IoT Protocol Vulnerable to Exploitation for DDoS Attacks

IoT vulnerabilities

Internet of Things (IoT) devices are transforming the world. Their evolution enables the development and automation of Industries and Cities. The number of connected devices is now huge and increases efficiency wherever they are used.

IoT devices are now well understood to be largely exposed from a security perspective, as their software is rarely updated, and they often have non-configurable or default passwords.  The latest discovery, is a vulnerability in the connections to IoT devices and the protocol commonly used to exchange information between them.


Constrained Application Protocol (CoAP) is a machine-to-machine (M2M) protocol, described in RFC 7252, designed for web transfer between smart IoT devices. CoAP is based on HTTP but uses the User Datagram Protocol (UDP) at transport layer. It is capable of the key Web REST concepts, such as GET and POST.

CoAP supports 4 message types, indicated by the following 2 bits:

  • CON: 00 (Confirmable Message Request). If the client does not receive an ACK it retransmits the same CON message
  • NON: 01 (Non-Confirmable Request). The client does not expect an ACK message.
  • ACK: 10 (Acknowledgement/Payload).
  • RST: 11 When NON-Message cannot be processed by a recipient. It may reply with (RST)

It is the use of UDP which makes CoAP vulnerable. As with other UDP reflection vectors, attackers send simple queries to vulnerable reflectors, using spoofed IPs, so the amplified response is sent to the victim. For this CoAP attack, the reflector response is amplified with a factor which can be in excess of 30, enabling large floods of DDoS traffic to be generated.

In 2017 the number of CoAP reflectors was around 6,000. Today, according Shodan (a search engine for Internet-connected devices), there are 572,615 vulnerable reflectors around the world, including Philippines, China and Russia as the top host countries. The top 4 Organizations are all telecommunication Companies.

Investigations revealed that most CoAP reflectors respond to the “/.well-known/core” request for hosted resource links, if a QLC Chain (qlink) Payload is used. QLC Chain is a public decentralized peer-to-peer Network-as-a-service (NAS) for exchanging data and services.

Amplification Factor

Attacker use vulnerable CoAP nodes as amplifiers, converting light CoAP requests into  much larger response packets. CoAP uses a discovery mechanism to obtain the list of linked resources. An URI can be queried with GET (/.well-known/core) to obtain a list of resources known to that node.

The smallest CoAP message is 4 bytes in length, followed by a variable length token between 0 and 8 bytes to correlate the requests/responses. With a 21 byte GET request, the average response has been seen to increase around 28 times.

Attack Timeline

Over past year Corero detected and mitigated more than 350 CoAP anomalies. Illustrated below is the increasing trend over the past 12 months.  Between August and December 2019 few attacks were reported, while between January to July this increased to over 300.

Corero recorded an average duration of 26 minutes across all the CoAP attacks, with the longest lasting for 5 days. Taking this extreme out of the equation, the average is around 6 minutes per attack. Some of those anomalies were multi-vector and many included destination unreachable responses, which are a clear indicator of a reflection attack.

Some of the largest attacks reached around 7 Gbps and lasted more than 45 minutes. This is not extremely high, when compared to other reflection attacks, such as DNS, LDAP or NTP but, it can still be enough to significantly impact a victim.

In terms of location, the top source countries were China, with more than 80%, followed by Philippines Thailand and Russia. The majority of the source Autonomous System Numbers (ASN), during the analysis period, belonged to Mobile Communication Enterprises Located in China.

Requests were typically sent to port 5683 asking for a Discovery response, with a relatively fixed payload. Almost every attack analyzed had a similar Qlink payload.


There are clear signs which point to CoAP being exploited to carry out reflective DDoS attacks. The most obvious, is the presence of ICMP failed reflector responses, with all the recoded packets being ACK.  This is likely propagated by the ease with which a list of vulnerable CoAP nodes can be collated, using readily available tools such as NMAP or Shodan. Investigations have shown that most vulnerable nodes change their address every 2 weeks. The use of out-of-date device lists would explain the considerable number of failed reflectors seen with these attacks.

Reflective DDoS remains one of the most popular attack types and IoT protocols are now exacerbating this trend. Registered CoAP anomalies may affect business and connectivity. Due to CoAP increased popularity, this anomaly may change and be more effective in the near future.

As recently as February CoAP was only being used to target a few organizations. However, since then, it looks like the CoAP attack is becoming much more popular, with a greater number of attacks and enterprises being impacted by it.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us.