EricssonResearch / coap-actuators

Amplification Attacks using Observe #21

Closed boaks closed 1 year ago

boaks commented 2 years ago

Amplification factors can be significantly worse when combined with observe {{RFC7641}} and group requests {{I-D.ietf-core-groupcomm-bis}}. As a single request can result in multiple responses from multiple servers, the amplification factors can be very large.

I would prefer to first list the single observe attack and then extend that with "multicast". Not all believe that "multicast" is a good attack vector. It may be applied in a "local network", but spoofed external source addresses will not work too easily, if at all.

boaks commented 2 years ago

requesting notifications at least 10 times every second

AFAIK, the notifications are sent when the resource is changing. So the attacker has no control of the notification interval.

"requesting notifications maybe 10 times every second"
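
A rough server-side model of the exposure discussed in this thread, as an added example that is not part of the issue or the draft: the notification rate comes from the resource, and the server's confirmable-notification policy bounds how much is sent to an address that never answers. The message sizes, the rate and the `con_every_n` policy knob are constructed assumptions; the 24-hour confirmable rule is from RFC 7641 and `MAX_RETRANSMIT` from RFC 7252.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RETRANSMIT = 4          # RFC 7252 default: a CON is transmitted up to 1 + 4 times
CON_INTERVAL_S = 24 * 3600  # RFC 7641: at least one confirmable notification per 24 h


@dataclass
class Observation:
    request_bytes: int         # one GET with the Observe option (constructed size)
    notification_bytes: int    # each notification (constructed size)
    changes_per_second: float  # set by the resource, not by the requester


def non_before_con(obs: Observation, con_every_n: Optional[int]) -> int:
    """Non-confirmable notifications sent before the first confirmable one.
    con_every_n=None models a server relying only on the 24 h rule;
    con_every_n=N is an assumed policy making every N-th notification CON."""
    by_time = int(round(obs.changes_per_second * CON_INTERVAL_S))
    if con_every_n is None:
        return by_time
    return min(con_every_n - 1, by_time)


def exposure_seconds(obs: Observation, con_every_n: Optional[int]) -> float:
    """Time until the server first asks the observer for an acknowledgement."""
    return non_before_con(obs, con_every_n) / obs.changes_per_second


def amplification(obs: Observation, con_every_n: Optional[int] = None,
                  observer_resets: bool = False) -> float:
    """Bytes sent to the observer address per request byte (simplified bound).
    observer_resets=True assumes a Reset reaches the server before the second
    notification, so only the first one is sent. Otherwise the address stays
    silent and the observation ends when the CON exhausts its retransmissions."""
    if observer_resets:
        return obs.notification_bytes / obs.request_bytes
    messages = non_before_con(obs, con_every_n) + 1 + MAX_RETRANSMIT
    return messages * obs.notification_bytes / obs.request_bytes


if __name__ == "__main__":
    fast = Observation(20, 60, 10.0)  # resource changing 10 times per second
    for policy in (None, 100, 10):
        print(policy, exposure_seconds(fast, policy), amplification(fast, policy))
    print("observer resets:", amplification(fast, observer_resets=True))
```

With these numbers the resource's change rate decides how quickly the bound is reached, while the confirmable policy decides the bound itself.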

emanjon commented 1 year ago

Please continue discussion at https://github.com/t2trg/t2trg-amplification-attacks/issues/3

(Due to lack of owner rights I could not transfer this repository and instead had to make a new one; I will manually create new issues there for any open issues.)