CoAP Attacks In The Wild
Attackers have recently begun launching reflection/amplification DDoS attacks that abuse the Constrained Application Protocol (CoAP), a protocol used today primarily by mobile phones in China but expected to grow with the explosion of Internet of Things (IoT) devices. As with any reflection/amplification attack, attackers begin by scanning for abusable addresses, then send a flood of requests spoofed with the source address of their target so that the reflectors' larger responses land on the victim. Using our honeypot collection, ASERT has been tracking low levels of scanning for some time, but has only recently observed a series of attacks utilizing CoAP. Attackers' use of the protocol is very basic so far, but it has the potential to become more sophisticated as they experiment.
NOTE: NETSCOUT Sightline/TMS and APS/AED can detect, classify, traceback, and block CoAP-based reflection/amplification DDoS attacks
- Scanning activity has remained relatively constant, but January 2019 saw an increase in the number of DDoS attacks utilizing CoAP.
- The average amplification factor for CoAP is 34, in the midrange for UDP protocols commonly abused for reflection/amplification.
- The vast majority of internet-accessible CoAP devices are located in China and utilize a mobile peer-to-peer network.
- CoAP devices are transient by nature: over 80% changed addresses within two weeks. This dampens the abusability of the exposed devices, since attackers have to continually rescan to establish fresh IP addresses to use in attacks.
The Constrained Application Protocol, known as CoAP (RFC 7252), is a lightweight request/response protocol over UDP intended for constrained, low-power devices on unreliable networks, such as IoT or mobile devices. At its simplest the protocol looks like HTTP, with familiar methods like GET and PUT. Unlike HTTP, CoAP is a compact binary format that operates over UDP port 5683 (5684 for CoAP over DTLS), and there is no handshake: a server answers whatever source address appears in the request datagram. A GET request for the URI /.well-known/core is shown below. This well-known resource (the CoRE Link Format of RFC 6690) is where a device publishes the resources it exposes, so it is the natural first probe for a scanner.
Fig 1: CoAP GET /.well-known/core
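To make the wire format concrete, the following Python builds the /.well-known/core probe byte by byte, parses a reply, and computes the amplification factor from the two datagram lengths. This is an added example, not code from the original post or from NETSCOUT. The link-format reply it parses is a constructed sample for a hypothetical device; it is not the QLC Chain response described later in the post, whose content is not reproduced here.

```python
import struct

# CoAP constants from RFC 7252 / RFC 6690.
CON, NON, ACK, RST = 0, 1, 2, 3
CODE_GET = 0x01           # method code 0.01
CODE_CONTENT = 0x45       # response code 2.05 (class 2, detail 5)
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
CT_LINK_FORMAT = 40       # application/link-format
PAYLOAD_MARKER = 0xFF


def _encode_field(value):
    """Encode an option delta or length as its 4-bit nibble plus any extension bytes."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def encode_options(options):
    """Encode (number, value) pairs as delta-encoded CoAP options, sorted by number."""
    out, prev = bytearray(), 0
    for number, value in sorted(options, key=lambda o: o[0]):
        d_nib, d_ext = _encode_field(number - prev)
        l_nib, l_ext = _encode_field(len(value))
        out.append((d_nib << 4) | l_nib)
        out += d_ext + l_ext + value
        prev = number
    return bytes(out)


def build_message(msg_type, code, msg_id, options=(), token=b"", payload=b""):
    """Serialize one CoAP message: 4-byte header, token, options, optional payload."""
    if len(token) > 8:
        raise ValueError("token longer than 8 bytes")
    header = bytes([(1 << 6) | (msg_type << 4) | len(token), code]) + struct.pack("!H", msg_id)
    body = token + encode_options(options)
    if payload:
        body += bytes([PAYLOAD_MARKER]) + payload
    return header + body


def build_well_known_core_get(msg_id=1):
    """The scanner probe: a confirmable GET with Uri-Path '.well-known' and 'core' (21 bytes)."""
    return build_message(CON, CODE_GET, msg_id,
                         options=[(OPT_URI_PATH, b".well-known"), (OPT_URI_PATH, b"core")])


def _decode_field(nibble, data, pos):
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return data[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", data, pos)[0] + 269, pos + 2
    raise ValueError("reserved option nibble 15")  # only legal as the 0xFF payload marker


def parse_message(data):
    """Parse a CoAP datagram into its fields, rejecting malformed input instead of guessing."""
    if len(data) < 4:
        raise ValueError("datagram shorter than the 4-byte CoAP header")
    b0, code, msg_id = data[0], data[1], struct.unpack_from("!H", data, 2)[0]
    version, msg_type, tkl = b0 >> 6, (b0 >> 4) & 0x3, b0 & 0xF
    if version != 1 or tkl > 8:
        raise ValueError("bad version or token length")
    pos = 4 + tkl
    token = bytes(data[4:pos])
    options, number = [], 0
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        b, pos = data[pos], pos + 1
        delta, pos = _decode_field(b >> 4, data, pos)
        length, pos = _decode_field(b & 0xF, data, pos)
        if pos + length > len(data):
            raise ValueError("option value runs past end of datagram")
        number += delta
        options.append((number, bytes(data[pos:pos + length])))
        pos += length
    payload = b""
    if pos < len(data):                     # stopped on the payload marker
        payload = bytes(data[pos + 1:])
        if not payload:
            raise ValueError("payload marker followed by no payload")
    return {"version": version, "type": msg_type, "code": f"{code >> 5}.{code & 0x1F:02d}",
            "msg_id": msg_id, "token": token, "options": options, "payload": payload}


def amplification_factor(request, response):
    """Bandwidth amplification: response bytes over request bytes (CoAP layer only)."""
    return len(response) / len(request)


# Constructed sample: a link-format reply from a hypothetical device (not a real QLC Chain reply).
SAMPLE_LINK_FORMAT = (b'</sensors/temp>;rt="temperature-c";if="sensor",'
                      b'</sensors/light>;rt="light-lux";if="sensor",'
                      b'</config>;ct=40,</firmware>;ct=42;sz=8192')


def sample_response(msg_id=1):
    """Piggy-backed 2.05 Content ACK carrying the constructed link-format payload."""
    return build_message(ACK, CODE_CONTENT, msg_id,
                         options=[(OPT_CONTENT_FORMAT, bytes([CT_LINK_FORMAT]))],
                         payload=SAMPLE_LINK_FORMAT)


if __name__ == "__main__":
    req, resp = build_well_known_core_get(), sample_response()
    print(len(req), req.hex())
    print(parse_message(resp))
    print(f"amplification: {amplification_factor(req, resp):.1f}x")
```

The probe serializes to exactly 21 bytes (4-byte header, a 12-byte `.well-known` option, a 5-byte `core` option), which is the request size the scan results below are measured against; the parser's length checks matter because a reflector or honeypot will see plenty of truncated and non-CoAP garbage on this port.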
The risk of abuse for a connectionless UDP service that answers unauthenticated requests is apparent. A threat actor can build a list of IPs that respond to CoAP, then continually send a flood of requests whose source address is spoofed to that of the intended target; each reflector dutifully sends its larger response to the victim.
Since we began monitoring CoAP activity, we have seen a steady stream of scans for UDP port 5683, almost all of them GET requests for /.well-known/core. Some scans are obviously from security researchers; others are not.
Fig 2: CoAP scan activity
In mid-January 2019 we began to see DDoS attacks leveraging CoAP. The targets were geographically and logically well distributed, with little commonality between them. An average attack lasts just over 90 seconds, with the attacker generating about 100 packets per second toward the reflectors.
Fig 3: CoAP attack activity
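From the victim's side, such an attack looks like unsolicited UDP traffic with source port 5683 arriving from many hosts at once, with an average packet size close to a /.well-known/core response. The following Python is an added example, not from the original post or from a NETSCOUT product, of a flow-record heuristic for that pattern. The flow records are constructed for the example, and the thresholds (minimum distinct reflectors, minimum bytes per packet, minimum unsolicited fraction) are assumptions a deployment would tune to its own traffic and evaluate per time window.

```python
from collections import defaultdict
from dataclasses import dataclass

COAP_PORT = 5683


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style), constructed for this example."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    pkts: int
    octets: int


def detect_coap_reflection(flows, min_sources=10, min_bytes_per_pkt=200, min_unsolicited=0.9):
    """Flag destinations receiving unsolicited, oversized UDP/5683-sourced traffic from many hosts.

    Thresholds are assumed defaults for illustration, not measured values.
    """
    # Outbound CoAP requests: (client, server) pairs for which a reply is legitimately expected.
    solicited = {(f.src_ip, f.dst_ip) for f in flows
                 if f.proto == "UDP" and f.dst_port == COAP_PORT}

    per_dst = defaultdict(lambda: {"sources": set(), "pkts": 0, "octets": 0, "unsolicited": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != COAP_PORT:
            continue
        agg = per_dst[f.dst_ip]
        agg["sources"].add(f.src_ip)
        agg["pkts"] += f.pkts
        agg["octets"] += f.octets
        # A reply the destination never asked for is the signature of reflection.
        if (f.dst_ip, f.src_ip) not in solicited:
            agg["unsolicited"] += f.pkts

    alerts = []
    for dst, agg in per_dst.items():
        bpp = agg["octets"] / agg["pkts"]
        unsolicited = agg["unsolicited"] / agg["pkts"]
        if (len(agg["sources"]) >= min_sources and bpp >= min_bytes_per_pkt
                and unsolicited >= min_unsolicited):
            alerts.append({"victim": dst, "reflector_count": len(agg["sources"]),
                           "pkts": agg["pkts"], "bytes_per_packet": bpp,
                           "unsolicited_fraction": unsolicited})
    return sorted(alerts, key=lambda a: a["pkts"], reverse=True)


def sample_flows():
    """Constructed records: one legitimate CoAP exchange, some port-5683 noise, and a reflected flood."""
    flows = [
        Flow("10.0.0.5", "198.51.100.7", "UDP", 41234, COAP_PORT, 1, 63),      # client request
        Flow("198.51.100.7", "10.0.0.5", "UDP", COAP_PORT, 41234, 1, 762),     # its reply
        Flow("198.51.100.8", "10.0.0.6", "UDP", COAP_PORT, 5000, 3, 150),      # small, single source
    ]
    # 30 reflectors each answer requests the victim never sent; 720 bytes is the
    # average /.well-known/core response size measured in the scan below.
    for i in range(1, 31):
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.9", "UDP", COAP_PORT, 40000, 300, 300 * 720))
    return flows


if __name__ == "__main__":
    for alert in detect_coap_reflection(sample_flows()):
        print(alert)
```

The single legitimate exchange is not flagged because it comes from one source and was solicited; the flood is flagged because dozens of reflectors send large, unsolicited responses to one destination. Blocking on source port 5683 alone would also drop real CoAP replies, so the unsolicited check is what keeps the heuristic usable on a network that actually runs CoAP.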
To better understand the population of potential CoAP reflectors, we performed internet-wide reconnaissance. Our methodology mirrors the scanning activity we observed: issuing a GET request for /.well-known/core and recording the results.
At the time of our scan, 388,344 internet-accessible hosts answered as CoAP devices, after discarding the 3.5% of responses that were a different protocol or garbage data. With a 21-byte GET request and an average response of 720 bytes, the bandwidth amplification factor is about 34 (720/21). This is about the middle of the pack when compared to other UDP protocols abused for reflection/amplification.
Fig 4: Map of CoAP devices
81% of CoAP devices are located in China, dwarfing the next largest populations in Brazil, Morocco, South Korea, and the United States. Of the 315,594 CoAP devices in China, all but 382 responded to a request for /.well-known/core with a QLC Chain (formerly known as Qlink) response.
Fig 5: QLC Chain response
QLC Chain is a peer-to-peer network that advertises itself as a “Next Generation Public Chain for Decentralized Network-as-a-Service”.
An interesting aspect of a protocol used primarily by transient (mobile) devices is that their IP addresses change often. Comparing two scans performed two weeks apart, only 20% of the addresses appeared in both. Compared to SSDP, which has a similar amplification factor, the transient nature of CoAP devices means attackers have to constantly rescan for abusable addresses in order to be effective.
There are about 12 times as many SSDP devices accessible on the internet as CoAP devices, and SSDP devices don't move around the network as often as CoAP devices do. Despite this hurdle, attackers have chosen to add the CoAP reflection/amplification DDoS vector to their arsenal. The bandwidth ultimately consumed by these attacks will vary with technique and with the freshness of the attackers' reflector list. With the vast majority of CoAP devices located in China and running QLC Chain, the currently abusable CoAP reflectors/amplifiers appear to be a limited-scope software monoculture that will likely change as CoAP grows in popularity. The initial wave of attacks uses well-known behavior of the protocol, but there are other features, perhaps not as widely implemented, that could make CoAP an even more effective vector. We expect attackers to continue to advance the state of the art, while we continue to observe and counter their DDoS attack techniques.