Hmm. Spent a chunk of today working out that a client's CoAP server was being used as an amplification service as part of a DDoS network.
The server wasn't (AFAICT) compromised, just being used to turn ~60 byte attack packets into ~540 byte attack packets, as well as presumably spreading out the attacking traffic's route through the Internet.
https://www.ietf.org/archive/id/draft-mattsson-t2trg-amplification-attacks-01.html goes into more depth, if anyone wants further background.
@amcewen We're still curious about attack scenarios that interact with this draft. Was this a Simple Amplification Attack or was anything more fancy involved? Would the system also have been flagged as a DDoS amplification vector if it had adhered to the RFC9175 2.4 item 3 numbers and sent (depending on what your 60/540 bytes include) 136 bytes plus UDP/IP headers?
@chrysn Ah, thanks for getting in touch! Wasn't sure who/where to report this more widely.
It was a simple attack, and the 60/546 includes the IP packet and ethernet frame. It was a repeated GET request for '/', plus a 5 byte random trailer in the UDP payload.
I've got a wireshark dump of a bunch of traffic, if that's useful?
I'll have a read of RFC9175 now.
@chrysn Now I've read RFC9175 (got sidelined the other day, and we'd mitigated the attack by then), it would have been flagged as DDoS amplification.
I've also raised it with Thingsboard, to hopefully get it plugged/improved upstream.
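As an added worked example (not code from this thread, from Thingsboard, or from the RFC), the following Python does the byte accounting the two posters are going back and forth about: it encodes a minimal CoAP GET the way an attacker would send it, converts observed Ethernet frame sizes back to UDP payload sizes, and computes the amplification factor both ways, because whether a server "counts" as an amplifier depends on which bytes you include. The 3x budget for responses to an unverified source is my reading of RFC 9175 section 2.4 and is labelled as an assumption in the code; the 14/20/40/8 byte header sizes are plain Ethernet/IPv4/IPv6/UDP with no options, and the 60/546 byte figures are the ones quoted in the thread.

```python
"""Amplification accounting for CoAP request/response traffic.

Added example, not code from the thread or from Thingsboard. Header sizes
assume untagged Ethernet, IPv4/IPv6 without options, and plain UDP.
"""
import struct

ETH_HDR, IPV4_HDR, IPV6_HDR, UDP_HDR = 14, 20, 40, 8


def coap_get(path=(), msg_id=0x1234, token=b"", trailer=b""):
    """Encode a CoAP CON GET (RFC 7252 section 3). Uri-Path is option 11.

    `trailer` is appended raw after the options, like the random trailer
    mentioned in the thread. It is not a CoAP payload (no 0xFF marker).
    """
    if len(token) > 8:
        raise ValueError("token length limit is 8")
    # byte 0: ver=1 (bits 7-6), type=0 CON (bits 5-4), TKL (bits 3-0)
    # byte 1: code 0.01 = GET; bytes 2-3: message ID
    msg = struct.pack("!BBH", 0x40 | len(token), 0x01, msg_id) + token
    prev = 0
    for seg in path:
        seg = seg.encode()
        delta, prev = 11 - prev, 11        # first segment: delta 11, then 0
        ln = len(seg)
        if ln < 13:
            msg += bytes([(delta << 4) | ln])
        elif ln < 269:
            msg += bytes([(delta << 4) | 13, ln - 13])   # extended length byte
        else:
            raise ValueError("segment too long for this example")
        msg += seg
    return msg + trailer


def wire_size(payload_len, ipv6=False):
    """Bytes on the wire for one UDP datagram carrying `payload_len` bytes."""
    return ETH_HDR + (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR + payload_len


def payload_sizes_from_frames(req_frame, resp_frame, ipv6=False):
    """Turn frame sizes as shown in a Wireshark dump back into UDP payload sizes."""
    hdr = ETH_HDR + (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR
    return req_frame - hdr, resp_frame - hdr


def amplification(req_payload_len, resp_payload_lens, ipv6=False):
    """Return (payload_factor, wire_factor) for one request and its response(s).

    The payload factor is what the server itself controls; the wire factor is
    what the victim's link actually sees, and it is always smaller because the
    fixed headers are added to both sides of the ratio.
    """
    payload_factor = sum(resp_payload_lens) / req_payload_len
    wire_factor = (sum(wire_size(n, ipv6) for n in resp_payload_lens)
                   / wire_size(req_payload_len, ipv6))
    return payload_factor, wire_factor


def unverified_response_budget(req_payload_len, factor=3):
    """ASSUMPTION: RFC 9175 section 2.4 is read here as capping what a server
    sends to an unverified source at about `factor` times the request size;
    a server wanting to send more first verifies the source with Echo."""
    return factor * req_payload_len


def would_be_flagged(req_payload_len, resp_payload_lens, factor=3):
    """True if the response(s) exceed the unverified-source budget above."""
    return sum(resp_payload_lens) > unverified_response_budget(req_payload_len, factor)


def thread_numbers():
    """The 60 -> 546 byte frames quoted in the thread, IPv4 over Ethernet."""
    req, resp = payload_sizes_from_frames(60, 546)
    pf, wf = amplification(req, [resp])
    return {"req_payload": req, "resp_payload": resp,
            "payload_factor": pf, "wire_factor": wf,
            "flagged": would_be_flagged(req, [resp])}


if __name__ == "__main__":
    print("GET /:", coap_get().hex())
    print("GET /api/v1:", coap_get(("api", "v1"), token=b"\x01").hex())
    print(thread_numbers())
```

Running `thread_numbers()` on the thread's figures gives an 18 byte request payload and a 504 byte response payload: roughly 9x on the wire but 28x at the CoAP layer, which is why the "what do your 60/540 bytes include" question matters when comparing against a per-request byte budget.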