Tags: Amplification, UDP, Reflection, Spoofable
STUN stress test
Bounces spoofed STUN binding requests off open STUN servers so amplified replies arrive at your test target, validating reflection defenses on infrastructure you own.
How it works
STUN servers on UDP/3478 answer binding requests with responses larger than the query, so an attacker spoofing the victim's source address turns each open reflector into an amplifier pointed at the target. This method drives that reflection path against your own endpoint to measure how much amplified UDP your link and scrubbing tier absorb. It validates ingress filtering, reflection-vector rate limits, and whether your upstream recognizes and drops unsolicited STUN responses.
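A defender-side check for the last point above (recognizing unsolicited STUN responses), added here as an example and not RETRO//STRESS code: it parses the RFC 5389 header and counts inbound binding responses whose transaction ID matches no outbound request from the same host. The record layout, function names and sample records are assumptions constructed for illustration.

```python
import struct
from collections import Counter

MAGIC_COOKIE = 0x2112A442  # RFC 5389 fixed value in header bytes 4..7
BINDING_REQUEST, BINDING_SUCCESS, BINDING_ERROR = 0x0001, 0x0101, 0x0111

def parse_stun(payload):
    """Return (msg_type, transaction_id) for a well-formed STUN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits must be zero, cookie must match, attributes are 4-byte aligned.
    # Legacy RFC 3489 messages carry no cookie and are ignored here.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length % 4:
        return None
    if length != len(payload) - 20:
        return None
    return msg_type, payload[8:20]

def unsolicited_responses(packets):
    """packets: iterable of (direction, local_ip, remote_ip, payload).
    Returns Counter: local_ip -> bytes of STUN responses with no matching request."""
    pending = set()  # (local_ip, remote_ip, transaction_id) of our own requests
    hits = Counter()
    for direction, local_ip, remote_ip, payload in packets:
        parsed = parse_stun(payload)
        if parsed is None:
            continue
        msg_type, txid = parsed
        key = (local_ip, remote_ip, txid)
        if direction == "out" and msg_type == BINDING_REQUEST:
            pending.add(key)
        elif direction == "in" and msg_type in (BINDING_SUCCESS, BINDING_ERROR):
            if key in pending:
                pending.discard(key)  # legitimate reply to a request we sent
            else:
                hits[local_ip] += len(payload)  # reflected traffic candidate
    return hits

def _sample(msg_type, txid, body=b""):
    # Constructed test message: header plus opaque attribute bytes.
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body

SAMPLE = [  # constructed records, documentation address ranges only
    ("out", "203.0.113.45", "198.51.100.7", _sample(BINDING_REQUEST, b"A" * 12)),
    ("in", "203.0.113.45", "198.51.100.7", _sample(BINDING_SUCCESS, b"A" * 12, b"\0" * 12)),
    ("in", "203.0.113.45", "198.51.100.9", _sample(BINDING_SUCCESS, b"B" * 12, b"\0" * 12)),
    ("in", "203.0.113.45", "198.51.100.9", b"not stun"),
]

if __name__ == "__main__":
    print(dict(unsolicited_responses(SAMPLE)))
```

A per-host byte count that keeps growing while `pending` stays empty is the signal that responses are arriving without requests, which is what an upstream drop rule for this vector should key on.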
Parameters
rate        600k pps            Request rate driven through the reflector set
reflectors  open resolver pool  Count of open STUN servers used to bounce traffic
amp factor  ~2-10x              Approximate response-to-request size ratio
duration    10-300 s            Length of the reflection test
Run it from the CLI
retro-cli
$ retro run stun --target 203.0.113.45 --duration 120
STUN FAQ
Is STUN testing legal?
Only against infrastructure you own or are authorized to test. RETRO//STRESS requires authorized targets.
What does STUN stress?
Bounces spoofed STUN binding requests off open STUN servers so amplified replies arrive at your test target, validating reflection defenses on infrastructure you own.
Can I combine it with other methods?
Yes, add it as a step in a packet chain to sequence it with other protocols.