Connect with us

Hi, what are you looking for?


Network Security

Attackers Use CoAP for DDoS Amplification

Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns. 

Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns. 

CoAP is a simple UDP protocol designed for low-power computers on unreliable networks that appears similar to HTTP, but which operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

A DDoS attack leveraging CoAP begins with scans for devices that can be abused, and continues with a flood of packets spoofed with the source address of their target. At the moment, the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.

According to NETSCOUT’s security researchers, the scanning for the CoAP protocol has been constant, with almost all GET requests for “/.well-known/core”. In January 2019, however, the researchers noticed a spike in the number of DDoS attacks leveraging the protocol. 

The average amplification factor for CoAP is 34 and the vast majority of Internet-accessible CoAP devices reside in China and utilize a mobile peer-to-peer network, the researchers reveal. With CoAP devices transient by nature and their addresses changing within weeks, attackers need to continually rescan to find IPs to abuse. 

Learn about DDoS Attacks

Even so, it is possible for a threat actor to build a list of IPs that respond to CoAP, and then abuse these devices to continually send a flood of packets with a spoofed source address of the intended target, NETSCOUT says. 

The DDoS attacks leveraging CoAP hit targets “geographically and logically well distributed, with little commonality between them.” The attacks last on average just over 90 seconds and feature around 100 packets per second.

The security researchers found 388,344 CoAP devices on the Internet, with 81% of them located in China, but also some discovered in Brazil, Morocco, South Korea, and the United States. Most of the devices in China responded to /.well-known/core with a QLC Chain response (a peer-to-peer network). 

Advertisement. Scroll to continue reading.

Given that the IP address of CoAP devices will change often, the vast majority of devices would have a different IP address within two weeks. This means that CoAP is less efficient in organizing DDoS attacks compared to SSDP, which boasts a similar amplification factor (but devices don’t move on the network as often). 

Although there are around 12 times as many SSDP devices accessible on the Internet compared to CoAP, attackers still decided to add the CoAP reflection/amplification DDoS vector to their arsenal, meaning that the protocol is likely to continue being abused in attacks. 

“With the vast majority of CoAP devices being located in China and running QLC Chain, it appears that the currently-abusable CoAP reflectors/amplifiers are part of a limited-scope software monoculture that will likely change as CoAP grows in popularity. The initial wave of attacks utilizes well known behavior of the protocol but there are other features, perhaps not as widely implemented, that could make CoAP even more effective,” NETSCOUT concludes. 

Related: Authorities Track Down Users of DDoS Services

Related: U.S. Authorities Take Down 15 DDoS-for-Hire Websites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.