
Attackers Use CoAP for DDoS Amplification

Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns. 

CoAP is a simple protocol designed for low-power computers on unreliable networks. It appears similar to HTTP, but operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

A DDoS attack leveraging CoAP begins with scans for devices that can be abused, and continues with a flood of packets spoofed with the source address of their target. At the moment, the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.

According to NETSCOUT’s security researchers, the scanning for the CoAP protocol has been constant, with almost all GET requests for “/.well-known/core”. In January 2019, however, the researchers noticed a spike in the number of DDoS attacks leveraging the protocol. 
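The scanning described above leaves a recognizable request on UDP port 5683. The following Python code is an added example, not part of the original article or NETSCOUT's tooling: it parses CoAP framing as defined in RFC 7252 and lists the sources that sent a GET for /.well-known/core. The function names, sample payloads and addresses are constructed for illustration.

```python
import struct

GET, URI_PATH = 0x01, 11  # method code 0.01 and Uri-Path option number (RFC 7252)

def _ext(nibble, buf, pos):
    """Expand an option delta/length nibble: 13 adds one byte, 14 adds two."""
    if nibble == 15:
        raise ValueError("reserved nibble")
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    return nibble, pos

def parse_coap(payload):
    """Return (code, uri_path) for a CoAP v1 message; ValueError if malformed."""
    if len(payload) < 4 or payload[0] >> 6 != 1 or (payload[0] & 0x0F) > 8:
        raise ValueError("not a CoAP v1 header")
    pos, number, segments = 4 + (payload[0] & 0x0F), 0, []
    try:
        while pos < len(payload) and payload[pos] != 0xFF:  # 0xFF starts the body
            delta, nxt = _ext(payload[pos] >> 4, payload, pos + 1)
            length, nxt = _ext(payload[pos] & 0x0F, payload, nxt)
            if nxt + length > len(payload):
                raise ValueError("truncated option")
            number += delta
            if number == URI_PATH:
                segments.append(payload[nxt:nxt + length].decode("utf-8", "replace"))
            pos = nxt + length
    except (IndexError, struct.error):
        raise ValueError("truncated option") from None
    return payload[1], "/" + "/".join(segments)

def is_discovery_probe(payload):
    """True for a GET of /.well-known/core, the request seen in the scanning."""
    try:
        return parse_coap(payload) == (GET, "/.well-known/core")
    except ValueError:
        return False

def probe_sources(datagrams):
    """Sorted source addresses that sent at least one discovery probe."""
    return sorted({src for src, data in datagrams if is_discovery_probe(data)})

# Constructed UDP/5683 payloads with documentation addresses, not real traffic.
PROBE = bytes.fromhex("40011234bb") + b".well-known" + b"\x04core"
SAMPLES = [("192.0.2.10", PROBE),
           ("198.51.100.7", bytes.fromhex("40011235b7") + b"sensors"),  # GET /sensors
           ("203.0.113.5", bytes.fromhex("40010001bd"))]                # cut-off option
```

Calling `probe_sources(SAMPLES)` returns only the address that sent the discovery request; the ordinary resource GET and the malformed datagram are ignored.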

The average amplification factor for CoAP is 34 and the vast majority of Internet-accessible CoAP devices reside in China and utilize a mobile peer-to-peer network, the researchers reveal. With CoAP devices transient by nature and their addresses changing within weeks, attackers need to continually rescan to find IPs to abuse. 

Even so, it is possible for a threat actor to build a list of IPs that respond to CoAP, and then abuse these devices to continually send a flood of packets with a spoofed source address of the intended target, NETSCOUT says. 

The DDoS attacks leveraging CoAP hit targets “geographically and logically well distributed, with little commonality between them.” The attacks last on average just over 90 seconds and feature around 100 packets per second.

The security researchers found 388,344 CoAP devices on the Internet, 81% of them located in China, with others discovered in Brazil, Morocco, South Korea, and the United States. Most of the devices in China responded to /.well-known/core with a QLC Chain response (a peer-to-peer network).

Because the IP addresses of CoAP devices change often, the vast majority of devices would have a different IP address within two weeks. This makes CoAP less efficient for organizing DDoS attacks than SSDP, which boasts a similar amplification factor but whose devices don’t move on the network as often.

Although there are around 12 times as many SSDP devices accessible on the Internet compared to CoAP, attackers still decided to add the CoAP reflection/amplification DDoS vector to their arsenal, meaning that the protocol is likely to continue being abused in attacks. 

“With the vast majority of CoAP devices being located in China and running QLC Chain, it appears that the currently-abusable CoAP reflectors/amplifiers are part of a limited-scope software monoculture that will likely change as CoAP grows in popularity. The initial wave of attacks utilizes well known behavior of the protocol but there are other features, perhaps not as widely implemented, that could make CoAP even more effective,” NETSCOUT concludes. 
