Re: [T2TRG] [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 09 February 2022 13:29 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Achim Kraus <achimkraus@gmx.net>, Carsten Bormann <cabo@tzi.org>
CC: "t2trg@irtf.org" <t2trg@irtf.org>, "core@ietf.org" <core@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/LahalC0Re0fNRnKfLlwklU5h5oU>

Achim Kraus wrote:
>Is there any newer or more concrete information about that than
>https://www.netscout.com/blog/asert/coap-attacks-wild ?

I know that Achim already saw this info on GitHub, but it might be interesting for the rest of the list as well.

Looking for newer information on CoAP amplification attacks I found a report from Radware. One of their figures shows that CoAP was behind a significant part (around 15% maybe) of global DDoS attacks in Q4 2020 and Q1 2021, but not at all in Q2 and Q3 of 2021.
https://www.radware.com/2021q3-ddos-report/

Seems unclear how the attacks were done, why they stopped, and if CoAP DDoS are likely to come back.

Cheers,
John

From: Achim Kraus <achimkraus@gmx.net>
Date: Wednesday, 2 February 2022 at 18:52
To: Carsten Bormann <cabo@tzi.org>, John Mattsson <john.mattsson@ericsson.com>
Cc: t2trg@irtf.org <t2trg@irtf.org>, core@ietf.org <core@ietf.org>
Subject: Re: [core] New Version Notification for draft-mattsson-core-coap-attacks-02.txt
Hi John,
Hi Carsten,
Hi List,

about the amplification attacks:

Is there any newer or more concrete information about that than
https://www.netscout.com/blog/asert/coap-attacks-wild ?

(My impression is, that others mainly refer to the same.
You may check my list on
https://github.com/eclipse/californium/wiki/Links-to-CoAP-or-DTLS-1.2-research-information#security---dtls--coap
).

I'm not sure if there is a common, realistic understanding of the
"nature" of such an attack. At least I have many more questions than
answers. E.g., is amplification only relevant above some threshold?
Means, if a request with 80 bytes is used and the response has 160, is
that relevant? Or must the response be above 400 bytes in order to get
relevant? So, in theory there may be a lot of rules, but I'm afraid,
that these rules stay theoretical, complicated, and maybe practically wrong.

best regards
Achim Kraus

P.S.:
The number of unencrypted coap devices is currently declining.
It's now about 270.000 to 330.000. My own scan showed
an average response size of 338 bytes, and a median of 143 bytes.

https://github.com/eclipse/californium/wiki/Links-to-CoAP-or-DTLS-1.2-research-information#research-sites---current-scans

On 02.02.22 at 18:03, John Mattsson wrote:
> Conclusion (at least my understanding) from today's interim:
>
>     Split the current document in two different documents:
>
> 1. Attacks on CoAP
>
> 2. Attacks using CoAP (amplification attacks)
>
> CORE will have an adoption call on the first document.
>
> We will discuss where to work on the second part.
>
> Carsten suggested to work on amplification attacks purely in T2TRG. I
> think I would be ok with that approach as long as we have a plan for
> what to do in the meantime. I think all future IETF documents (not only
> IoT and not only CoAP) need to have much stricter requirements on
> denial-of-service mitigation. If IETF does not have a good DoS hygiene,
> likely nobody else will.
>
> As a security person, I would like to start with hard requirements like
> QUIC and then soften the requirements when we have more knowledge, but I
> agree that this is problematic for constrained IoT and not optimal at
> all. But DoS mitigation does cost, and devices need to take that cost. The
> alternative is that somebody else (services and infrastructure) has to
> take the cost, which is unacceptable.
>
> *From: *Carsten Bormann <cabo@tzi.org>
> *Date: *Wednesday, 2 February 2022 at 15:49
> *To: *John Mattsson <john.mattsson@ericsson.com>
> *Cc: *core@ietf.org <core@ietf.org>, t2trg@irtf.org <t2trg@irtf.org>
> *Subject: *Re: [core] New Version Notification for
> draft-mattsson-core-coap-attacks-02.txt
>
> On 2022-02-02, at 15:43, John Mattsson <john.mattsson@ericsson.com> wrote:
>>
>> Publish
>
> I think we need to discuss what this means.
>
> In order of effort/time needed:
>
> 1 Publishing as a BCP >
> 2 Publishing as a (WG consensus) informational RFC >
> 3 Publishing as an (RG consensus) informational RFC >
> 4 Publishing as an (RG-sponsored) informational RFC >
> 5 Publishing as an Internet-Draft
>
> We already have (5); this could be improved by separating the DoS part
> (attacking using CoAP) from the attacking CoAP part.
> Further improved by adopting (in RG or WG, depending on next step).
>
> Obviously, we also want to move forward on the attacking CoAP part.
> Similar considerations apply, but I think these should be run separately.
>
> Regards, Carsten
>
>