]> Ericsson AB

SE-164 80 Stockholm Sweden john.mattsson@ericsson.com

Ericsson AB

SE-164 80 Stockholm Sweden goran.selander@ericsson.com

Energy Harvesting Solutions

c.amsuess@energyharvesting.at

IRTF Thing-to-Thing next generation unicorn sparkling distributed ledger Protecting Internet of Things (IoT) devices against attacks is not enough. IoT deployments need to make sure that they are not used for Distributed Denial-of-Service (DDoS) attacks. DDoS attacks are typically done with compromised devices or with amplification attacks using a spoofed source address. This document gives examples of different theoretical amplification attacks using the Constrained Application Protocol (CoAP). The goal with this document is to raise awareness and to motivate generic and protocol-specific recommendations on the usage of CoAP. Some of the discussed attacks can be mitigated by not using NoSec or by using the Echo option. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Thing-to-Thing Research Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction One important protocol used to interact with Internet of Things (IoT) sensors and actuators is the Constrained Application Protocol (CoAP) . CoAP can be used without security in the so called NoSec mode but any Internet-of-Things (IoT) deployment valuing security and privacy would use a security protocol such as DTLS , TLS , or OSCORE to protect CoAP, where the choice of security protocol depends on the transport protocol and the presence of intermediaries. The use of CoAP over UDP and DTLS is specified in and the use of CoAP over TCP and TLS is specified in . OSCORE protects CoAP end-to-end with the use of COSE and the CoAP Object-Security option and can therefore be used over any transport. Group OSCORE can be used to protect CoAP Group Communication . Protecting Internet of Things (IoT) devices against attacks is not enough. IoT deployments need to make sure that they are not used for Distributed Denial-of-Service (DDoS) attacks. DDoS attacks are typically done with compromised devices or with amplification attacks using a spoofed source address. DDoS attacks is a huge and growing problem for services and critical infrastructure and mitigations are costly. The document gives examples of different theoretical amplification attacks using CoAP. When transported over UDP, the CoAP NoSec mode is susceptible to source IP address spoofing and as a single request can result in multiple responses from multiple servers, CoAP can have very large amplification factors. The goal with this document is to raise awareness and understanding of amplification attacks and to motivate mitigations suitable for constrained devices and networks. The intent is not to suggest that CoAP is more vulnerable to amplification attacks than other protocols. Some of the discussed attacks can be mitigated by not using NoSec or by using the Echo option .

Amplification Attacks using CoAP In a Denial-of-Service (DoS) attack, an attacker sends a large number of requests or responses to a target endpoint. The denial-of-service might be caused by the target endpoint receiving a large amount of data, sending a large amount of data, doing heavy processing, or using too much memory, etc. In a Distributed Denial-of-Service (DDoS) attack, the request or responses come from a large number of sources. In an amplification attack, the amplification factor is the ratio between the total size of the data sent to the target and the total size of the data received from the attacker. Note that in the presence of intermediaries, the size of the data received by the target might be different than the size of the data sent to the target and the size of the data received from the attacker might be different than the size of the data sent from the attacker. In the attacks described in this section, the attacker sends one or more requests, and the target receives one or more responses. By spoofing the source IP address of the targeted victim and requesting as much information as possible from several servers an attacker can multiply the amount of traffic and create a distributed denial-of-service attack on the target. When transported over UDP, the CoAP NoSec mode is susceptible to source IP address spoofing. The amplification factor and the bandwidth depend on the layer in the protocol stack that is used for the calculation. The amplification factor and bandwidth can e.g., be calculated using whole IP packets, UPD payloads, or CoAP payloads. The bandwidth decreases and the amplification factor typically increases higher up in the protocol stack. The bandwidth should be calculated using the layer that is considered to be under attack. The following sections give examples of different theoretical amplification attacks using CoAP.

Simple Amplification Attacks An amplification attack using a single response is illustrated in . If the response is c times larger than the request, the amplification factor is c.

Amplification attack using a single response | Code: 0.01 (GET) | | GET | Uri-Path: random quote | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Payload: "just because you own half the county | | | doesn't mean that you have the power | | | to run the rest of us. For twenty- | | | three years, I've been dying to tell | | | you what I thought of you! And now... | | | well, being a Christian woman, I can't | | | say it!" ]]>

An attacker can increase the bandwidth by sending several GET requests. If the server supports PUT/POST and doesn't limit the payload size, an attacker may be able to increase the amplification factor by creating or updating a resource. By creating new resources, an attacker may also increase the size of /.well-known/core. An amplification attack where the attacker influences the amplification factor is illustrated in .

