Adrian McEwen @amcewen@mastodon.me.uk
Hmm. Spent a chunk of today working out that a client's CoAP server was being used as an amplification service as part of a DDoS network 
The server wasn't (AFAICT) compromised, just being used to turn ~60 byte attack packets into ~540 byte attack packets, as well as presumably spreading out the attacking traffic's route through the Internet.
https://www.ietf.org/archive/id/draft-mattsson-t2trg-amplification-attacks-01.html goes into more depth, if anyone wants further background.
www.ietf.orgAmplification Attacks Using the Constrained Application Protocol (CoAP)
Protecting Internet of Things (IoT) devices against attacks is not enough.
IoT deployments need to make sure that they are not used for
Distributed Denial-of-Service (DDoS) attacks. DDoS attacks are
typically done with compromised devices or with amplification attacks
using a spoofed source address. This document gives examples of different
theoretical amplification attacks using the Constrained Application Protocol
(CoAP). The goal with this document is to raise awareness and
to motivate generic and protocol-specific recommendations on the usage of
CoAP. Some of the discussed attacks can be mitigated by not using
NoSec or by using the Echo option.