Links to CoAP or DTLS 1.2 research information - eclipse-californium/californium GitHub Wiki
Links to research information about CoAP or DTLS 1.2
General
IETF / core-wg
iana (Internet Assigned Numbers Authority)
Constrained Application Protocol (CoAP): Corrections and Clarifications
IETF / tls-wg
iana (Internet Assigned Numbers Authority)
Overviews Of Implementations
Performance analysis
Analysis of CoAP Implementations for Industrial Internet of Things: A Survey
It compares single-request processing. The benefit of using Californium comes with many clients, each at a moderate request rate: Californium is able to process about 30,000 requests per second (in sum) from several thousand clients using encryption on a J5005 (4x1.5 GHz CPU, 16 GB RAM).
Impact of CoAP and MQTT on NB-IoT System Performance
In my experience, using DTLS 1.2 with CID enables a CAT-NB (NB-IoT) modem to send encrypted data (packet < 280 bytes) from sleep mode (PSM) into the cloud and back in about 4 s. That's hard to beat.
Content Object Security in the Internet of Things: Challenges, Prospects, and Emerging Solutions
Focuses on the use of protocol-translating gateways and hops (coap2coap proxies).
Security - DTLS / CoAP
NIST database of known CoAP vulnerabilities
NIST database of known DTLS vulnerabilities
NIST database of known Californium vulnerabilities
NIST database of known tinyDtls vulnerabilities
CISA UDP-Based Amplification Attacks
"the coap protocol is the next big thing for ddos attacks"
The Fragility of Industrial IoT’s Data Backbone
Carsten Bormann, core-email-list, about the above links
Using CoAP without encryption on the public internet is hopefully something very temporary. The statements about using RFC 7959 (Block-wise transfers) seem to be wrong, because a peer cannot request larger blocks than the other peer offers; only a smaller block size can be negotiated.
Core - CoAP - Attacks, related github project
John Mattsson, core-email-list, Core - CoAP - Attacks, announcement with additional reference links
The references seem to refer to the same threat. FMPOV a good one is NETSCOUT, CoAP Attacks In The Wild. In sum, this is the same information as "the coap protocol is the next big thing for ddos attacks" above.
NETSCOUT, DDoS Attack Vectors Live or Die
RFC 7457 - Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
Lucky 13, 2013 - Details and Mitigation
Lucky 13, 2018 - Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure
Plaintext-Recovery Attacks Against Datagram TLS
Lucky 13 affects both TLS and DTLS.
Generally, such a timing side-channel attack requires measuring the processing time of crypto functions. Using Java makes it much harder to obtain such timing signals with useful quality, especially when executed on a multi-core/multi-processor platform, as is common for servers, where the times vary a lot from run to run. If the server is also communicating with other peers, likewise common for CoAP, useful timing signals are even harder to obtain. Using resilient cipher suites also helps to overcome that threat.
For Lucky 13, that means using the CCM or GCM variants instead of CBC.
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Security - General
Robustness
Robustness Testing of CoAP Server-side Implementations
I'm not sure what "californium-pt" is. The test seems to use Californium 1.0.x. Running Californium's plugtest server (2.0.x) for more than a year now in a public sandbox, I'm not aware that it crashes.
Exploring the Possibilities of Robustness Testing CoAP Implementations Using Evolutionary Fuzzing
That test didn't cover Californium.
Use it, and report your findings.
Research Sites - Current Scans
Very popular IoT search engine. Free and advanced plans. Offers APIs for automated usage.
Own basic research
The tests are done by sending a GET request to all public IPv4 addresses at port 5683 to check for CoAP servers. If a response is received, the server is counted and the size of the response is added to a statistic. Additionally, a ClientHello is sent to all public IPv4 addresses at port 5684 to check for DTLS servers. If a HelloVerifyRequest or a ServerHello is received back, the server is counted.
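To check how a DTLS endpoint (for instance your own Californium server) answers a cold ClientHello, as the scan above does, here is an added Python example that is not part of this wiki or of Californium: it parses the DTLS 1.2 record and handshake headers of the first reply, distinguishes a HelloVerifyRequest (cookie exchange, no server state yet) from a ServerHello and, for a ServerHello, decodes the negotiated cipher suite and flags CBC suites, which ties in with the Lucky 13 note above. The byte layouts follow RFC 6347 and RFC 5246; the sample datagrams and the small cipher-suite table are constructed here for the demonstration.

```python
import struct

CT_HANDSHAKE = 22  # DTLS record content type "handshake" (RFC 6347)
HS_SERVER_HELLO, HS_HELLO_VERIFY_REQUEST = 2, 3
RECORD_HDR = 13  # type(1) version(2) epoch(2) seq(6) length(2)
HS_HDR = 12      # msg_type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)

# IANA ids of a few cipher suites used with CoAP; any other suite is reported by id.
CIPHER_SUITES = {
    0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8",
    0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256",
    0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
}

def classify_dtls_reply(datagram: bytes) -> dict:
    """Classify a server's first answer to a ClientHello received on UDP port 5684."""
    if len(datagram) < RECORD_HDR + HS_HDR or datagram[0] != CT_HANDSHAKE or datagram[1] != 0xFE:
        return {"kind": "not-dtls"}
    rec_len = struct.unpack("!H", datagram[11:13])[0]
    if rec_len < HS_HDR or RECORD_HDR + rec_len > len(datagram):
        return {"kind": "not-dtls"}
    hs = datagram[RECORD_HDR:RECORD_HDR + rec_len]
    body = hs[HS_HDR:HS_HDR + int.from_bytes(hs[9:12], "big")]
    try:
        if hs[0] == HS_HELLO_VERIFY_REQUEST:
            # Cookie exchange: the server keeps no state until the cookie is echoed back,
            # so a spoofed ClientHello only triggers this small reply (limits amplification).
            return {"kind": "HelloVerifyRequest", "cookie_len": body[2]}
        if hs[0] == HS_SERVER_HELLO:
            # body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
            sid_len = body[34]
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
            name = CIPHER_SUITES.get(suite, "0x%04X" % suite)
            return {"kind": "ServerHello", "cipher_suite": name, "cbc": "CBC" in name}
    except (IndexError, struct.error):
        return {"kind": "malformed"}
    return {"kind": "handshake-type-%d" % hs[0]}

def _record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in DTLS handshake and record headers (constructed sample)."""
    blen = len(body).to_bytes(3, "big")
    hs = bytes([hs_type]) + blen + bytes(2) + bytes(3) + blen + body  # msg_seq 0, frag_off 0
    return bytes([CT_HANDSHAKE, 0xFE, 0xFD]) + bytes(8) + struct.pack("!H", len(hs)) + hs

# Constructed sample datagrams, not captured traffic.
SAMPLE_HVR = _record(HS_HELLO_VERIFY_REQUEST, b"\xfe\xfd" + bytes([16]) + bytes(range(16)))
SAMPLE_SH_CBC = _record(HS_SERVER_HELLO, b"\xfe\xfd" + bytes(32) + b"\x00\xc0\x23\x00")
SAMPLE_SH_CCM = _record(HS_SERVER_HELLO, b"\xfe\xfd" + bytes(32) + b"\x00\xc0\xa8\x00")
```

A server that answers a fresh ClientHello with a ServerHello rather than a HelloVerifyRequest has skipped the cookie exchange and can be used as a UDP amplifier; a ServerHello selecting a CBC suite is the configuration the Lucky 13 note advises against.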
(End of December 2021)
dtls: 1330
coap: 317509
avg.: 338.17, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 983, 95%: 991, max.: 2029
The average response size is 338 bytes, the median is 143 bytes. The ratio of 1330 to 317509 is about 4‰ (0.4 %).
(End of January 2022)
dtls: 1443
coap: 344121
avg.: 341.01, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 767, 95%: 991, max.: 2029
(End of February 2022)
dtls: 1436
coap: 351413
avg.: 345.15, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 983, 95%: 991, max.: 2029
(End of March 2022)
dtls: 1521
coap: 352920
avg.: 347.99, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 983, 95%: 991, max.: 2029
(End of April 2022)
dtls: 1496
coap: 325196
avg.: 350.38, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 991, 95%: 991, max.: 2029
(End of May 2022)
dtls: 1536
coap: 320223
avg.: 338.66, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 983, 95%: 991, max.: 2029
(End of June 2022)
dtls: 1518
coap: 311156
avg.: 332.93, 5%: 7, 10%: 7, 50%: 143, 75%: 519, 90%: 575, 95%: 991, max.: 2029