Amplification attack using several requests and a chosen amplification factor | Code: 0.02 (POST) | | POST | Uri-Path: member | | | Payload: hampsterdance.hevc | | | .... .... | | | | +----->| Code: 0.02 (GET) | | GET | Uri-Path: member | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Payload: hampsterdance.hevc | | | | +----->| Code: 0.02 (GET) | | GET | Uri-Path: member | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Payload: hampsterdance.hevc .... .... ]]>

Amplification Attacks using Observe Amplification factors can be significantly worse when combined with observe . As a single request can result in multiple responses from the server, the amplification factors can be very large. An amplification attack using observe is illustrated in . If each notification response is c times larger than the registration request and each request results in n notifications, the amplification factor is c n.

Amplification attack using observe | Code: 0.01 (GET) | | GET | Token: 0x83 | | | Observe: 0 | | | Uri-Path: ozone | | | .... .... | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x83 | | | Observe: 80085 | | | Payload: "21.4 ppbv" | | | .... .... | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x84 | | | Observe: 80086 | | | Payload: "21.5 ppbv" .... .... ]]>

A more advanced amplification attack using observe is illustrated in . By registering the same client several times using different Tokens or port numbers, the bandwidth can be increased. By updating the observed resource, the attacker may trigger notifications and increase the size of the notifications. If the server supports the pmax conditional attribute an attacker may increase the frequency of notifications and therefore the amplification factor. The maximum period attribute pmax indicates the maximum time, in seconds, between two consecutive notifications (whether or not the resource state has changed). Servers should put limits on the pmax values they accept. If it is predictable when notifications are sent as confirmable and which Message ID are used the acknowledgements may be spoofed.

Amplification attack using observe, registering the same client several times, and requesting notifications at least 10 times every second | Code: 0.01 (GET) | | GET | Token: 0x83 | | | Observe: 0 | | | Uri-Path: temperature | | | Uri-Query: pmax="0.1" | | | | +----->| Code: 0.01 (GET) | | GET | Token: 0x84 | | | Observe: 0 | | | Uri-Path: temperature | | | Uri-Query: pmax="0.1" | | | .... .... | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x83 | | | Observe: 217362 | | | Payload: "299.7 K" | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x84 | | | Observe: 217362 | | | Payload: "299.7 K" | | | .... .... | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x83 | | | Observe: 217363 | | | Payload: "299.7 K" | | | |<------------+ Code: 2.05 (Content) | | 2.05 | Token: 0x84 | | | Observe: 217363 | | | Payload: "299.7 K" .... .... ]]>

Amplification Attacks using Group Requests Amplification factors can be significantly worse when combined with observe . As a single request can result in responses from multiple servers, the amplification factors can be very large. As the group request is sent over multicast or broadcast the request has to be sent by a node on the local network. An attacker on a local network (e.g., a compromised node) might use local CoAP servers to attack targets on the Internet or on the local network. The servers might also be accessible through a gateway (GW) that transforms unicast requests into multicast request. In such architectures, amplification attacks using group requests might be possible to launch from the Internet. An amplification attack using a group request is illustrated in . A single unicast request results is transformed into a multicast group request by the gateway and results in m responses from m different servers. If each response is c times larger than the request, the amplification factor is c m. Note that the servers usually do not know the variable m.

Amplification attack using multicast | | Code: 0.01 (GET) | | | '----->| Token: 0x69 | | | GET | | Uri-Path: | | | | | |<-------------------+ | Code: 2.05 (Content) | | | 2.05 | | Token: 0x69 | | | | | Payload: { 1721 : { ... | | | | | |<----------------------+ Code: 2.05 (Content) | | | 2.05 | | Token: 0x69 | | | | | Payload: { 1721 : { ... | | | | | .... .... ]]>

Even higher amplification factors can be achieved when combining group requests and observe . In this case a single request can result in multiple responses from multiple servers. An amplification attack using a multicast request and observe is illustrated in . In this case a single request results in n responses each from m different servers giving a total of n m responses. If each response is c times larger than the request, the amplification factor is c n m.

