{"id":150,"date":"2026-05-02T11:39:27","date_gmt":"2026-05-02T14:39:27","guid":{"rendered":"https:\/\/miraiguard.com\/learn\/mitigating-stun-turn-amplification-attacks-soulmask-dedicated-server\/"},"modified":"2026-05-02T11:39:27","modified_gmt":"2026-05-02T14:39:27","slug":"mitigating-stun-turn-amplification-attacks-soulmask-dedicated-server","status":"publish","type":"post","link":"https:\/\/miraiguard.com\/learn\/mitigating-stun-turn-amplification-attacks-soulmask-dedicated-server\/","title":{"rendered":"Stop STUN\/TURN Amplification Attacks on Your Soulmask Server Before They Kill Your Game"},"content":{"rendered":"<p>Running a self-hosted Soulmask dedicated server is rewarding \u2014 until someone discovers your STUN\/TURN port and turns it into an amplification cannon aimed back at you. STUN\/TURN reflection attacks are sneaky, effective, and surprisingly easy to pull off against misconfigured servers. Let&#8217;s break down how to actually stop them.<\/p>\n<h2>What&#8217;s Actually Happening With STUN\/TURN Reflection?<\/h2>\n<p>STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) live on UDP port 3478 by default. Attackers send spoofed requests to open STUN\/TURN servers, and those servers dutifully blast amplified responses at the victim&#8217;s IP. Your coturn instance becomes the weapon without you knowing it.<\/p>\n<p>For Soulmask servers, this matters because the game relies on UDP-based peer coordination. A badly configured coturn deployment sitting next to your game server is an open invitation for abuse.<\/p>\n<h2>Layer 1: iptables Ingress Filtering on UDP 3478<\/h2>\n<p>Your first line of defense is simple but powerful. Drop unsolicited UDP traffic on port 3478 from addresses that haven&#8217;t established a session. 
Here&#8217;s a practical starting point:<\/p>\n<p><code>iptables -A INPUT -p udp --dport 3478 -m state --state NEW -m recent --set<br \/>iptables -A INPUT -p udp --dport 3478 -m state --state NEW -m recent --update --seconds 10 --hitcount 20 -j DROP<\/code><\/p>\n<p>This rate-limits new connection attempts aggressively, per source address. The first rule records every source that sends a new packet to UDP 3478; the second drops new packets from any source that has reached 20 hits within the last 10 seconds. Because reflected traffic carries the victim&#8217;s address as its source, that same limit caps how much your server can be made to send at any one target. You&#8217;re not blocking legitimate players \u2014 you&#8217;re choking the spoofed flood before your server spends outbound bandwidth answering it. Always test rule changes on a staging box first.<\/p>\n<h3>Don&#8217;t Forget Egress<\/h3>\n<p>Block outbound amplified responses too. If your server can&#8217;t reply to spoofed source IPs with large payloads, the attack loses its punch entirely. Egress filtering is underused and incredibly effective here.<\/p>\n<h2>Layer 2: Harden coturn Credential Enforcement<\/h2>\n<p>An open coturn relay is a gift to attackers. Lock it down hard. Enforce long-term credential authentication in your turnserver.conf \u2014 never run coturn with <code>no-auth<\/code> in production. Set strict realm values and use time-limited credentials with HMAC-SHA1 secrets.<\/p>\n<p>Also restrict which IP ranges coturn will relay traffic for. Use the <code>denied-peer-ip<\/code> directive to block RFC1918 private ranges and loopback addresses. This stops coturn from being weaponized for internal network pivoting as a bonus.<\/p>\n<h2>Layer 3: CDN77 as an Upstream BGP Scrubbing Layer<\/h2>\n<p>When volumetric attacks exceed what your host&#8217;s uplink can absorb, you need upstream help fast. CDN77 offers BGP-announced DDoS scrubbing that re-routes your traffic through their network before it ever reaches your server. Legitimate packets get cleaned and forwarded; garbage gets dropped upstream.<\/p>\n<p>For Soulmask servers, this means your players keep connecting even during active attacks. 
The scrubbing happens before your iptables rules even see the traffic, which preserves your server&#8217;s CPU for actual gameplay.<\/p>\n<h2>Putting It All Together<\/h2>\n<p>These three layers work best in combination \u2014 iptables for local rate limiting, hardened coturn credentials to remove the reflection vector, and CDN77 upstream scrubbing for volumetric resilience. Each layer covers gaps the others leave open.<\/p>\n<p>If you&#8217;re unsure how to configure any of this for your specific setup, professional DDoS protection consulting is available to help you design a stack that fits your infrastructure and budget.<\/p>\n<h2>Already Under Attack?<\/h2>\n<p>Don&#8217;t wait it out hoping it stops. Open a support ticket right now and describe your situation \u2014 the faster you escalate, the faster your players get back in the game.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>STUN\/TURN reflection attacks can weaponize your coturn server against your own Soulmask dedicated server if left misconfigured. 
This guide covers iptables ingress filtering, coturn credential hardening, and CDN77 upstream BGP scrubbing to shut down amplification attacks at every layer.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[87],"tags":[495,493,491,489],"class_list":["post-150","post","type-post","status-publish","format-standard","hentry","category-game-servers","tag-cdn77-scrubbing","tag-coturn-hardening","tag-soulmask-ddos-protection","tag-stun-turn-amplification"],"views":2,"_links":{"self":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts\/150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/comments?post=150"}],"version-history":[{"count":0,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts\/150\/revisions"}],"wp:attachment":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/media?parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/categories?post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/tags?post=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}