Any open service will eventually be abused by some bad actors.
Perhaps rate limiting per IP can help? But then the lookups needed to enforce this rate limiting will add a new load to the server, I reckon, even if such a program were done “lazily” to scan through the logs and ban misusers based on their stats (not in real-time as the connection is done).
Not really, this is more a question of someone with millions or tens of millions of users who need STUN pointing them at our server. Each user is indistinguishable from the next and doesn’t add much traffic by themselves, there’s just suddenly a lot of them.
STUN as a protocol is quite simple and doesn’t offer much for authentication, and the authentication stuff that’s there would be (for our purposes) more of a simple obfuscation since any keys and credentials need to be public.
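To make the two points in this thread concrete (the cost of a per-IP rate limit, and how little the built-in STUN authentication buys a public server), here is an added example that is not from any of the posters. It implements the RFC 5389 Binding request/response framing, the MESSAGE-INTEGRITY check (HMAC-SHA1 over the message, with the header length field covering the integrity attribute), and a per-source token bucket in front of the handler. The key, the rate/burst numbers, the transaction ID and the addresses are all constructed for the demo; in a real deployment of the long-term credential mechanism the key is MD5(username:realm:password), and for a public STUN server those values have to be published, so anyone can produce a valid MAC.

```python
import hashlib
import hmac
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def _attr(attr_type, value):
    """One TLV attribute, value padded to a 4-byte boundary (RFC 5389 s15)."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def build_message(msg_type, txn_id, attrs, key=None):
    """20-byte header + attributes; with a key, append MESSAGE-INTEGRITY as the last attribute."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    if key is None:
        return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txn_id + body
    # The HMAC input uses a header whose length already counts the 24-byte MI attribute (s15.4).
    hdr = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC_COOKIE) + txn_id
    mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
    return hdr + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_message(data):
    """Return (type, transaction id, [(attr_type, value, offset_in_message), ...])."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txn_id = data[8:20]
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    attrs, offset = [], 20
    while offset < 20 + length:
        t, l = struct.unpack("!HH", data[offset:offset + 4])
        attrs.append((t, data[offset + 4:offset + 4 + l], offset))
        offset += 4 + l + ((4 - l % 4) % 4)
    return msg_type, txn_id, attrs


def verify_integrity(data, key):
    """Recompute the HMAC over everything before MESSAGE-INTEGRITY; False if absent or wrong."""
    msg_type, txn_id, attrs = parse_message(data)
    for t, v, off in attrs:
        if t == ATTR_MESSAGE_INTEGRITY:
            hdr = struct.pack("!HHI", msg_type, off + 4, MAGIC_COOKIE) + txn_id
            expected = hmac.new(key, hdr + data[20:off], hashlib.sha1).digest()
            return hmac.compare_digest(expected, v)
    return False


def xor_mapped_address(ip, port):
    """IPv4 XOR-MAPPED-ADDRESS: port XOR top 16 bits of the cookie, address XOR the cookie."""
    addr = int.from_bytes(socket.inet_aton(ip), "big") ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr)


def decode_xor_mapped_address(value):
    _, _family, xport, xaddr = struct.unpack("!BBHI", value)
    return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


class TokenBucket:
    """Per-source-IP token bucket. The enforcement cost is one dict lookup per packet,
    which is far cheaper than the parse and HMAC that follow it."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # ip -> (tokens, last_seen); a real server would also expire idle entries

    def allow(self, ip, now):
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[ip] = (tokens, now)
            return False
        self.state[ip] = (tokens - 1, now)
        return True


def handle_request(data, src_ip, src_port, bucket, now, key=None):
    """Server side: drop over-rate sources first, then answer a Binding Request with the
    sender's reflexive address. Returns the response bytes or None if dropped."""
    if not bucket.allow(src_ip, now):
        return None
    msg_type, txn_id, _ = parse_message(data)
    if msg_type != BINDING_REQUEST:
        return None
    if key is not None and not verify_integrity(data, key):
        return None
    attrs = [(ATTR_XOR_MAPPED_ADDRESS, xor_mapped_address(src_ip, src_port))]
    return build_message(BINDING_SUCCESS, txn_id, attrs, key)


if __name__ == "__main__":
    key = b"public-password"  # constructed; a public STUN server has to hand this to every client
    req = build_message(BINDING_REQUEST, bytes(range(12)), [], key)
    bucket = TokenBucket(rate=1.0, burst=2)
    resp = handle_request(req, "203.0.113.7", 40000, bucket, now=0.0, key=key)
    _, _, attrs = parse_message(resp)
    print("reflexive address:", decode_xor_mapped_address(attrs[0][1]))
```

Note what the integrity check does and does not give you here: it rejects garbage and corrupted packets, but since the same key is in every client, it does nothing to tell one sender from another or to stop the large-population case described above; the token bucket is what actually bounds per-source load, and its per-packet cost is the dictionary lookup, not a log scan.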