Distributed Denial of Service attack analysis and mitigation for MQTTv5 shared subscription

IF 4.3 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computer Communications Pub Date : 2025-08-25 DOI:10.1016/j.comcom.2025.108298

Graziano Rizzo , Mattia Giovanni Spina , Floriano De Rango

{"title":"Distributed Denial of Service attack analysis and mitigation for MQTTv5 shared subscription","authors":"Graziano Rizzo , Mattia Giovanni Spina , Floriano De Rango","doi":"10.1016/j.comcom.2025.108298","DOIUrl":null,"url":null,"abstract":"<div><div>Sixth-generation (6G) networks will feature Massive IoT (M-IoT) deployments with a huge number of interconnected devices, enabling fast and reliable IoT applications. To address scalability and enhance message delivery, MQTTv5 introduces the <em>shared subscription</em> mechanism. However, the increased interconnectivity amplifies security vulnerabilities, posing significant risks with potentially severe consequences. In light of these challenges, this work aims to conduct a security-focused analysis of the shared subscription feature. Our study highlights the potential extent of damage from such an attack, which can potentially lead to indefinite <em>starvation</em> among legacy subscribers, and proposes a countermeasure to mitigate its impact. Additionally, to provide comprehensive security to the proposed mitigation mechanism, we design an Authenticated Encryption with Associated Data (AEAD)-based protection to counteract <em>external</em> malicious entities as well as an attacker detection mechanism based on a trust-based approach combined with the <em>z-score</em> statistical method to protect the proposed mitigation against <em>internal</em> attackers. These countermeasures are designed to accommodate the lightweight nature of MQTT and are characterized by a low protocol footprint while effectively mitigating the impact of the attack. Through an extensive experimental campaign, we tested this solution under real IoT traffic patterns to demonstrate its effectiveness and capability to restore the performance of the MQTT system targeted by the discovered attack.</div></div>","PeriodicalId":55224,"journal":{"name":"Computer Communications","volume":"242 ","pages":"Article 108298"},"PeriodicalIF":4.3000,"publicationDate":"2025-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Communications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0140366425002555","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Sixth-generation (6G) networks will feature Massive IoT (M-IoT) deployments with a huge number of interconnected devices, enabling fast and reliable IoT applications. To address scalability and enhance message delivery, MQTTv5 introduces the shared subscription mechanism. However, the increased interconnectivity amplifies security vulnerabilities, posing significant risks with potentially severe consequences. In light of these challenges, this work aims to conduct a security-focused analysis of the shared subscription feature. Our study highlights the potential extent of damage from such an attack, which can potentially lead to indefinite starvation among legacy subscribers, and proposes a countermeasure to mitigate its impact. Additionally, to provide comprehensive security to the proposed mitigation mechanism, we design an Authenticated Encryption with Associated Data (AEAD)-based protection to counteract external malicious entities as well as an attacker detection mechanism based on a trust-based approach combined with the z-score statistical method to protect the proposed mitigation against internal attackers. These countermeasures are designed to accommodate the lightweight nature of MQTT and are characterized by a low protocol footprint while effectively mitigating the impact of the attack. Through an extensive experimental campaign, we tested this solution under real IoT traffic patterns to demonstrate its effectiveness and capability to restore the performance of the MQTT system targeted by the discovered attack.

查看原文本刊更多论文

MQTTv5共享订阅的分布式拒绝服务攻击分析和缓解

第六代（6G）网络将以大规模物联网（M-IoT）部署为特色，其中包含大量互联设备，可实现快速可靠的物联网应用。为了解决可伸缩性问题并增强消息传递，MQTTv5引入了共享订阅机制。然而，互联性的增加放大了安全漏洞，带来了潜在严重后果的重大风险。鉴于这些挑战，本工作旨在对共享订阅特性进行以安全性为重点的分析。我们的研究强调了这种攻击的潜在损害程度，这可能导致遗留用户无限期饥饿，并提出了减轻其影响的对策。此外，为了为提议的缓解机制提供全面的安全性，我们设计了一种基于关联数据的身份验证加密（AEAD）保护来抵消外部恶意实体，以及一种基于基于信任的方法结合z-score统计方法的攻击者检测机制，以保护提议的缓解机制免受内部攻击者的攻击。这些对策旨在适应MQTT的轻量级特性，其特点是协议占用较少，同时有效地减轻了攻击的影响。通过广泛的实验活动，我们在真实的物联网流量模式下测试了此解决方案，以证明其有效性和恢复被发现攻击目标的MQTT系统性能的能力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Communications 工程技术-电信学

CiteScore

14.10

自引率

5.00%

发文量

397

审稿时长

66 days

期刊介绍： Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today''s computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.