EricssonResearch / coap-actuators


newer or more concrete information about actual attacks #16

Closed emanjon closed 1 year ago

emanjon commented 2 years ago

https://mailarchive.ietf.org/arch/msg/core/Bk6-WKWQC4kTrVnq4FDiivSYH5U/

emanjon commented 2 years ago

I found a report from Radware and added some text referencing that report

According to Radware {{DDoS-Report}}, CoAP was behind a significant part of DDoS attacks in Q4 2020 and Q1 2021, but not in Q2 and Q3 of 2021. https://www.radware.com/2021q3-ddos-report/

It seems unclear why the DDoS attacks using CoAP stopped and if they might start again.

boaks commented 2 years ago

FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins

CoAP

In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks.

"Abuse the multicast" simply makes me wonder. According to "Is multicast on the public internet possible? And if yes: How?", it seems to be hardly possible.

I would prefer to leave this issue open to collect more information over time.

boaks commented 2 years ago

CoAP Attacks In The Wild

Beginning in the middle of January 2019, we began to see DDoS attacks leveraging CoAP. The targets were geographically and logically well distributed, with little commonality between them. An average attack lasts just over 90 seconds with about 100 packets-per-second generated by the attacker.

Not sure, 90s with 100 packets/s ?

That's in my opinion either a typo or a hoax. A Raspberry Pi can process without any trouble up to 1000 msg/s. So it is hard to see the attack.

boaks commented 2 years ago

CoAP Attacks In The Wild

Comparing scans performed two weeks apart, only 20% of the addresses appear in both scans. Compared to SSDP which boasts a similar amplification factor, the transient nature of CoAP devices means attackers have to constantly scan for abusable addresses in order to be effective.

Using the current numbers of Shodan/coap (about 350.000) or Shadowserver/coap (about 340.000), and assuming that there are about 3702258944 public IP addresses, the hit-ratio is about 1:10000. So either an assumption to narrow the search range is required, or you need 10000 requests ahead to find a target for amplification.

So let me repeat again: In my opinion I would prefer, if there is more concrete data about that "amplification abuse". For me too many sources don't verify too well.

boaks commented 2 years ago

Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS Attack Mitigation Recommendations

Misconfigured D/TLS servers that do not implement the HelloClientVerify anti-spoofing mechanism can be abused to launch UDP reflection/amplification attacks with an amplification ratio of 37.34:1. The amplified attack traffic consists of both initial UDP fragmented packets sourced from UDP/443 and non-initial fragmented UDP packets, directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.

Approximately 4,283 abusable D/TLS servers have been identified to date.

A common ClientHello is about 150-200 bytes. That would result in a flight with 7K as answer from the server. I think most IoT use-cases will not use such "monster-certificate-chains". And for sure, use a HelloVerifyRequest. But anyway interesting.
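As an added illustration of the point above (not code from this thread or from the coap-actuators document), the following sketch models a DTLS 1.2 server with and without the HelloVerifyRequest cookie exchange and computes the resulting amplification ratio per spoofed ClientHello. The message sizes, the secret and the addresses are constructed for the example; the ~180-byte ClientHello and ~7K server flight follow the figures quoted in this comment.

```python
import hashlib
import hmac

# Constructed sizes: ClientHello as quoted above, a 7K certificate flight,
# and an assumed ~60-byte HelloVerifyRequest (record + handshake header + cookie).
CLIENT_HELLO_BYTES = 180
SERVER_FLIGHT_BYTES = 7 * 1024
HELLO_VERIFY_REQUEST_BYTES = 60


def make_cookie(secret: bytes, client_addr: tuple, client_random: bytes) -> bytes:
    """Stateless DTLS cookie: HMAC over the claimed source address and the
    ClientHello random, so the server keeps no state before the cookie echoes."""
    msg = f"{client_addr[0]}:{client_addr[1]}".encode() + client_random
    return hmac.new(secret, msg, hashlib.sha256).digest()[:32]


def handle_client_hello(secret, client_addr, client_random, cookie=b"", verify=True):
    """Return (message_kind, bytes_sent_to_claimed_source).
    With verify=True a ClientHello without a valid cookie only earns a small
    HelloVerifyRequest; the large flight is sent once the cookie comes back."""
    if verify:
        expected = make_cookie(secret, client_addr, client_random)
        if not hmac.compare_digest(cookie, expected):
            return ("HelloVerifyRequest", HELLO_VERIFY_REQUEST_BYTES)
    return ("ServerHello..ServerHelloDone", SERVER_FLIGHT_BYTES)


def amplification(bytes_out: int, bytes_in: int = CLIENT_HELLO_BYTES) -> float:
    """Reflection amplification ratio: bytes sent to the victim per byte the attacker sent."""
    return bytes_out / bytes_in


def simulate(verify: bool, secret: bytes = b"constructed-server-secret"):
    """One spoofed ClientHello whose source is the victim (documentation address).
    The attacker never sees the HelloVerifyRequest, so it cannot echo the cookie."""
    victim = ("192.0.2.10", 5684)
    client_random = bytes(32)
    kind, sent = handle_client_hello(secret, victim, client_random, verify=verify)
    return kind, amplification(sent)


if __name__ == "__main__":
    for verify in (False, True):
        print(verify, simulate(verify))
```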

boaks commented 2 years ago

DDoS Attack Vectors Live or Die

To perform this research, we use a high-powered scanner as part of a research initiative to ferret out vulnerable devices, protocols, and applications. Scans conducted on December 31st, 2019 revealed the following:

~616k - Devices vulnerable to abuse for COAP Version 1
~689k - Devices vulnerable to abuse for COAP Version 2
~166k - Devices vulnerable to abuse for Ubiquiti Discovery Protocol

These numbers might seem negligible compared to the sheer number of IoT and other devices available on the internet. However, further analysis revealed that attackers utilize an even smaller percentage of the available devices for attacks:

The largest attack we observed for COAP Version 1 used ~2,800 (0.46%) of the available 616k+ devices
The largest attack we observed for COAP Version 2 used ~2,900 (0.42%) of the available 689k+ devices
    The largest attack we observed in ATLAS was 148.93 Gbps for both COAP versions in the second half of 2019.*
The largest attack we observed for Ubiquiti used 24.57% of available devices
    The largest attack we observed in ATLAS was 348.91 Gbps in the second half of 2019.*

Really interesting numbers. (I'm not sure, what coap version 1 and 2 means.) 148 Gbps / 5,700 = 25Mbps per device.

I guess I'll try to write an e-mail at the weekend and see if I can get some clarification/answers.

boaks commented 2 years ago

I found a web cast with more explanations about DDoS Attack Vectors Live or Die:

www.brighttalk.com/webcast

There: "NETSCOUT Threat Intelligence Report 2H 2019".

The webcast declares for the COAP Version 1 an amplification of 34:1 and for version 2 of 6.5:1. That makes me believe that version 1 and 2 are not the versions of the protocol (with the 2 unknown); they are the versions (or better variants) of that attack request.

(I also wrote an e-mail, but I think that's 2 years too late ;-) ).

boaks commented 2 years ago

TP240PhoneHome Reflection/Amplification DDoS Attack Vector

The average packet size for that attack was approximately 60 bytes

exposed system test facility can be abused

One outcome of that attack may be that a server using RFC7641 may also use SAV (Source Address Validation, e.g. echo-tag) in order to provide protection against such kinds of DoS attacks.

boaks commented 2 years ago

NetScout - DDoS Threat Landscape - Russia

The "Attack Duration Analysis" indicates that about 70% of the attacks take no longer than 10 minutes.

The "DDoS Attack Vector Analysis" doesn't list CoAP at all.

boaks commented 2 years ago

Bad Actors Innovate, Extort, and Launch 9.7 Million DDoS Attacks

Direct-path attacks are gaining in popularity. Adversaries inundated organizations with TCP- and UDP-based floods, otherwise known as direct-path or nonspoofed attacks.

FMPOV, just preventing outgoing amplification is not enough. It's also important to get effective protection for incoming malicious traffic, as DTLS 1.2 based firewall

boaks commented 2 years ago

Using ML/AI for Better Network and DDoS Security Insights (April 6, 2022)

Traditional DDoS getting less important, misused botnets are increasing.

emanjon commented 2 years ago

Good discussion. Anything that should be added to the document?

boaks commented 2 years ago

Anything that should be added to the document?

Sure, don't "paint it black".

Remove the most indirect and not proven information, or at least mark it accordingly.

Take the statement:

"CoAP amplification attacks made a comeback in 2020 and CoAP was behind a significant part of global DDoS attacks in Q4 2020 and Q1 2021, but not at all in Q2 and Q3 of 2021 {{DDoS-2021}}."

and above

I found a report from Radware and added some text referencing that report

According to Radware {{DDoS-Report}}, CoAP was behind a significant part of DDoS attacks in Q4 2020 and Q1 2021, but not in Q2 and Q3 of 2021. https://www.radware.com/2021q3-ddos-report/

If I read that "1108_DDos_1108_rev_enUS.pdf" (), coap is only found on two pages, 11 and 12.

Page 11: "coap 0,154%" in figure 21, Top amplification volumes (normalized) in Q3 of 2021.

Page 12: figure 22 associates the color #98d4ec with coap, unfortunately also with memcached. Nobody knows now how to interpret figure 22. If colors are reused, I would interpret them in the order they are listed. In 20Q4 #98d4ec is below the yellow, pointing to memcached, not coap. In 21Q1 #98d4ec is below the green, also pointing to memcached, not coap.

Where do you see "coap" mentioned in that report? Did you check with Radware if they really identified coap? Not that this is just a misinterpretation of the color and it's memcached.

For me, this shows that the facts are too weak. There is no evidence that coap amplification attacks play that role.

The same applies for the

"In 2020, the FBI cyber division mentioned CoAP in a public notification warning that cyber actors are increasingly likely to abuse network protocols for DDoS attacks {{DDoS-FBI}}."

From that document:

"In December 2018, cyber actors started abusing the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, resulting in an amplification factor of 34, according to open source reporting. As of January 2019, the vast majority of Internet-accessible CoAP devices were located in China and used mobile peer-to-peer networks."

"2018, factor 34", so this is not new, it's an "echo" of the {{DDoS-ZDNET}}. Why the FBI added the "multicast" is unclear. Maybe someone just put together some terms in order to make it look more "dangerous".

All together: Please don't collect information, which is hard to verify. Try to verify that as best as possible.

emanjon commented 1 year ago

Yes, let's remove this section. The information is very vague and confusing.

emanjon commented 1 year ago

Seems to be agreement to remove the text.