What is CoAP (Constrained Application Protocol)?

Introduction

Do you ever wonder how smart thermostats, climate control systems, building access systems, or machine monitoring devices communicate over the internet to help make sure everything is working as it should, or alert you when there’s a potential problem?

These Internet of Things (IoT) devices have limited processor, memory, and power resources, and sometimes have to operate in challenging network environments where network connectivity may be limited. So developers must be savvy and optimize their designs so the devices can operate as they should despite resource constraints. The Constrained Application Protocol (CoAP) has low overhead and high reliability, so it’s ideally suited to enable communication for resource-constrained devices and networks.

In this blog we’ll discuss the role of CoAP in IoT, including its benefits and functionality. We’ll also compare CoAP with HTTP and MQTT, two closely related protocols, and explore the cyber risks that organizations face as IoT devices proliferate and how to mitigate that risk.

How Does CoAP Function?

Every internet user is familiar with HTTP, which stands for Hypertext Transfer Protocol and is a core component of everyday Internet use. Each time you type a website URL into a browser, click on a link, or click on a mobile web application on your phone, HTTP works behind the scenes to enable information exchange.

CoAP functions as a sort of HTTP for restricted devices, enabling equipment such as sensors to communicate within the interconnected IoT fabric. These sensors communicate by passing along their data to another device or server. Also, like HTTP, the communication is based on a request-reply model, although a reply is not always required. CoAP succeeds in networks with a lot of congestion or limited connectivity, where other protocols, such as HTTP and MQTT, can’t exchange information successfully. CoAP can also continue to operate reliably even in environments where there is poor signal quality.

CoAP’s Role in IoT

The IoT market is continuing to grow rapidly and is expected to reach 18.8 billion devices by the end of 2024 according to research firm IoT Analytics, up from 16.6 billion at the end of 2023. That’s a huge number of devices. But if you think about the applications of IoT devices in smart home automation, industrial settings, environmental monitoring, smart agriculture, healthcare wearables, and smart cities – around the world – you can see where that number comes from.

As a communication protocol that is highly adaptable to diverse IoT applications, CoAP helped to facilitate the development of these applications and spur market growth. Key characteristics, including its lightweight design, efficient use of network resources, and compatibility with HTTP principles, make it a seamless way for IoT devices to communicate and interact.

Implementation of CoAP in Modern Technology

Established protocols like HTTP that rely on TCP/IP work well in traditional computing environments where devices have ample memory and processing power and access to high-bandwidth networks that deliver a continuous stream of information quickly. However, the overhead these protocols carry is ill-suited to devices such as wearables, sensors, and embedded systems that operate under stringent resource limitations. Additionally, the requirements for constant connection and session management aren’t workable for IoT devices that often have intermittent connectivity and limited energy reserves.

CoAP was introduced in 2014 to address these limitations and create a way for IoT devices to communicate efficiently within their resource-constrained environments. Instead of using TCP/IP, CoAP operates over UDP to create a lightweight approach to data transmission that is ideally suited for IoT applications where intermittent bursts of information are sent as needed. CoAP supports this through the concept of “observe”. For example, in a climate-controlled situation a device will send a message when it senses a drop or increase in temperature that exceeds a predetermined threshold, instead of sending updates continuously.

Benefits of CoAP for IoT

CoAP has been a boon for IoT devices, delivering a host of benefits that have accelerated the development of new product categories and entire industries.

Efficient Resource Utilization

CoAP is very lightweight to conserve resources, which makes it well suited to low-power devices and networks.

Low Overhead

Because CoAP uses UDP instead of TCP, it requires less overhead, so it works well in constrained environments.

Scalability

CoAP’s architecture is easily adaptable to various devices across diverse IoT applications for a high degree of scalability.

Intermittent Connectivity

CoAP’s ability to observe and then communicate allows devices to exchange data efficiently and only as needed.

Multicast Communication

CoAP can send information to multiple devices simultaneously for efficient communication.

Confirmable Messages

To ensure critical messages are received and processed, CoAP provides the option of including a request for acknowledgement from the recipient that a message was received.

CoAP Functionality

CoAP is a protocol created specifically for IoT communication and the landscape of diverse devices and applications.

The Role of CoAP in IoT Devices

CoAP offers a streamlined way for IoT devices to send and receive information. It is designed to adapt to the constraints of low-powered devices, enabling them to communicate while conserving energy resources. Its use of UDP and its simple request-response model allows IoT devices to communicate efficiently and reliably, whether sending sensor data, receiving commands, or participating in more complex interactions.

Message Distribution in CoAP

CoAP supports both unicast (one-to-one) and multicast (one-to-many) communication to optimize message distribution efficiency. For example, for specific queries or commands, unicast works well. However, for alerts or updates, multicast message distribution optimizes network usage and reduces the overall communication overhead.

CoAP vs HTTP

CoAP is often thought of as HTTP for IoT devices, and their similarities and differences reflect that. Both use similar structures so the transition to CoAP from HTTP is relatively easy for developers. However, as their differences reflect, CoAP is tailored for IoT devices and the resource-constrained networks in which they operate. Meanwhile, HTTP is used in traditional computing environments and the web where its features make it inherently more reliable and robust, but also create overhead and inefficiencies for constrained devices and networks.

Similarities between CoAP and HTTP

  • Request-Response Model: Both CoAP and HTTP follow a request-response communication model where the client sends a request, and the server responds with data or an action.
  • Header Fields: Both CoAP and HTTP use header fields with metadata about the request or response.
  • URI Structure: Both CoAP and HTTP specify the target resource in a standardized format.

Differences between CoAP and HTTP

  • Transport Protocol
      • CoAP: Works over UDP, which is connectionless and lightweight.
      • HTTP: Works over TCP which ensures reliable and ordered communication but with higher overhead than UDP.
  • Header Size
      • CoAP: Smaller headers help limit overhead.
      • HTTP: More extensive headers provide additional metadata and features.
  • Efficiency
      • CoAP: Supports features that enable efficiency, like tokenization which allows lightweight state tracking, as well as “observe” which reduces the need for frequent polling.
      • HTTP: Additional metadata and features come at the cost of efficiency.
  • Reliability
      • CoAP: Acknowledgement feature to confirm receipt of messages can be turned on for more critical messaging but isn’t always on.
      • HTTP: The request-response feature embeds reliable communication within the design.

CoAP vs MQTT (Message Queuing Telemetry Transport)

Think of MQTT as a precursor to CoAP. Like HTTP, MQTT is a client-server protocol that runs over TCP connections. However, MQTT was designed for machine-to-machine communication, which today is subsumed into the broader category of IoT.

Despite MQTT’s applicability for IoT devices and similarities with CoAP, MQTT and CoAP in IoT have important differences. Many of these differences stem from the fact that MQTT was designed 15 years before CoAP. This makes MQTT a more mature protocol than CoAP with more resources available to developers, such as libraries and tools, and, therefore, more widespread adoption, although CoAP is gaining in popularity. MQTT was also designed specifically to collect and process data from oil and gas pipelines, so its model is well suited for applications of similar scope and usage. Let’s compare them more closely.

Similarities between CoAP and MQTT

  • IoT Communication Protocols: Both CoAP and MQTT are designed to exchange data efficiently between IoT devices and applications.
  • Lightweight and Little Overhead: Both CoAP and MQTT have minimal overhead and are lightweight, so they work well for devices that have limited processing power, memory, and bandwidth.
  • Publish-subscribe Model: Both CoAP and MQTT publish data to specific topics that other devices can subscribe to and receive data on those topics.
  • Quality of Service (QoS): Both CoAP and MQTT include capabilities to ensure the reliable delivery of messages based on the importance of the data being transferred.

Differences between CoAP and MQTT

  • Transport Protocol
      • CoAP: Works over UDP, which is connectionless and lightweight.
      • MQTT: Works over TCP, which ensures reliable and ordered communication but with higher overhead than UDP.
  • Message Type
      • CoAP: Supports both unicast and multicast and is designed to interact with resources directly.
  • Resource Interaction
      • CoAP: Designed for direct interaction with resources.
  • Topic Structure
      • CoAP: Uses the URI structure to send or request data from a particular resource or group of resources, which is similar to HTTP.
      • MQTT: Uses a more topic-based structure to organize messages.
  • Usage and Scope
      • CoAP: Ideally suited for monitoring and controlling IoT devices with limited resources.
      • MQTT: Ideal for large-scale deployments where devices need to publish data to multiple subscribers efficiently, such as real-time telemetry, monitoring, and remote sensing applications.

How Does CoAP Work?

Let’s look more closely at how CoAP operates from a technical standpoint to bring these pieces together and understand the unique value of CoAP to IoT communications.

  • Request-Response Model: As with HTTP, a client initiates a request to a server or directly to an IoT device which responds with the requested data or action. The format used is very similar to HTTP including GET, PUT, POST, and DELETE. This simplifies interaction with both IoT device-to-server communication and directly between devices.
  • Use of UDP: CoAP’s use of UDP instead of TCP is ideal for constrained environments as it requires less overhead. However, it also is less reliable than TCP. To make up for that, CoAP offers three levels of reliability (confirmable messaging, non-confirmable, and acknowledgement) to support various use cases.
  • Multicast Support: In instances where different devices need to receive the same message, CoAP messages can be sent to multiple recipients simultaneously. This helps reduce network traffic and increase efficiency.
  • Observe Mechanism: Further increasing efficiency, CoAP can request to “observe” the state of a device and receive updates when the device changes, instead of frequently polling. This conserves energy and bandwidth.
  • Tokenization and Message ID: To ensure the right message is going to the right device and vice versa, CoAP uses tokenization and message ID to correlate and confirm communication.
  • Proxying and Caching: Where scaling and optimization are needed, CoAP can use intermediary devices to forward requests between clients and servers. It also uses caching to enhance performance and reduce network traffic.

IoT Devices and DDoS Attacks

CoAP uses Datagram Transport Layer Security (DTLS) for secure communication, including protection against many attacks. However, when CoAP security features are implemented, the protocol isn’t as light, so DTLS is not always turned on.

Unfortunately, when security measures aren’t implemented, like any other UDP-based protocol, CoAP is susceptible to IP address spoofing and packet amplification that can lead to significant DDoS attacks, such as a UDP Flood DDoS attack. In this type of attack, threat actors spoof a target’s IP address and send out requests for information to vulnerable servers that send responses back to the victim’s actual IP address, overwhelming the victim’s servers. Threat actors can also target IoT devices and use them to form DDoS botnets.

Given that IoT devices like scanners, wearables, and phones move around, attackers have to scan for IP addresses they can use to execute an attack. This adds another step to the threat actor’s process. But once that piece of information is obtained, they can execute disruptive and damaging attacks, including hybrid attacks that combine a DDoS attack with other attack types such as ransomware, malware, and physical tampering.

Mitigating and Defending Against DDoS Attacks to IoT Devices

To mitigate cyber threats to IoT devices and defend against DDoS attacks, organizations should use a combination of best practices and technology, including:

  • Deploy CoAP security features. Whenever possible, implement the security features available through CoAP including DTLS.
  • Validate inventory. Discover all connected IoT devices and keep an accurate inventory.
  • Maintain good cyber hygiene. Adopt secure password practices and reset passwords frequently.
  • Apply segmentation. Apply network segmentation to limit the movement of traffic from IoT devices to other parts of the network.
  • Patch systems. Make sure all connected IoT devices are up to date with patches, including updating UDP and firmware.
  • Proactively monitor devices and traffic. Know your baseline traffic patterns and device behavior and continuously monitor for anomalies that could indicate an attack.
  • Use endpoint detection/protection technology. This technology secures devices at the network edge and protects against malware and ransomware. However, because IoT devices are resource-constrained, not all devices can run this software.
  • Use a DDoS protection platform. The most comprehensive way to mitigate DDoS attacks is with DDoS protection. The best solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
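
One way to apply the monitoring advice above to the amplification risk described earlier (an added example, not code from the original post): flag devices whose CoAP port sends far more bytes to a remote address than it received from it, which is what a device looks like when spoofed requests are using it as a reflector. The flow-record layout, thresholds, and sample records are assumptions constructed for illustration; UDP 5683 is CoAP’s default port.

```python
from collections import defaultdict

COAP_PORT = 5683            # default CoAP UDP port (RFC 7252)
MIN_RATIO = 5.0             # assumed alert threshold: bytes out / bytes in
MIN_RESPONSE_BYTES = 2000   # assumed floor so small exchanges are ignored

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40001, "10.0.5.20", 5683, "udp", 21),    # normal poll
    ("10.0.5.20", 5683, "198.51.100.7", 40001, "udp", 24),
    ("203.0.113.9", 53000, "10.0.5.31", 5683, "udp", 20),     # tiny requests,
    ("10.0.5.31", 5683, "203.0.113.9", 53000, "udp", 1000),   # large replies
    ("203.0.113.9", 53000, "10.0.5.31", 5683, "udp", 20),
    ("10.0.5.31", 5683, "203.0.113.9", 53000, "udp", 1000),
    ("203.0.113.9", 53000, "10.0.5.31", 5683, "udp", 20),
    ("10.0.5.31", 5683, "203.0.113.9", 53000, "udp", 1000),
    ("10.0.5.20", 44321, "192.0.2.80", 443, "tcp", 5000),     # not CoAP
]

def find_reflection_suspects(flows, min_ratio=MIN_RATIO,
                             min_bytes=MIN_RESPONSE_BYTES):
    """Return (device, remote) pairs whose CoAP replies dwarf the requests."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == COAP_PORT:          # request toward a CoAP device
            bytes_in[(dst, src)] += size
        elif sport == COAP_PORT:        # reply leaving a CoAP device
            bytes_out[(src, dst)] += size
    suspects = []
    for (device, remote), sent in bytes_out.items():
        received = bytes_in.get((device, remote), 0)
        ratio = sent / max(received, 1)   # replies with no request seen still score
        if sent >= min_bytes and ratio >= min_ratio:
            suspects.append({"device": device, "remote": remote,
                             "bytes_in": received, "bytes_out": sent,
                             "ratio": round(ratio, 1)})
    return sorted(suspects, key=lambda s: s["ratio"], reverse=True)
```

In a flagged pair the remote address is most likely the victim of the spoofing rather than the sender, so the useful response is to restrict or segment the device, not to block the remote address alone.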

Conclusion

Spurring growth opportunities in virtually every industry, the use of IoT devices will continue to expand and with that the use of CoAP in IoT devices. Although a relatively new protocol, the use of CoAP in IoT devices has been gathering momentum thanks to being lightweight and able to run on devices with scarce memory and computing resources. CoAP works on top of UDP, a lighter alternative to TCP. However, it shares some similarities with HTTP which facilitates developer adoption and compatibility with other systems and applications.

If your organization relies on IoT devices, you need to ensure you are protecting sensitive data and critical services from being disrupted by a DDoS attack and protect them from being recruited into a botnet. Whenever possible, implement the security features available through CoAP, including DTLS. Additionally, there are multiple best practices and technologies you can use to defend against DDoS attacks to your IoT devices, including validating IoT device inventory, maintaining good cyber hygiene, applying segmentation, patching systems, proactively monitoring devices and traffic, using endpoint detection/protection tools, and using a DDoS protection solution.

DDoS protection, coupled with intelligence to stay ahead of emerging threats, provides uninterrupted service availability even in the midst of a DDoS attack that targets CoAP in IoT devices. DDoS protection can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.
