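%% You should probably cite draft-ietf-core-attacks-on-coap instead of this I-D.
%% This entry is revision -01 of the individual draft; the note field marks it
%% as a work in progress.
%% Authors use the "Last, First" form so that the compound surname
%% "Preuß Mattsson" is not split into given name "John Preuß" and surname "Mattsson".
%% Only the acronym in the title is brace-protected, so styles can still recase the rest.
@techreport{mattsson-core-coap-attacks-01,
  author      = {Preuß Mattsson, John and Fornehed, John and Selander, Göran and Palombini, Francesca and Amsüss, Christian},
  title       = {{CoAP} Attacks},
  type        = {Internet-Draft},
  number      = {draft-mattsson-core-coap-attacks-01},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2021,
  month       = jul,
  day         = 27,
  pagetotal   = 25,
  url         = {https://datatracker.ietf.org/doc/draft-mattsson-core-coap-attacks/01/},
  note        = {Work in Progress},
  abstract    = {Being able to securely read information from sensors, to securely control actuators, and to not enable distributed denial-of-service attacks are essential in a world of connected and networking things interacting with the physical world. This document summarizes a number of known attacks on CoAP and show that just using CoAP with a security protocol like DTLS, TLS, or OSCORE is not enough for secure operation. The document also summarizes different denial-of-service attacks using CoAP. The goal with this document is motivating generic and protocol-specific recommendations on the usage of CoAP. Several of the discussed attacks can be mitigated with the solutions in draft-ietf-core-echo-request-tag.},
}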