloud space (ASN 14618), not APNIC. Jim

423 Posts
ISC Handler
Thank you. You are correct, I fat-fingered the whois. Tom

2 Posts
I am seeing lots of stun traffic to Does anyone know what it is? Sycckd

2 Posts
Haven't found anything malicious associated with this Amazon IP address (yet).

436 Posts
ISC Handler
I couldn't find anything malicious either, but it's been going on for months and there seem to be more and more hosts trying to get out. Sycckd

2 Posts
I have also seen an increasing amount of traffic to this IP from hosts on our network. I have combed through the IDS data and am unable to find any clues so far as to what's causing it all of a sudden. Anonymous

I too have been monitoring this activity for a couple of months as it seems to be increasing in volume. Last night I zeroed in on a particular PC that generated STUN binding requests to every few minutes all night long. These UDP packets were being blocked on egress, maybe the reason for the continually repeated requests. Found that the PC left a Chrome browser running all night with a certain page loaded (don't yet know what). The main internet traffic being generated from that PC during the timeframe was to Google - "safebrowsing", "tools", "client2", "client4", and possibly google-analytics (one set of logs lists google-analytics as a dest, another doesn't). Ken

2 Posts

Maybe relevant. Or irrelevant, if this is common knowledge.

looking at my snort log, I see a DNS query for that resolved to that IP. Alex

2 Posts
I'm seeing some traffic for this IP correspond with DNS lookups by affected clients for right before I see the traffic.

Though, I am not able to get that to resolve to And, not all clients resolving hit that ip:

Netflow data:

2015-04-29 08:26:58.557 0.000 UDP -> 0 28 1

named query log:

Apr 29 08:26:58.416 queries: info: client query: IN A

However, for the three relatively quiet machines that hit, I did see the same pattern. For other machines that made tens of DNS requests before the STUN action, I did not see a lookup.

It may be coincidental.

6 Posts
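The correlation the post above does by hand (a named query log against egress drops to UDP/3478, looking for a lookup by the same host shortly before the STUN attempt), as an added example that is not from the thread. The log lines are constructed in the formats posted here, with RFC 5737 addresses and stun.example.net as placeholders; the year and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), modelled on the named query
# log and the iptables-style DROP lines posted above. Client IPs are RFC 5737
# documentation addresses and stun.example.net is a placeholder name.
QUERY_LOG = """\
Apr 29 08:26:58.416 queries: info: client 192.0.2.10#51234: query: stun.example.net IN A
Apr 29 08:27:40.100 queries: info: client 192.0.2.11#51235: query: www.example.org IN A
Apr 29 09:10:02.001 queries: info: client 192.0.2.12#51236: query: stun.example.net IN A
"""
FW_LOG = """\
Apr 29 08:26:58 DROPPED SRC=192.0.2.10 DST=203.0.113.5 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53084 DPT=3478 LEN=37
Apr 29 08:27:41 DROPPED SRC=192.0.2.11 DST=203.0.113.5 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=38022 DPT=3478 LEN=37
Apr 29 09:15:00 DROPPED SRC=192.0.2.12 DST=203.0.113.5 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47792 DPT=3478 LEN=37
"""
YEAR = 2015  # syslog timestamps carry no year; assumed from the thread's dates

QUERY_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ .*client ([\d.]+)#\d+.*?query: (\S+) IN A")
DROP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) DROPPED SRC=([\d.]+) DST=([\d.]+) .*PROTO=UDP .*DPT=3478\b")

def _ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def parse_queries(text):
    """(time, client_ip, qname) for every A-record query line."""
    return [(_ts(m.group(1)), m.group(2), m.group(3))
            for m in map(QUERY_RE.match, text.splitlines()) if m]

def parse_stun_drops(text):
    """(time, src_ip, dst_ip) for every dropped outbound UDP/3478 line."""
    return [(_ts(m.group(1)), m.group(2), m.group(3))
            for m in map(DROP_RE.match, text.splitlines()) if m]

def correlate(query_text, fw_text, window=timedelta(seconds=5)):
    """For each STUN egress attempt, collect the names the same host resolved
    within `window` before it. Hosts with no nearby lookup map to an empty set,
    which is the 'not all clients' case described in the post above."""
    queries = parse_queries(query_text)
    result = {}
    for t_drop, src, dst in parse_stun_drops(fw_text):
        names = {q for t_q, ip, q in queries
                 if ip == src and timedelta(0) <= t_drop - t_q <= window}
        result.setdefault((src, dst), set()).update(names)
    return result
```

With the constructed input, the first two hosts show a lookup within the window and the third does not, which is the pattern the post reports.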
I think this might relate to

The STUN traffic we've seen to and from this address has followed a DNS query for We've seen HTTP traffic to with a referrer of

Dunno if ninjapd is one of those silly STUN-based CDNs? Maybe el-nacional uses it?

2 Posts
Following the VirusTotal information on the domains using the IP address, most look like they are tied to White Ops, Dan Kaminsky. Maybe someone should reach out and ask the company? Dean

135 Posts
Bro logs show this:
2015-04-28T05:54:59+0000 CfVsQw3rflYsiWQAM8 50145 3478 udp - 10.167921 120 600 SF F 0 Dd 6 288 6 768 (empty)
2015-04-28T05:56:57+0000 Cup1oA2osUBmkMvqpd 62884 3478 udp - 10.454747 200 1000 SF F 0 Dd 10 480 10 1280 (empty)
2015-04-28T05:57:55+0000 CR8Jt231gHyuGtWqKf 52946 3478 udp - 10.163208 80 400 SF F 0 Dd 4 192 4 512 (empty)
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 49161 53 udp 17834 1 C_INTERNET 1 A 0 NOERROR F F T T 0 30.000000 F
2015-04-28T05:54:58+0000 CWGR471miSRB5VJ0V3 49161 53 udp 17834 1 C_INTERNET 1 A 0 NOERROR F F T T 0 30.000000 F
2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 63197 53 udp 13491 1 C_INTERNET 1 A 0 NOERROR F F T T 0 30.000000 F
2015-04-28T05:56:57+0000 CY1D0h2uCP0Zb5bqMi 63197 53 udp 13491 1 C_INTERNET 1 A 0 NOERROR F F T T 0 30.000000 F

35 Posts
James has, I've got Both say "ph" :) Alec

2 Posts
What I've seen related to Port 2378 and

Apr 25 18:58:05 DROPPED SRC= DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=53084 DPT=3478 LEN=37
Apr 26 15:22:27 DROPPED SRC= DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=38022 DPT=3478 LEN=37
Apr 28 01:30:25 DROPPED SRC= DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=23684 DF PROTO=UDP SPT=47792 DPT=3478 LEN=37
Apr 28 22:03:04 DROPPED SRC= DST=x.x.x.x LEN=57 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44319 DPT=3478 LEN=37

2015-04-28 11:00:30.006468 IP > 14188+ A? (31)
2015-04-28 11:00:30.069540 IP > 14188 1/4/4 A (248)
2015-04-28 23:26:08.556839 IP > 28978% [1au] A? (43)
2015-04-28 23:26:08.614990 IP > 41772 1/4/4 A (249)
2015-04-28 23:33:20.849228 IP > 21453% [1au] A? (43)
2015-04-28 23:33:20.905461 IP > 21453*- 1/4/1 A (196)
2015-04-28 23:50:59.964778 IP > 36648% [1au] A? (43)
2015-04-28 23:51:00.022528 IP > 36648*- 1/4/1 A (196)
2015-04-29 01:17:10.575201 IP > 29998% [1au] A? (43)
2015-04-29 01:17:10.617812 IP > 29998*- 1/4/1 A (196)
2015-04-29 01:21:21.265737 IP > 18355% [1au] A? (43)
2015-04-29 01:21:21.309069 IP > 18355*- 1/4/1 A (196)
2015-04-29 01:36:00.896863 IP > 54106*- 1/4/1 A (196)
2015-04-29 01:36:00.898175 IP > 41333 1/4/4 A (249)
2015-04-29 01:57:39.175297 IP > 20955% [1au] A? (43)
2015-04-29 01:57:39.233333 IP > 20955*- 1/4/1 A (196)
2015-04-29 03:26:05.632754 IP > 8508% [1au] A? (43)
2015-04-29 03:26:05.708425 IP > 8508*- 1/4/1 A (196)
2015-04-29 04:26:43.319681 IP > 9447% [1au] A? (43)
2015-04-29 04:26:43.377539 IP > 9447*- 1/4/1 A (196)


5 Posts
We have been seeing the same thing over the last week, ever increasing requests for 3478 (STUN) to We are also seeing DNS requests for the same domain. We have packet captures which include a software designation of "Coturn- 'Ardee West'" which indicates they are using this software:

You can see the pcap details at

Also, donning my tinfoil, does ph = "Phone Home?"

7 Posts
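The software string the posts above found in their captures is carried in the STUN SOFTWARE attribute of the server's Binding Response. The RFC 5389 message parser below, an added example and not code from the thread or from coturn, validates the header (magic cookie, length) and walks the attributes so the string can be pulled from a capture; the version in the constructed sample string is a placeholder, as the thread does not give it.

```python
import struct

MAGIC_COOKIE = 0x2112A442
MSG_TYPES = {0x0001: "Binding Request", 0x0101: "Binding Success Response"}
ATTR_NAMES = {0x0001: "MAPPED-ADDRESS", 0x0020: "XOR-MAPPED-ADDRESS",
              0x8022: "SOFTWARE", 0x8028: "FINGERPRINT"}

def parse_stun(data):
    """Parse one RFC 5389 STUN message (the UDP payload) into its type,
    transaction id and attributes; SOFTWARE is decoded as text, everything
    else is left as hex. Raises ValueError for anything that is not STUN."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    # top two bits of the type are always zero; cookie and length must match
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or len(data) != 20 + msg_len:
        raise ValueError("not an RFC 5389 STUN message")
    tid = data[8:20]
    attrs, off = {}, 20
    while off + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        name = ATTR_NAMES.get(atype, f"0x{atype:04x}")
        attrs[name] = value.decode("utf-8", "replace") if atype == 0x8022 else value.hex()
        off += 4 + alen + (-alen % 4)  # values are padded to a 32-bit boundary
    return {"type": MSG_TYPES.get(msg_type, hex(msg_type)), "tid": tid.hex(), "attrs": attrs}

def build_response(tid, software):
    """Constructed test input: a Binding Success Response carrying SOFTWARE."""
    sw = software.encode()
    attr = struct.pack("!HH", 0x8022, len(sw)) + sw + b"\x00" * (-len(sw) % 4)
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC_COOKIE) + tid + attr

def build_request(tid):
    """Constructed test input: a bare Binding Request, as a client would send."""
    return struct.pack("!HHI", 0x0001, 0, MAGIC_COOKIE) + tid

if __name__ == "__main__":
    tid = bytes(range(12))  # constructed transaction id
    # version is a placeholder; the thread only shows "Coturn- 'Ardee West'"
    print(parse_stun(build_response(tid, "Coturn-x.y.z 'Ardee West'")))
```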
With the information others have supplied here, I can confirm that I am seeing DNS requests on all machines exhibiting this traffic.

The was a fluke in that for three users, the dns resolution occurred very, very close to the observed traffic. But it was not happening on all machines.

All machines here are showing the

We are also seeing packets with the same coturn string in them.

6 Posts
We have seen these DNS results for the IP:
First seen Feb 10

1 Posts

6 Posts
I see an HTTP connection to just before the STUN UDP attempts.

