Patch for abuse of 401 Unauthorized responses


Lisa Maginnis

Oct 31, 2024, 7:08:42 AM
to TURN Server (Open-Source project)
Hello everyone!

We've been seeing abuse of our Coturn servers via spoofed UDP packets allowing an actor to reflect and moderately amplify their traffic to a desired target.

To remedy this I've written a patch to allow for 401 responses to be rate-limited over a window of time (for example: 100 requests that result in a 401 response in 60 seconds). After the window has expired, 401 responses can be sent again.

This patch is meant to mitigate abuse of Coturn servers; more details can be found in the pull request here: https://github.com/coturn/coturn/pull/1588

I think it is also worth mentioning potential 401-response-based abuse found in the wild:


Any feedback is appreciated,
~Lisa Marie Maginnis
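The following is an added illustration of the fixed-window scheme described in the post above (at most N 401 responses per window, counter reset once the window expires). It is written for this page and is not coturn's code or the contents of the linked pull request; the type and function names, the decision to silently suppress the 401 once the limit is reached (rather than answer with anything else), and the flood sizes in the simulation are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not coturn code: a fixed-window limiter for
 * 401 Unauthorized responses. The limiter is global (not keyed per
 * source address) because in a reflection attack the UDP source
 * address is spoofed to be the victim's, so per-source keying would
 * only limit traffic toward each victim, not total reflected output. */
typedef struct {
    uint32_t max_per_window;  /* e.g. 100 responses */
    uint32_t window_seconds;  /* e.g. 60 seconds */
    uint64_t window_start;    /* timestamp at which the current window began */
    uint32_t sent_in_window;  /* 401s already sent in the current window */
} unauth_limiter_t;

void limiter_init(unauth_limiter_t *l, uint32_t max_per_window,
                  uint32_t window_seconds, uint64_t now) {
    l->max_per_window = max_per_window;
    l->window_seconds = window_seconds;
    l->window_start = now;
    l->sent_in_window = 0;
}

/* Called when a request would normally be answered with a 401.
 * Returns true if the 401 may be sent, false if it must be suppressed
 * (assumed behaviour: the request is dropped without any reply). */
bool limiter_allow_401(unauth_limiter_t *l, uint64_t now) {
    /* Fixed window: once window_seconds have elapsed, start a new one. */
    if (now - l->window_start >= l->window_seconds) {
        l->window_start = now;
        l->sent_in_window = 0;
    }
    if (l->sent_in_window >= l->max_per_window)
        return false;
    l->sent_in_window++;
    return true;
}

/* Simulate `requests` unauthenticated requests (spoofed, so every one
 * would trigger a 401) arriving evenly over `duration` seconds starting
 * at t = 0, and return how many 401s the limiter actually lets out. */
uint32_t simulate_flood(uint32_t max_per_window, uint32_t window_seconds,
                        uint32_t requests, uint32_t duration) {
    unauth_limiter_t l;
    limiter_init(&l, max_per_window, window_seconds, 0);
    uint32_t sent = 0;
    for (uint32_t i = 0; i < requests; i++) {
        uint64_t now = (uint64_t)i * duration / requests;
        if (limiter_allow_401(&l, now))
            sent++;
    }
    return sent;
}

int main(void) {
    /* Constructed traffic figures: a 1000-packet spoofed burst over 10 s,
     * then the same volume spread over two 60 s windows. */
    printf("no limit,  1000 req / 10 s : %u 401s sent\n",
           simulate_flood(UINT32_MAX, 60, 1000, 10));
    printf("100/60 s,  1000 req / 10 s : %u 401s sent\n",
           simulate_flood(100, 60, 1000, 10));
    printf("100/60 s,  1000 req / 120 s: %u 401s sent\n",
           simulate_flood(100, 60, 1000, 120));
    return 0;
}
```

Because the window is fixed rather than sliding, a flood that straddles a window boundary can draw up to twice the configured limit within a span shorter than one window; that is an accepted trade-off here for the simplicity of a single counter, and the ceiling on reflected traffic is still bounded by max_per_window per window.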