What is CoAP and is it the next DDoS

Updated: Jun 18, 2019

Intro:

In recent years we saw the rise of DDoS attacks (an example of top 5 visible attacks) over the web, and some of the recent attacks have leveraged the IoT (some reference to the correro article).

In this article, I’m going to cover some history on DoS and DDoS as well as the new IoT lightweight protocol for IoT and how it can be weaponised to generate a new stream of IoT DDoS attacks.

DoS and DDoS a bit of history

DDoS is a variation of DoS attack and means Distributed Denial of service. The DoS attack implies a device is sending some requests, legitimate or not, to a target endpoint. The Distributed version of the DoS attack scales the attack across a number of the source. The attack is particularly devastating as sometimes can’t be distinguished from a peak of legitimate requests. For more details refer to the Wikipedia article on DoS.

CoAP a bit of history

The Constrained Application Protocol (CoAP) is a specialised web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

For more detail refer to RFC 7252. The CoAP i designed as a machine-to-machine (M2M) protocol, that can run on small and smart devices. Those devices generally have limited resources.

IoT and a bit of history

Internet of Thing term refers to a stream of technology that embeds communication capabilities to small objects. From the interesting article:

Internet of Things = “Sensors and actuators embedded in physical objects are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet.“

To go in simple term, IoT has name has been used for all thing connected. The technology has gone through a hype period (refer to Gartner article) and slowly found its applications.

Abuse of the protocol

Why is CoAP going to be abused? Because it is new, because it is lightweight and because it has not been completely security tested.

Aside from the possible security vulnerabilities, CoAP works similarly to HTTP but instead of the traditional TCP protocol it uses UDP…this means that packets don’t need to get acknowledged … easy target for DoS and DDoS.

Like HTTP CoAP is used to transfer data but using UDP instead. Like HTTP it supports commands (e.g. POST, Connect, Get etc…).

CoAP also supports multicast and command transmission but because it utilises UDP it does not require to maintain session table and hence is not so resource intensive.

For this specific reason is a very nitche protocol for small and resource-scarce devices like IoT, e.g. why a pencil connected over the web would need to have a TCP connection table…and why a pen would need to be connected (this discussion is undoubtedly outside the scope of this article).

CoAP is prone to the same kind of vulnerability as other UDP-based protocols:

IP Address Spoofing Packet amplification

The two above enable the reflection and amplification of DDoS attacks.

Considering the recent attack leveraging IoT devices having a protocol that enable to send UDP packets (CoAP) with an amplification factor from 10 to 50x can be a scary thought. Depending on the initial packet size this could lead to devastating effects

An attacker will be able, inside CoAP, to replace the source IP (also known as sender IP) as the protocol is vulnerable to IP spoofing. Moreover, because the client does not authenticate or require confirmation (as with TCP) an attacker is even more stimulated in sending the packet with bogus Ip address…eventually, they will end up reflecting and generating even more traffic (as said before reflection factor 10–50x).

Conclusions:

CoAP had excellent intention (low resource, lightweight)…but the attackers have the terrible tendency to find malicious elements in all good purpose.

Of recent CoAP added security feature as described here: section 10 of RFC and further research.

There was some additional research as pointed out from Cloudflare blog post last year,

But the consequence adding security measures to a lightweight protocol comes at a resource cost, and well it does not make it lightweight anymore.

So this article will leave you with the question of lightweight and potentially insecure or medium weight and medium security.

Also, the question would you like your toaster and your camera to start a DDoS storm and bringing your home network to a grind?

If you want to have some more information or get help on your cybersecurity strategy to get in contact, please drop me a note on LinkedIn, Twitter @Franksec42 or to my e-mail Francesco.cipollone (at) Nsc42.co.uk.

And yes I will be shamelessly asking you to foll.ow NSC42 and our blog.