Running a self-hosted Soulmask dedicated server is rewarding, until someone discovers your STUN/TURN port and turns it into an amplification cannon, either pointed at you or pointed at someone else with your address doing the shooting. STUN/TURN reflection attacks are sneaky, effective, and surprisingly easy to pull off against misconfigured servers. Let's break down how to actually stop them.
What’s Actually Happening With STUN/TURN Reflection?
STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) live on UDP port 3478 by default (TCP 3478 and TLS on 5349 are the usual companions). Attackers send requests whose source address is forged to be the victim's, and the server dutifully answers the victim instead of the attacker. A STUN Binding response is larger than the request that triggered it, so every forged packet costs the victim more bandwidth than it cost the attacker, and an open TURN relay is worse still: it will relay whatever the attacker hands it toward any peer it is allowed to reach. Your coturn instance becomes the weapon without you knowing it.
For Soulmask servers, this matters because the game relies on UDP-based peer coordination. A badly configured coturn deployment sitting next to your game server is an open invitation for abuse.
Layer 1: iptables Ingress Filtering on UDP 3478
Your first line of defense is simple but powerful. Rate-limit new UDP flows to port 3478 per source address, so a burst of requests that all claim the same source is dropped after a handful of packets. Here's a practical starting point:
iptables -A INPUT -p udp --dport 3478 -m state --state NEW -m recent --set
iptables -A INPUT -p udp --dport 3478 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP
This rate-limits new flows aggressively: more than 20 new flows from one source address within 10 seconds and the rest are dropped. You're not blocking legitimate players, who open one or two flows, you're choking the spoofed flood before it consumes bandwidth. It works especially well against reflection because the forged source is the victim's address, so the whole flood collapses onto a single entry in the recent list and trips the limit almost immediately. Two caveats: xt_recent caps --hitcount at 20 unless the module's ip_pkt_list_tot parameter is raised, and every new UDP flow still creates a conntrack entry, so keep an eye on nf_conntrack_max during a flood. Always test rule changes on a staging box first.
Don’t Forget Egress
Block outbound amplified responses too. Cap what leaves port 3478 per destination address in the OUTPUT chain (hashlimit keyed on destination IP does this), so a spoofed victim never receives more than a trickle from your host even if some requests slip past the ingress limit. While you are there, make sure your server never emits packets with a source address that isn't its own (BCP38), so it cannot be the origin of spoofed traffic either. If your server can't reply to spoofed source IPs at volume, the attack loses its punch entirely. Egress filtering is underused and incredibly effective here.
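As an added example, not code from the original article, here is a small POSIX shell script that prints the complete Layer 1 rule set, ingress and egress, so it can be reviewed before being fed to a root shell. It relies only on the recent and hashlimit match modules that ship with iptables; the list name, chain placement and thresholds are assumptions to tune for your player count.

```shell
#!/bin/sh
# Added example (not from the article): print the Layer 1 iptables rule set
# for a coturn listener on UDP 3478, or apply it when run as root with
# "apply" as the first argument. Thresholds and list names are assumptions
# to tune for your player count.

STUN_PORT=3478
NEW_PER_SRC=20        # new flows per source address per window (xt_recent caps
                      # --hitcount at 20 unless ip_pkt_list_tot is raised)
WINDOW_SECS=10        # window for the per-source counter
OUT_RATE="50/sec"     # sustained responses allowed per destination address
OUT_BURST=100         # burst above OUT_RATE tolerated before dropping

# Ingress: per-source limit on new UDP 3478 flows. A reflection flood forges
# the victim's address as source, so the whole flood collapses onto a single
# entry in the "stun" recent list and trips the limit almost immediately.
stun_ingress_rules() {
  echo "iptables -A INPUT -p udp --dport $STUN_PORT -m conntrack --ctstate NEW" \
       "-m recent --name stun --set"
  echo "iptables -A INPUT -p udp --dport $STUN_PORT -m conntrack --ctstate NEW" \
       "-m recent --name stun --update --seconds $WINDOW_SECS --hitcount $NEW_PER_SRC -j DROP"
}

# Egress: cap responses leaving port 3478 per destination address, so a
# spoofed victim never receives more than OUT_RATE from this host even if
# some requests slip past the ingress limit.
stun_egress_rules() {
  echo "iptables -A OUTPUT -p udp --sport $STUN_PORT -m hashlimit --hashlimit-name stun-out" \
       "--hashlimit-mode dstip --hashlimit-above $OUT_RATE --hashlimit-burst $OUT_BURST -j DROP"
}

# All rules, ingress first; kept in one place so they can be reviewed or
# counted before anything touches the firewall.
stun_rules() {
  stun_ingress_rules
  stun_egress_rules
}

# Number of rules generated; a cheap sanity check before applying.
stun_rule_count() {
  stun_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
  stun_rules | sh -e        # needs root; exits on the first failing rule
else
  stun_rules                # default: dry run, print the rules for review
fi
```

Run it with no arguments to see the three rules, and with apply (as root) to install them. The egress rule drops only above the sustained rate per destination, so a player who is the legitimate target of a burst of responses still gets them; a spoofed victim on the receiving end of thousands per second does not.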
Layer 2: Harden coturn Credential Enforcement
An open coturn relay is a gift to attackers. Lock it down hard. Enforce long-term credential authentication in your turnserver.conf, either lt-cred-mech with static users or, better, the TURN REST API form (use-auth-secret with static-auth-secret), which derives short-lived passwords as an HMAC-SHA1 of a timestamped username so a leaked credential dies on its own. Never run coturn with no-auth in production, and set a strict realm value. One caveat a practitioner should know: authentication stops strangers from allocating relays, which removes the worst abuse, but coturn answers STUN Binding requests without credentials by default. If your clients only need TURN relaying, disable Binding with no-stun; otherwise the ingress rate limit above is what contains Binding reflection.
Also restrict where coturn will relay to. Use the denied-peer-ip directive to block the RFC1918 private ranges, loopback and link-local addresses (and their IPv6 equivalents), and no-multicast-peers for multicast. Per-user and total allocation quotas plus a bandwidth ceiling (user-quota, total-quota, max-bps) keep a single authenticated account from becoming a flood source. As a bonus, this stops coturn from being weaponized for internal network pivoting.
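The configuration and the credential scheme described above, as an added example that is not coturn's own tooling or code from the original article: a POSIX shell script that prints a hardened turnserver.conf and mints TURN REST API credentials (username "<expiry-unix-time>:<userid>", password base64(HMAC-SHA1(secret, username))) that coturn verifies under use-auth-secret. The realm, the shared secret, the quotas and whether your game clients need STUN Binding are assumptions; it requires openssl and base64.

```shell
#!/bin/sh
# Added example (not coturn's own tooling): print a hardened turnserver.conf
# and mint TURN REST API credentials (username "<expiry>:<userid>", password
# base64(HMAC-SHA1(secret, username))) that coturn verifies with
# use-auth-secret. Realm, secret, quotas and the game client's need for STUN
# Binding are assumptions. Requires openssl and base64.

REALM="turn.example.com"                                    # assumed realm
SECRET="${TURN_SECRET:-replace-with-openssl-rand-hex-32}"   # assumed shared secret

# Hardened configuration, written to stdout so it can be reviewed and then
# redirected into /etc/turnserver.conf.
turnserver_conf() {
  cat <<EOF
listening-port=3478
realm=$REALM
fingerprint
# time-limited credentials derived from a shared secret; never "no-auth"
use-auth-secret
static-auth-secret=$SECRET
# uncomment to drop STUN Binding handling entirely if clients only need TURN;
# Binding requests are otherwise answered without authentication
# no-stun
# refuse relaying towards private, link-local, loopback and multicast peers
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# cap allocations per user and in total, and the bandwidth per session
user-quota=12
total-quota=1200
max-bps=3000000
no-cli
EOF
}

# turn_password SECRET USERNAME: the password coturn expects for USERNAME
# under use-auth-secret, i.e. base64(HMAC-SHA1(SECRET, USERNAME)).
turn_password() {
  printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | base64
}

# turn_credentials USERID [TTL_SECONDS]: print "username password" for a
# credential that coturn rejects once the embedded expiry time has passed.
turn_credentials() {
  _ttl="${2:-3600}"
  _user="$(( $(date +%s) + $_ttl )):$1"
  echo "$_user $(turn_password "$SECRET" "$_user")"
}

case "${1:-conf}" in
  conf) turnserver_conf ;;                 # ./harden-coturn.sh > /etc/turnserver.conf
  cred) turn_credentials "$2" "${3:-}" ;;  # ./harden-coturn.sh cred player42 600
  *) echo "usage: $0 [conf|cred USERID [TTL]]" >&2; exit 2 ;;
esac
```

Generate the real secret with openssl rand -hex 32 and export it as TURN_SECRET before running the script; the same secret goes into whatever hands credentials to your game clients, which is the only place it should ever be used.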
Layer 3: CDN77 as an Upstream BGP Scrubbing Layer
When volumetric attacks exceed what your host's uplink can absorb, you need upstream help fast. CDN77 offers BGP-announced DDoS scrubbing that re-routes your traffic through their network before it ever reaches your server: legitimate traffic is forwarded, attack traffic is dropped upstream. Because the diversion works at BGP prefix granularity, it assumes your address block can be announced through them (typically at least a /24), which is a conversation to have with your hosting provider before an attack, not during one.
For Soulmask servers, this means your players keep connecting even during active attacks. The scrubbing happens before your iptables rules even see the traffic, which preserves your server’s CPU for actual gameplay.
Putting It All Together
These three layers work best in combination — iptables for local rate limiting, hardened coturn credentials to remove the reflection vector, and CDN77 upstream scrubbing for volumetric resilience. Each layer covers gaps the others leave open.
If you’re unsure how to configure any of this for your specific setup, professional DDoS protection consulting is available to help you design a stack that fits your infrastructure and budget.
Already Under Attack?
Don’t wait it out hoping it stops. Open a support ticket right now and describe your situation — the faster you escalate, the faster your players get back in the game.