stun.syncthing.net doesn't resolve anymore

Syncthing’s STUN server used to have the domain of stun.syncthing.net, but that doesn’t resolve to anything anymore.

I shut it down because keeping it running wasn’t feasible under the circumstances.

Context: STUN server misuse

2 Likes

To add to what happened after: traffic kept growing and blocking didn’t help much since it’s UDP and clients keep trying. I think we were up to 200 Mbps of incoming UDP when I dropped the A record. So whatever we end up doing in the future, stun.syncthing.net is probably permanently burned as a name.

1 Like

A public STUN server with a fixed domain will always end up on lists like this. The only viable defense is to switch to a different domain from time to time.

Yeah… And I’m the first to recognise the irony/hypocrisy of on the one hand decrying non-Syncthing clients using our STUN server and on the other hand now just relying on other people’s public STUN servers…

A hardcoded auth credential might help a bit, at least as a clear official discouragement.

1 Like

STUN with authentication requires a bit of effort. This should be enough to discourage the laziest of abusers.

Showerthought: resolving the actual STUN server address via a DNS SRV record might also be an alternative. It’s three lines of code in Go, but renders the server pretty much unusable for any browser WebRTC stuff.

8 Likes
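
The SRV-based lookup suggested in the last post, sketched as an added example (not code from the thread or from Syncthing): the client resolves `_stun._udp.<domain>` and tries the returned targets in priority order. `stunCandidates`, `fakeLookup` and the `example.net` records are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// srvLookup matches net.LookupSRV, so the real resolver or a fake fits.
type srvLookup func(service, proto, name string) (string, []*net.SRV, error)

// stunCandidates (hypothetical) returns host:port for _stun._udp.<domain>.
func stunCandidates(lookup srvLookup, domain string) ([]string, error) {
	_, records, err := lookup("stun", "udp", domain)
	if err != nil {
		return nil, fmt.Errorf("SRV lookup for %s: %w", domain, err)
	}
	// Lowest priority first; stable, so the resolver's weight order is kept.
	sort.SliceStable(records, func(i, j int) bool {
		return records[i].Priority < records[j].Priority
	})
	var out []string
	for _, r := range records {
		host := strings.TrimSuffix(r.Target, ".")
		if host == "" || r.Port == 0 { // RFC 2782: target "." = not offered
			continue
		}
		out = append(out, net.JoinHostPort(host, strconv.Itoa(int(r.Port))))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no usable STUN SRV records for %s", domain)
	}
	return out, nil
}

// fakeLookup returns constructed records; pass net.LookupSRV for real DNS.
func fakeLookup(service, proto, name string) (string, []*net.SRV, error) {
	return "", []*net.SRV{
		{Target: "stun-b.example.net.", Port: 3478, Priority: 20},
		{Target: ".", Port: 0, Priority: 5},
		{Target: "stun-a.example.net.", Port: 3479, Priority: 10},
	}, nil
}

func main() {
	fmt.Println(stunCandidates(fakeLookup, "example.net"))
}
```

Because the host and port come from the SRV record, the operator can move or renumber the server by editing DNS without shipping a new client.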