Amplification attack using multicast and observe | | Code: 0.01 (GET) | | | '----->| Token: 0x44 | | | GET | | Uri-Path: temperature | | | | | |<-------------------+ | Code: 2.05 (Content) | | | 2.05 | | Token: 0x44 | | | | | Observe: 217 | | | | | Payload: "301.2 K" | | | | | |<----------------------+ Code: 2.05 (Content) | | | 2.05 | | Token: 0x44 | | | | | Observe: 363 | | | | | Payload: "293.4 K" | | | | | | .... .... | | | | | |<-------------------+ | Code: 2.05 (Content) | | | 2.05 | | Token: 0x44 | | | | | Observe: 218 | | | | | Payload: "301.3 K" | | | | | |<----------------------+ Code: 2.05 (Content) | | | 2.05 | | Token: 0x44 | | | | | Observe: 364 | | | | | Payload: "293.3 K" | | | | | .... .... ]]>

An attacker can use the same techniques as in to increase the number of notifications.

MITM Amplification Attacks TLS and DTLS without Connection ID validate the IP address and port of the other peer, binds them to the connection, and do not allow them to change. DTLS with Connection ID allows the IP address and port to change at any time. As the source address is not protected, an MITM attacker can change the address. Note that an MITM attacker is a more capable attacker then an attacker just spoofing the source address. It can be discussed if and how much such an attack is reasonable for DDoS, but DTLS 1.3 states that "This attack is of concern when there is a large asymmetry of request/response message sizes." . DTLS 1.2 with Connection ID requires that "the receiver MUST NOT replace the address" unless “there is a strategy for ensuring that the new peer address is able to receive and process DTLS records” but does not give more details than that. It seems like the receiver can start using the new peer address and test that it is able to receive and process DTLS records at some later point. DTLS 1.3 with Connection ID requires that "implementations MUST NOT update the address" unless “they first perform some reachability test” but does not give more details than that. OSCORE does not discuss address updates, but it can be assumed that most servers send responses to the address it received the request from without any reachability test. A difference between (D)TLS and OSCORE is that in DTLS the updated address is used for all future records, while in OSCORE a new address is only used for responses to a specific request. An MITM amplification attack updating the client's source address in an observe registration is illustrated in . This attack is possible in OSCORE and DTLS with Connection ID. The server will send notifications to the Victim until it at some unspecified point requires an acknowledgement . In DTLS 1.2 the reachability test might be done at a later point. In OSCORE a reachability test is likely not done.

MITM Amplification attack by updating the client's source address in a observe registration request S----->| Code: 0.01 (GET) | GET | | | Observe: 0 | | | | Uri-Path: humidity | | | | |<------------D <----+ Reachability test (DTLS) +-----------> S----->| | | | | .... .... .... | | | | | |<------------+ Code: 2.05 (Content) | | | 2.05 | Observe: 263712 | | | | Payload: "68 %" | | | | | |<------------+ Code: 2.05 (Content) | | | 2.05 | Observe: 263713 | | | | Payload: "69 %" .... .... .... ]]>

Where 'S' means the MITM attacker is changing the source address of the message and 'D' means the MITM attacker is changing the destination address of the message. An MITM amplification attack updating the server's source address is illustrated in . This attack is possible in DTLS with Connection ID. In DTLS 1.2 the reachability test might be done at a later point.

MITM Amplification attack by updating the server's source address in a response | Code: 0.01 (POST) | POST | | | Uri-Path: video | | | | |<-----S <-----------| Code: 2.01 (Created) | | | 2.01 | | | | | +----> D------------>| Reachability test (DTLS) |<-----S <-----------+ | | | | .... .... .... | | | | +------------>| | Code: 0.01 (POST) | POST | | | Uri-Path: video | | | | Payload: surveillance_1139.hevc | | | | +------------>| | Code: 0.01 (POST) | POST | | | Uri-Path: video | | | | Payload: surveillance_1140.hevc .... .... .... ]]>

