DDoS attackers have a powerful new weapon: the CoAP protocol

Constrained Application Protocol (CoAP), a protocol designed primarily for IoT devices, is increasingly becoming a target for abuse. CoAP is now being used by cybercriminals to execute large-scale DDoS attacks, according to security researchers.

CoAP, formally known as RFC 7252, might be lesser known to developers as it was approved only back in 2014 and has not been widely used until very recently.

What is CoAP?

CoAP falls into the category of machine-to-machine (M2M) protocols, which are designed to be used on devices with low computing power and memory. Being an application layer protocol, CoAP is similar to HTTP, with one major difference - it runs on top of UDP, which is a lighter data format compared to TCP, which, in turn, is used in case of HTTP.

However, the use of a UDP-based protocol comes with its own set of vulnerabilities like IP address spoofing and packet amplification, both of which are highly useful for launching large-scale scale DDoS attacks.

When an attacker sends a small packet to the targeted device and receives a much larger packet in response, it increases the severity of the DDoS attack. When targeting IoT devices using the CoAP protocol, the amplification factor can vary between 10 and 50, depending on several factors. Thus, its a potent target for DDoS attackers.

Moreover, attackers can easily take down a target using IP spoofing by replacing the “sender IP address” with the IP address of their target, which, in turn, results in a bombardment of large packets.

Though the protocol’s designers put in security measures to prevent these issues, it results in a very heavy implementation of the protocol, thus, losing the core benefit of being a lightweight protocol, Cloudflare researchers explained in a blog post. Due to this, most CoAP implementations run in “NoSec” security mode which makes them highly vulnerable to DDoS attacks.

The rise of CoAP

CoAP vulnerabilities remained relatively unnoticed since its release, as very few devices were using it. However, recently, the situation has drastically changed as the use of CoAP has grown tremendously. Hundreds of thousands of estimated CoAP devices are in use today, which is a massive contrast to last year, when merely a few thousand devices used CoAP.

According to Dennis Rand, founder of eCrimeLabs, the number of CoAP devices stood at only 6,500 in November 2017 which rose to 26,000 within a month and all the way to 278,000 by May 2018. Shodan estimates the current count of such devices between 580,000 to 600,000 Rand said during his talk at the RVAsec security conference in summer earlier this year. The use of CoAP in QLC Chain, a decentralized blockchain-based mobile network using WiFi nodes in China, is the reason behind this explosion of device counts, according to Rand.

However, attackers have already been actively exploiting these vulnerabilities. An anonymous security researcher told ZDNet about occasional CoAP attacks in recent months, with an average frequency of 55Gbps and the highest one at 320Gbps. Over half of the 580,000 CoAP devices are currently susceptible to abuse by attackers, with up to 46 times amplification factor, the researcher added.

• Most attacks recorded by the researcher have targeted various Chinese online services and some MMORPG platforms outside mainland China.
• The average frequency numbers are already over 10 times higher than the 4.6Gbps average for a normal DDoS attack, reported Link11
• It is currently unknown whether CoAP is being offered on DDoS-for-hire platforms, which would only exacerbate the threat.
• The growth of CoAP devices is expected to spread to other countries beyond China as sales of such devices manufactured in China grow in other countries.

Early warnings

Similar to other IoT-focused protocols, device manufactures who configure and ship CoAP devices are believed to be responsible for the improper security configuration that makes devices vulnerable to attacks. However, some experts sounded the alarm about such attacks way back in 2013, even before CoAP was approved.

This current threat could likely have been prevented if stringent regulations for IoT devices and their security had been put in place by governments. However, the silver lining in this dark cloud is that the increasing attention that the current threat has garnered could bring about a solution.

At the upcoming Black Hat security conference, Trend Micro researcher Federico Maggi is going to present his research about CoAP’s DDoS amplification potential.