Weaponizing CoAP For DDoS Attacks
In his latest article, Security Researcher Francesco Cipollone covers a little history of DoS and DDoS attacks and explains how the IoT CoAP protocol can be weaponized for DDoS attacks.
In recent years we have seen the rise of DDoS attacks (see, for example, the top 5 visible attacks) over the web, and some of the recent attacks have leveraged IoT devices (see the Corero article). In this article I'm going to cover some history of DoS and DDoS, as well as the new lightweight protocol for IoT and how it can be weaponized to generate a new stream of IoT DDoS attacks.
DoS and DDoS a bit of history
DDoS is a variation of the DoS attack and stands for Distributed Denial of Service. A DoS attack involves a device sending a large number of requests, legitimate or not, to a target endpoint. The distributed version of the DoS attack scales the attack across a number of sources. The attack is particularly devastating because it sometimes cannot be distinguished from a peak of legitimate requests. For more details refer to this Wikipedia article on DoS and the different kinds of DoS attack.
CoAP - A Bit Of History
The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things.
The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation; for more details refer to RFC 7252. CoAP was designed to run on small, smart devices, which generally have limited resources.
IoT - A Bit Of History
The term Internet of Things refers to a stream of technology that embeds communication capabilities in small objects. From the interesting article:
Internet of Things = “Sensors and actuators embedded in physical objects are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet.“
[Figure: IoT Hype (all rights reserved to Gartner)]
In simplistic terms, IoT has been applied to all things connected. The technology has gone through a hype period (refer to the Gartner article) and is slowly finding its applications...
Abuse Of The Protocol
Why is CoAP going to be abused? Because it is new, because it is lightweight and because it has not been fully tested. This aside, CoAP works similarly to HTTP, but instead of the traditional TCP protocol it uses UDP... this means that packets don't need to be acknowledged... an easy target for DoS and DDoS.
Like HTTP, CoAP is used to transfer data, but over UDP instead. Like HTTP it supports commands (e.g. POST, Connect, Get, etc.).
CoAP also supports multicast and command transmission, but because it uses UDP it does not need to maintain a session table and is therefore not so resource intensive.
For this specific reason it is a very nice protocol for small, resource-scarce devices such as IoT; e.g. why would a pencil connected over the web need a TCP connection table... and why would a pencil need to be connected at all (this discussion is undoubtedly outside the scope of this article).
CoAP is prone to the same kinds of vulnerability as other UDP-based protocols:
The two above enable the reflection and amplification of DDoS attacks.
Considering the recent attacks leveraging IoT devices, having a protocol (CoAP) that allows UDP packets to be sent with an amplification factor of 10 to 50x is a scary thought. Depending on the initial packet size this could have devastating effects.
Inside CoAP an attacker is able to replace the source IP (also known as the sender IP), as the protocol is vulnerable to IP spoofing. Moreover, because the client is not authenticated and no confirmation is required (as it is with TCP), an attacker is even more incentivised to send packets with bogus IP addresses... the reflected responses end up generating even more traffic (as said before, a reflection factor of 10-50x).
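As an added example (not from the original article or from any CoAP project), here is a defender-side Python snippet that parses the RFC 7252 fixed header of two UDP datagrams and flags a response that echoes the request's token while being at least 10x larger, the kind of ratio described above. The packets are constructed samples, not captured traffic, and the function names are my own.

```python
import struct
from dataclasses import dataclass

AMPLIFICATION_THRESHOLD = 10  # low end of the 10-50x range discussed above
TYPE_NAMES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}


@dataclass
class CoapHeader:
    msg_type: int    # 0=CON, 1=NON, 2=ACK, 3=RST
    code: int        # requests are class 0 (e.g. GET=0x01); responses are class 2-5 (>= 0x40)
    message_id: int
    token: bytes

def parse_coap(datagram: bytes) -> CoapHeader:
    """Decode the 4-byte fixed header and token of a CoAP message (RFC 7252 section 3)."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than a CoAP header")
    first, code, message_id = struct.unpack("!BBH", datagram[:4])
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1 or tkl > 8 or len(datagram) < 4 + tkl:
        raise ValueError("not a well-formed CoAP header")
    return CoapHeader(msg_type, code, message_id, datagram[4:4 + tkl])

def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes reflected towards the (possibly spoofed) source per byte received."""
    return len(response) / len(request)

def is_amplified_reflection(request: bytes, response: bytes) -> bool:
    """True when a response that matches the request token is >= THRESHOLD times larger.

    A CoAP response echoes the request token (RFC 7252 section 5.3.1), so a token match
    plus a response-class code ties the two datagrams together without any TCP-style state.
    """
    req, resp = parse_coap(request), parse_coap(response)
    return (resp.token == req.token and resp.code >= 0x40
            and amplification_factor(request, response) >= AMPLIFICATION_THRESHOLD)

# Constructed sample (not captured traffic): a 23-byte CON GET /.well-known/core, the
# standard resource-discovery request, and a 669-byte piggybacked 2.05 Content ACK.
SAMPLE_REQUEST = bytes([0x42, 0x01, 0x12, 0x34]) + b"\xab\xcd" + b"\xbb.well-known" + b"\x04core"
SAMPLE_RESPONSE = (bytes([0x62, 0x45, 0x12, 0x34]) + b"\xab\xcd"  # ACK, 2.05, same token
                   + b"\xc1\x28" + b"\xff"                         # Content-Format 40, payload marker
                   + b'</sensors/temp>;rt="temperature",' * 20)    # link-format listing

if __name__ == "__main__":
    req, resp = parse_coap(SAMPLE_REQUEST), parse_coap(SAMPLE_RESPONSE)
    print(f"{TYPE_NAMES[req.msg_type]} {len(SAMPLE_REQUEST)} B -> {TYPE_NAMES[resp.msg_type]} "
          f"{len(SAMPLE_RESPONSE)} B, x{amplification_factor(SAMPLE_REQUEST, SAMPLE_RESPONSE):.1f}, "
          f"flagged={is_amplified_reflection(SAMPLE_REQUEST, SAMPLE_RESPONSE)}")
```

Run over request/response pairs seen on UDP port 5683, the same check gives a per-pair amplification measurement, which is what a defender needs to decide whether a device should answer unauthenticated discovery requests from the open internet.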
CoAP had very good intentions (low resource use, lightweight)... but attackers have the bad tendency to find malicious uses for all good intentions.
More recently CoAP has added security features, as described in section 10 of the RFC and in further research. There was some additional research, as pointed out in the Cloudflare blog post last year, but the consequence of adding security measures to a lightweight protocol is a resource cost: it is not lightweight anymore.
So this article leaves you with the question: lightweight and potentially insecure, or medium weight and medium security? And another question: would you like your toaster and your camera to start a DDoS storm and bring your home network to a grinding halt? If you want more information or help with your cybersecurity strategy, please drop me a note on LinkedIn, Twitter @Franksec42 or by e-mail to Francesco.cipollone (at) Nsc42.co.uk.
And yes, I will be shamelessly asking you to follow NSC42 and our blog.