[core] The CoAP protocol is the next big thing for DDoS attacks | ZDNet

Carsten Bormann <cabo@tzi.org> Thu, 06 December 2018 23:26 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE2B130F35 for <core@ietfa.amsl.com>; Thu, 6 Dec 2018 15:26:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIFdu_eLl4jz for <core@ietfa.amsl.com>; Thu, 6 Dec 2018 15:26:27 -0800 (PST)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69851130E5A for <core@ietf.org>; Thu, 6 Dec 2018 15:26:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost2.informatik.uni-bremen.de [IPv6:2001:638:708:30c8:406a:91ff:fe74:f2b7]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id wB6NQGpa018178 for <core@ietf.org>; Fri, 7 Dec 2018 00:26:21 +0100 (CET)
Received: from [192.168.217.102] (p54A6CE66.dip0.t-ipconnect.de [84.166.206.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 439sDS35lXz1Bqf; Fri, 7 Dec 2018 00:26:16 +0100 (CET)
From: Carsten Bormann <cabo@tzi.org>
Content-Type: text/plain; charset=utf-8
X-Mao-Original-Outgoing-Id: 565831574.019737-932dbf9349cbd9383ca00cd4a894bd7d
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 7 Dec 2018 00:26:15 +0100
Message-Id: <A7F0D33E-4175-4920-830B-34ED4BED3972@tzi.org>
To: "core@ietf.org WG" <core@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Gsqtx7e3QbKr52yL0vOAM4w8vKA>
Subject: [core] The CoAP protocol is the next big thing for DDoS attacks | ZDNet
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 23:26:33 -0000

CoAP is making some waves in a not so nice way:

> https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/ <https://www.zdnet.com/article/the-coap-protocol-is-the-next-big-thing-for-ddos-attacks/>

The potential for amplification in a UDP-based protocol of course is not news.  
We wrote about that in the RFC:

https://tools.ietf.org/html/rfc7252#section-11.3

Still, the attention this is getting may be a good occasion to examine how CoAP has been implemented by the platforms that make themselves exploitable as DDoS amplifiers.

(And the amplification issue will be exploited by outlets that claim that it can be used to “remotely control IoT endpoints by leveraging security issues”, as e.g.:
https://futureiot.tech/top-iot-protocols-mqtt-coap-have-major-flaws-warns-trend-micro/
Of course, if it becomes the fashion to make CoAP servers without security available to the Internet at large, this might even be true.)

Grüße, Carsten