DoS attacks on MQTT Infrastructure

Last updated: Aug. 31, 2024

Introduction

The goal of this research is to identify the possible attacks that could be performed on IoT infrastructure, specifically a Mosquitto broker running with default configurations.

Possible attacks:

Amplification Attack

  • Involves periodically sending heavy messages to mount a DoS attack against the resource-constrained clients connected to the broker, preventing them from receiving other messages

Fast-Flood Attack

  • The attacker publishes multiple packets at a high rate to seize the broker's resources
  • The quality of service is set to 2, which exhausts not only the broker's CPU resources but also the network

Heavy-Flood Attack

  • Saturate the MQTT broker resources by sending many heavy messages on different topics with or without a set of subscribed clients
  • It is possible to saturate RAM and swap space (and have the broker killed by the system) with just one malicious connected client when the default payload size (~255MB) is used
  • Optionally, the attacker can set quality of service to 2 to saturate the network and broker resources
  • This attack could also be exploited even further if there are no persistence or expiration settings in place since broker will need to store message until

Connect-Flood Attack

  • The attacker instantiates a high number of connections with the server, in order to seize all available connections the MQTT broker is able to manage simultaneously
  • Specifically exploits the CONNECT packet (a major weakness in MQTT), which MQTT uses to initiate communication with the broker
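
To check a broker configuration against the four attack classes above, the following added example (not code from this page, from MQTTSA or from the Mosquitto project) audits a mosquitto.conf for resource limits left unset or set to "no limit". The option names are real mosquitto.conf settings; the mapping of options to attacks, the flattening of per-listener options into one table, and both sample configurations are assumptions made for this example.

```python
# Added example: flag mosquitto.conf resource limits that are missing or unlimited.
# Simplification (assumption): per-listener options are read as one flat table.

# (alternative option names, attack class from this page, values meaning "no limit")
CHECKS = [
    (("message_size_limit", "max_packet_size"), "Amplification / Heavy-Flood", {"0"}),
    (("max_queued_bytes",), "Heavy-Flood (queued data)", {"0"}),
    (("persistent_client_expiration",), "Heavy-Flood (stored sessions)", set()),
    (("max_qos",), "Fast-Flood / Heavy-Flood (QoS 2)", {"2"}),
    (("max_connections",), "Connect-Flood", {"-1"}),
]

def parse_conf(text):
    """Return {option: value}; a later line overrides an earlier one."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return (option, attack, reason) for every limit that is not enforced."""
    opts = parse_conf(text)
    findings = []
    for names, attack, unlimited in CHECKS:
        values = [opts[n] for n in names if n in opts]
        if not values:
            findings.append((names[0], attack, "not set"))
        elif all(v in unlimited for v in values):
            findings.append((names[0], attack, "set to no limit"))
    return findings

# Constructed samples: a config with no limits, and one with illustrative values.
DEFAULT_CONF = "listener 1883\nallow_anonymous true\n"
HARDENED_CONF = """\
listener 1883
max_connections 500
max_qos 1
message_size_limit 65536
max_queued_bytes 1048576
persistent_client_expiration 1d
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The numeric limits in the hardened sample are placeholders; size them to the largest legitimate payload and client count of the deployment.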

Sources:

  • https://st.fbk.eu/complementary/IOTSECFOR2021.html
  • https://www.politesi.polimi.it/bitstream/10589/178090/1/2021_7_Ghannadrad.pdf
  • Tool to find misconfigurations: https://github.com/stfbk/mqttsa