Summary CoAP has always considered amplification attacks, but most of the requirements in , , , and are "SHOULD" instead of "MUST", it is undefined what a "large amplification factor" is, does not specify how many notifications that can be sent before a potentially spoofable acknowledgement must be sent, and in several cases the "SHOULD" level is further softened by “If possible" and "generally". does not have any amplification attack considerations. QUIC mandates that ”an endpoint MUST limit the amount of data it sends to the unvalidated address to three times the amount of data received from that address” without any exceptions. This approach should be seen as current best practice for non-constrained devices. While it is clear when a QUIC implementation violates the requirement in , it is not clear when a CoAP implementation violates the requirement in , , , and . In CoAP, an address can be validated with a security protocol or by using the Echo Option . Restricting the bandwidth per server is not enough as the number of servers the attacker can use is typically unknown. For multicast requests, anti-amplification limits and the Echo Option do not really work unless the number of servers sending responses is known. Even if the responses have the same size as the request, the amplification factor from m servers is m, where m is typically unknown. While DoS attacks from CoAP servers accessible over the Internet pose the largest threat, an attacker on a local network (e.g., a compromised node) might use local CoAP servers to attack targets on the Internet or on the local network.

Security Considerations The whole document can be seen as security considerations for CoAP.

IANA Considerations This document has no actions for IANA.

Informative References The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. The Constrained Application Protocol (CoAP) is a RESTful application protocol for constrained nodes and networks. The state of a resource on a CoAP server can change over time. This document specifies a simple protocol extension for CoAP that enables CoAP clients to "observe" resources, i.e., to retrieve a representation of a resource and keep this representation updated by the server over a period of time. The protocol follows a best-effort approach for sending new representations to clients and provides eventual consistency between the state observed by each client and the actual resource state at the server. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need for the ability to have basic security services defined for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. The Constrained Application Protocol (CoAP), although inspired by HTTP, was designed to use UDP instead of TCP. The message layer of CoAP over UDP includes support for reliable delivery, simple congestion control, and flow control. Some environments benefit from the availability of CoAP carried over reliable transports such as TCP or Transport Layer Security (TLS). This document outlines the changes required to use CoAP over TCP, TLS, and WebSockets transports. It also formally updates RFC 7641 for use with these transports and RFC 7959 to enable the use of larger messages over a reliable transport. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. This document specifies the Connection ID (CID) construct for the Datagram Transport Layer Security (DTLS) protocol version 1.2. A CID is an identifier carried in the record layer header that gives the recipient additional information for selecting the appropriate security association. In "classical" DTLS, selecting a security association of an incoming DTLS record is accomplished with the help of the 5-tuple. If the source IP address and/or source port changes during the lifetime of an ongoing DTLS session, then the receiver will be unable to locate the correct security context. The new ciphertext record format with the CID also provides content type encryption and record layer padding. This document updates RFC 6347. This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. This document specifies enhancements to the Constrained Application Protocol (CoAP) that mitigate security issues in particular use cases. The Echo option enables a CoAP server to verify the freshness of a request or to force a client to demonstrate reachability at its claimed network address. The Request-Tag option allows the CoAP server to match block-wise message fragments belonging to the same request. This document updates RFC 7252 with respect to the following: processing requirements for client Tokens, forbidding non-secure reuse of Tokens to ensure response-to-request binding when CoAP is used with a security protocol, and amplification mitigation (where the use of the Echo option is now recommended). Tampere University Dogtiger Labs Qualcomm Technologies This specification defines Conditional Notification and Control Attributes that work with CoAP Observe (RFC7641). Editor note The git repository for the draft is found at https://github.com/core- wg/conditional-attributes/ IoTconsultancy.nl InterDigital RISE AB This document specifies the use of the Constrained Application Protocol (CoAP) for group communication, including the use of UDP/IP multicast as the default underlying data transport. Both unsecured and secured CoAP group communication are specified. Security is achieved by use of the Group Object Security for Constrained RESTful Environments (Group OSCORE) protocol. The target application area of this specification is any group communication use cases that involve resource-constrained devices or networks that support CoAP. This document replaces and obsoletes RFC 7390, while it updates RFC 7252 and RFC 7641. RISE AB Ericsson AB Ericsson AB Ericsson AB RISE AB This document defines the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE), providing end-to-end security of CoAP messages exchanged between members of a group, e.g., sent over IP multicast. In particular, the described protocol defines how OSCORE is used in a group communication setting to provide source authentication for CoAP group requests, sent by a client to multiple servers, and for protection of the corresponding CoAP responses. Group OSCORE also defines a pairwise mode where each member of the group can efficiently derive a symmetric pairwise key with any other member of the group for pairwise OSCORE communication. Group OSCORE can be used between endpoints communicating with CoAP or CoAP-mappable HTTP.

Acknowledgements The authors would like to thank , , , , , , , , and for their valuable comments and feedback.