Tech

The CoAP protocol is the next big thing for DDoS attacks

CoAP DDoS attacks have already been detected in the wild, some clocking at 320Gbps.

Written by Catalin Cimpanu, Contributor Dec. 4, 2018 at 8:13 p.m. PT

RFC 7252, also known as the Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attacks, security researchers have told ZDNet.

If readers don't recognize the name of this protocol that's because it's new --being formally approved only recently, in 2014, and largely unused until this year.

What is CoAP?

Security

CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce.

In a very simplistic explanation, CoAP is very similar to HTTP, but instead of working on top of TCP packets, it works on top of UDP, a lighter data transfer format created as a TCP alternative.

Just like HTTP is used to transport data and commands (GET, POST, CONNECT, etc.) between a client and a server, CoAP also allows the same multicast and command transmission features, but without needing the same amount of resources, making it ideal for today's rising wave of Internet of Things (IoT) devices.

But just like any other UDP-based protocol, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the amplification of a DDoS attack.

An attacker can send a small UDP packet to a CoAP client (an IoT device), and the client would respond with a much larger packet. In the world of DDoS attacks, the size of this packet response is known as an amplification factor, and for CoAP, this can range from 10 to 50, depending on the initial packet and the resulting response (and the protocol analysis you're reading).

Furthermore, because CoAP is vulnerable to IP spoofing, attackers can replace the "sender IP address" with the IP address of a victim they want to launch a DDoS attack against, and that victim would receive the blunt force of the amplified CoAP traffic.

The people who designed CoAP added security features to prevent these types of issues, but as Cloudflare pointed out in a blog post last year, if device makers implement these CoAP security features, the CoAP protocol isn't so light anymore, negating all the benefits of a lightweight protocol.

That's why most of today's CoAP implementations forgo using hardened security modes for a "NoSec" security mode that keeps the protocol light, but also vulnerable to DDoS abuse.

The rise of CoAP

But because CoAP was a new protocol, a few hundreds of vulnerable devices here and there would have never been a problem, even if all were running in NoSec modes.

Unfortunately, things started to change. According to a talk that Dennis Rand, founder of eCrimeLabs, gave at the RVAsec security conference over the summer (19:40 mark), the number of CoAP devices has exploded since November 2017.

Rand says the CoAP device count jumped from a lowly 6,500 in November 2017 to over 26,000 the next month. Things got even worse in 2018 because by May that number was at 278,000 devices, a number that today is hovering at 580,000-600,000, according to Shodan, a search engine for Internet-connected devices.

Rand suggests the reason for this explosion is CoAP's use as part of QLC Chain (formerly known as QLink), a project that aims build a decentralized blockchain-based mobile network using WiFi nodes available across China.

But this sudden rise in readily available and poorly secured CoAP clients hasn't gone unnoticed. Over the past few weeks, the first DDoS attacks carried out via CoAP have started to leave their mark.

A security researcher who deals with DDoS attacks but who couldn't share his name due to employment agreements told ZDNet that CoAP attacks have happened on an occasional basis over the past months, with increasing frequency, reaching 55Gbps on average, and with the largest one clocking at 320Gbps.

The 55Gbps average is an order of magnitude superior to the average size of a normal DDoS attack, which is 4.6Gbps, according to DDoS mitigation firm Link11.

Of the 580,000 CoAP devices currently available on Shodan today, the same researcher told ZDNet that roughly 330,000 could be (ab)used to relay and amplify DDoS attacks with an amplification factor of up to 46 times.

Of the attacks the researcher has recorded, most have targeted various online services in China, but also some MMORPGs platforms outside of mainland China.

It is unclear if CoAP has been added as an attack option to DDoS-for-hire platforms, but once this happens, such attacks will intensify even more.

Furthermore, CoAP's use in the real world has exploded this year but was mainly restricted to China. It is safe to assume that once CoAP has already become popular in China, today's main manufacturing hub, vulnerable devices will also spread to other countries as devices made in the communist state are sold overseas.

We've been warned

Just like with the case with most protocols developed with IoT in mind, the issue doesn't seem to reside in the protocol design, which includes some basic security features, but in how device makers are configuring and shipping CoAP in live devices.

Sadly, this isn't something new. Many protocols are often misconfigured, by accident or intentionally, by device makers, which often choose interoperability and ease of use over security.

But the thing that will annoy some security researchers is that some predicted this would happen even before CoAP was approved as an official Internet standard, way back in 2013.

This was a totally avoidable disaster if only countries around the world had more stringent rules about IoT devices and their security features.

On a side note --and coincidentally-- as CoAP DDoS attacks are now beginning to get noticed, Federico Maggi, a security researcher with Trend Micro, has also taken a look at CoAP's DDoS amplification capabilities, research which he's set to present at the Black Hat security conference this week in London.

The same research also looked at a fellow M2M protocol, MQTT, also known to be a mess, and in which the researcher has identified several vulnerabilities.