Hmm. Spent a chunk of today working out that a client's CoAP server was being used as an amplification service as part of a DDoS network 😞
The server wasn't (AFAICT) compromised, just being used to turn ~60 byte attack packets into ~540 byte attack packets, as well as presumably spreading out the attacking traffic's route through the Internet.
https://www.ietf.org/archive/id/draft-mattsson-t2trg-amplification-attacks-01.html goes into more depth, if anyone wants further background.
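
One way to spot this pattern from the server side, as an added example that is not part of the original post: total the request and response bytes per claimed client address and flag the addresses that receive far more than they appear to send. The flow-record tuple layout, the thresholds and every address below are constructed assumptions; only the ~60 and ~540 byte sizes come from the post.

```python
from collections import defaultdict

COAP_PORT = 5683           # default CoAP UDP port (RFC 7252)
SERVER = "203.0.113.10"    # constructed server address (documentation range)

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
SAMPLE_FLOWS = (
    # Spoofed source: many ~60 byte requests, each answered with ~540 bytes
    [("198.51.100.7", 40000, SERVER, COAP_PORT, 60)] * 40
    + [(SERVER, COAP_PORT, "198.51.100.7", 40000, 540)] * 40
    # Busy but ordinary client: responses about the same size as requests
    + [("192.0.2.20", 51000, SERVER, COAP_PORT, 58)] * 30
    + [(SERVER, COAP_PORT, "192.0.2.20", 51000, 70)] * 30
    # One-off large response: high ratio, but negligible volume
    + [("192.0.2.30", 52000, SERVER, COAP_PORT, 60),
       (SERVER, COAP_PORT, "192.0.2.30", 52000, 540)]
)

def amplification_by_client(flows, server_ip, port=COAP_PORT):
    """Total request and response bytes per claimed client address."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for src, sport, dst, dport, size in flows:
        if dst == server_ip and dport == port:      # request to the server
            stats[src]["requests"] += 1
            stats[src]["bytes_in"] += size
        elif src == server_ip and sport == port:    # response from the server
            stats[dst]["bytes_out"] += size
    return dict(stats)

def suspected_reflection_targets(flows, server_ip, min_requests=20, min_factor=5.0):
    """Return {client_ip: amplification factor} for sustained high-ratio traffic.

    With spoofed requests, the "client" is the address receiving the flood.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    flagged = {}
    for client, s in amplification_by_client(flows, server_ip).items():
        if s["requests"] < min_requests or s["bytes_in"] == 0:
            continue  # too little traffic to judge, or responses only
        factor = s["bytes_out"] / s["bytes_in"]
        if factor >= min_factor:
            flagged[client] = round(factor, 1)
    return flagged

if __name__ == "__main__":
    print(suspected_reflection_targets(SAMPLE_FLOWS, SERVER))
```

Requiring both a high byte ratio and a minimum request count keeps a single large legitimate response from being flagged.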