Port reference

Port 3478 (UDP/TCP) – STUN / TURN

STUN/TURN — NAT traversal for WebRTC and VoIP; STUN discovers public addresses, TURN relays media.

Transport: UDP / TCP · Port class: Registered · Commonly attacked

Default state

Listening on STUN/TURN servers (coturn and other WebRTC/VoIP deployments) to broker peer connectivity; misconfigured instances answer as unauthenticated open relays.

Common attacks

  • Open-relay abuse to proxy or anonymize traffic
  • UDP reflection/amplification DDoS via STUN responses
  • Credential brute force against TURN long-term auth
  • Internal network probing through misconfigured TURN

Hardening

  • Require authentication on TURN (long-term credentials)
  • Disable open relaying and restrict relay peer ranges
  • Rate-limit and filter to curb amplification abuse
  • Block TURN relays to internal/private IP ranges
  • Keep coturn patched and prefer TURN over TLS (5349)

nmap snippet

nmap -sU -p3478 --script stun-info,stun-version <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 3478?

Port 3478 is the default for STUN and TURN, the NAT-traversal protocols behind WebRTC and VoIP. STUN (RFC 8489) lets a peer learn the public IP and port its NAT has mapped for it (the server-reflexive address) so two endpoints can attempt a direct connection; when that fails (symmetric NAT, restrictive firewalls), TURN (RFC 8656) allocates a relay address on the server and forwards the media through it. Implementations like coturn serve real-time audio, video, and data channels.

Why it matters for security

TURN is, by design, a relay: a client asks the server to allocate a relay address and forward packets to whatever peer it names. If the server grants allocations without authentication, it is an open relay that attackers use to proxy or anonymize traffic and, when relay peers are not restricted, to reach addresses only the server can see, such as its own RFC 1918 network. STUN is a separate problem: a Binding Request can be a bare 20-byte header, while the Binding Response adds XOR-MAPPED-ADDRESS and usually SOFTWARE and FINGERPRINT, so a request with a spoofed source address makes the server send a larger reply at the victim. The amplification factor is modest (low single digits), but STUN servers are plentiful and anonymous by default.
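The exchange described above, as an added example that is not part of the page and not coturn's code: the script builds the 20-byte Binding Request a client (or a spoofing attacker) sends, then parses a constructed Binding Success Response, decoding XOR-MAPPED-ADDRESS against the magic cookie and verifying FINGERPRINT. The public address, port and SOFTWARE string in the sample response are made up; a real server fills them from the request's source and its own build. The size ratio it reports is the amplification the FAQ below refers to.

```python
import os
import struct
import zlib
from ipaddress import IPv4Address

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E  # RFC 5389 section 15.5


def _attr(attr_type: int, value: bytes) -> bytes:
    """TLV attribute; value padded to 4 bytes, length field excludes the padding."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_binding_request(txid: bytes = b"") -> bytes:
    """What a client, or a spoofing attacker, sends: a bare 20-byte header, no attributes."""
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid or os.urandom(12))


def build_binding_response(txid: bytes, ip: str, port: int, software: str) -> bytes:
    """Constructed Binding Success Response with XOR-MAPPED-ADDRESS, SOFTWARE and FINGERPRINT."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(IPv4Address(ip)) ^ MAGIC_COOKIE
    attrs = _attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 0x01, x_port, x_addr))
    attrs += _attr(ATTR_SOFTWARE, software.encode())
    # FINGERPRINT = CRC32 over the message before it (header length already counting
    # the 8-byte FINGERPRINT attribute) XOR 0x5354554e.
    header = struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs) + 8, MAGIC_COOKIE, txid)
    crc = zlib.crc32(header + attrs) ^ FINGERPRINT_XOR
    return header + attrs + _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))


def parse_stun(msg: bytes) -> dict:
    """Validate header, length and FINGERPRINT; decode XOR-MAPPED-ADDRESS (IPv4) and SOFTWARE."""
    if len(msg) < 20:
        raise ValueError("shorter than a STUN header")
    mtype, length, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    # Top two bits of the type are always zero and the cookie is fixed.
    if cookie != MAGIC_COOKIE or mtype & 0xC000 or len(msg) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    out = {"type": mtype, "txid": txid}
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 is decoded in this example")
            out["mapped"] = (str(IPv4Address(x_addr ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16))
        elif atype == ATTR_SOFTWARE:
            out["software"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FINGERPRINT:
            if struct.unpack("!I", value)[0] != zlib.crc32(msg[:off]) ^ FINGERPRINT_XOR:
                raise ValueError("FINGERPRINT mismatch")
            out["fingerprint_ok"] = True
        off += 4 + alen + ((-alen) % 4)
    return out


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the server emits per byte the (possibly spoofed) sender supplied."""
    return len(response) / len(request)


# Constructed exchange: transaction ID, public address/port and SOFTWARE are made up.
REQUEST = build_binding_request(b"\x42" * 12)
RESPONSE = build_binding_response(b"\x42" * 12, "203.0.113.5", 54321, "constructed-stun/1.0")

if __name__ == "__main__":
    print(parse_stun(RESPONSE))
    print(f"{len(REQUEST)} -> {len(RESPONSE)} bytes, x{amplification_factor(REQUEST, RESPONSE):.1f}")
```

The 20-byte request produces a 64-byte reply here; the ratio grows with the SOFTWARE string and any extra attributes (RFC 5780 OTHER-ADDRESS, for example) the server chooses to include.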

How it's attacked

Attackers scan for TURN servers that grant allocations without credentials and relay traffic through them to hide their origin or to reach internal IPs behind the server. They send STUN Binding Requests with spoofed source addresses so the server's larger replies land on a DDoS victim, and they brute force TURN long-term credentials where passwords are weak: USERNAME and REALM travel in the clear, and MESSAGE-INTEGRITY is an HMAC keyed from the password, so a captured authenticated request can be attacked offline as well as online.
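The credential mechanism behind that brute-force risk, as an added example that is not from the page or from coturn: the script derives the RFC 5389 long-term key, builds a constructed TURN Allocate request carrying MESSAGE-INTEGRITY, verifies it the way a server does, and shows why a weak password falls to an offline wordlist. It then mints the time-limited credential format coturn's use-auth-secret mode expects (username "expiry:user", password base64(HMAC-SHA1(secret, username))), which is the usual replacement for static passwords. The realm, nonce, user names, password and shared secret are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Iterable, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
ATTR_REQUESTED_TRANSPORT = 0x0019


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """Long-term credential key (RFC 5389 section 15.4): MD5(username ':' realm ':' password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def iter_attrs(msg: bytes):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        yield atype, value, off
        off += 4 + alen + ((-alen) % 4)


def attr_text(msg: bytes, atype: int) -> str:
    for t, value, _ in iter_attrs(msg):
        if t == atype:
            return value.decode()
    raise ValueError(f"attribute {atype:#06x} missing")


def build_allocate_request(username: str, realm: str, nonce: str, key: bytes, txid: bytes) -> bytes:
    """Constructed authenticated Allocate request (RFC 5766 section 6.1), no FINGERPRINT."""
    attrs = _attr(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0]))  # 17 = UDP
    attrs += _attr(ATTR_USERNAME, username.encode())
    attrs += _attr(ATTR_REALM, realm.encode())
    attrs += _attr(ATTR_NONCE, nonce.encode())
    # The HMAC covers the header plus preceding attributes, with the header length
    # already counting the 24-byte MESSAGE-INTEGRITY attribute.
    header = struct.pack("!HHI12s", ALLOCATE_REQUEST, len(attrs) + 24, MAGIC_COOKIE, txid)
    mac = hmac.new(key, header + attrs, hashlib.sha1).digest()
    return header + attrs + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def check_message_integrity(msg: bytes, key: bytes) -> bool:
    """Recompute HMAC-SHA1 over everything before MESSAGE-INTEGRITY, as a server would."""
    for atype, value, off in iter_attrs(msg):
        if atype == ATTR_MESSAGE_INTEGRITY:
            header = msg[:2] + struct.pack("!H", off + 4) + msg[4:20]
            expected = hmac.new(key, header + msg[20:off], hashlib.sha1).digest()
            return hmac.compare_digest(expected, value)
    return False


def offline_guess(captured: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """USERNAME and REALM are in the clear, so one captured authenticated request lets
    an attacker test guesses offline at one MD5 plus one HMAC-SHA1 each."""
    username = attr_text(captured, ATTR_USERNAME)
    realm = attr_text(captured, ATTR_REALM)
    for password in wordlist:
        if check_message_integrity(captured, long_term_key(username, realm, password)):
            return password
    return None


def ephemeral_credential(user_id: str, shared_secret: str, ttl: int = 3600,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Time-limited credential in the form coturn's use-auth-secret mode validates
    (TURN REST API draft): username '<expiry>:<user>', password base64(HMAC-SHA1)."""
    expiry = (int(time.time()) if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    digest = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


# Constructed capture: a client authenticating to a placeholder realm with a weak password.
CAPTURED = build_allocate_request(
    "alice", "turn.example.com", "constructed-nonce",
    long_term_key("alice", "turn.example.com", "letmein"), b"\x07" * 12)

if __name__ == "__main__":
    print("guessed:", offline_guess(CAPTURED, ["password", "123456", "letmein"]))
    print("ephemeral:", ephemeral_credential("bob", "example-shared-secret", now=1700000000))
```

An ephemeral credential is still a long-term credential on the wire (the server derives the same MD5 key from the expiring username and the HMAC-derived password), so the offline check above applies to it too; what changes is that the "password" is a 20-byte random-looking value tied to a short expiry, which no wordlist will hit.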

Hardening checklist

Require authentication on TURN with long-term credentials, disable open relaying, and restrict the peer ranges a relay may reach — explicitly block internal/private IPs. Apply rate limiting and filtering to curb amplification, keep coturn patched, and prefer TURN over TLS on 5349. Use the nmap snippet above to fingerprint STUN/TURN on servers you are authorized to test.
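The checklist as a coturn turnserver.conf, added here as an example rather than taken from coturn's distributed sample file. It uses only options coturn documents (use-auth-secret, denied-peer-ip, no-multicast-peers, quotas, TLS settings); the realm, certificate paths and secret are placeholders, and the open-relay shape it replaces is shown in comments for contrast.

```ini
# Added example, not coturn's shipped turnserver.conf. Replace the realm,
# paths and secret before use.

# --- The open-relay shape this replaces (do not deploy) ---
# listening-port=3478
# no-auth                     # anyone can Allocate and relay through you
# (no denied-peer-ip lines)   # ...to any address the server itself can reach

# --- Hardened ---
listening-port=3478
tls-listening-port=5349
realm=turn.example.com
fingerprint

# Authentication: short-lived credentials minted by your application server
# from a shared secret (username "<expiry>:<user>", password = HMAC of it).
use-auth-secret
static-auth-secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
# Small static deployments can use lt-cred-mech with user=name:password instead;
# either way the server never runs with no-auth.

# Relay only toward public peers: block RFC 1918, loopback, link-local, CGNAT
# and IPv6 ULA/link-local so allocations cannot be pointed at the inside.
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# If a single private address must stay reachable (for example a media server
# next to the TURN host), re-allow only that address with allowed-peer-ip=<ip>.

# Curb abuse: per-user and total allocation quotas plus a per-session
# bandwidth cap (max-bps).
user-quota=12
total-quota=1200
max-bps=1000000

# TURN over TLS on 5349; drop legacy protocol versions.
cert=/etc/coturn/fullchain.pem
pkey=/etc/coturn/privkey.pem
no-tlsv1
no-tlsv1_1

# Less surface: no telnet admin CLI on 5766, no TCP relay (RFC 6062) unless needed.
no-cli
no-tcp-relay
# If anonymous STUN is not required by your clients, secure-stun makes Binding
# Requests need authentication too, which removes the reflection vector.
# secure-stun
```

The denied-peer-ip ranges act on the peer address a client names in CreatePermission, ChannelBind and Send; they do not stop the server answering STUN, which is why rate limiting at the firewall (or secure-stun where feasible) is still needed for the amplification side.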

Frequently asked questions

What is the difference between STUN and TURN?
STUN helps a peer discover its public IP/port for direct connection. TURN relays the media through the server when direct connectivity fails. TURN must be authenticated to avoid open-relay abuse.
Can port 3478 be used for DDoS?
Yes. STUN binding responses can be larger than requests, so a spoofed-source request makes the server reflect amplified traffic at a victim. Rate limiting and filtering reduce this risk.