Abstract
MQTT, a popular IoT messaging protocol, is frequently associated with numerous vulnerabilities, the majority of which are critical. Many IoT devices that use MQTT are susceptible to cyberattacks such as denial of service and buffer overflow. In this paper, we present a novel Denial of Service (DoS) attack on the MQTT protocol, referred to as Slow Subscribers, which can turn MQTT brokers into single points of failure. Unlike existing MQTT DoS attacks, Slow Subscribers can be launched from a single compromised node and could disrupt an MQTT broker with minimal subscription permissions. We evaluated the reliability of Mosquitto and NanoMQ, two popular MQTT brokers, to determine the effect of Slow Subscribers. Our findings show that NanoMQ outperforms Mosquitto in response to the Slow Subscribers attack at QoS level 0. We also find that the response to Slow Subscribers at QoS 2 is the worst for both broker implementations. In addition, our experimental results indicate that Eclipse Mosquitto achieves a higher rate of reliability than NanoMQ in cloud deployments, whereas NanoMQ has proven well suited to edge environments, especially edge IoT devices that require QoS levels 0 and 1. Finally, we propose Remistry, a Resilient Middleware for Message Queue Telemetry Transport framework that can detect misconfigurations while providing granular handling of resource commitment errors, in particular out-of-memory (OOM) conditions, to effectively mitigate the impact of Slow Subscribers attacks on MQTT brokers.
Data availability
All of the data used in this study is (or will be made) publicly available (if accepted). The dataset for Slow Subscribers used and assessed during the current study is available on GitHub.com.
Abbreviations
- M2M: Machine-to-Machine
- MOM: Message-oriented middleware
- MQTT: Message Queuing Telemetry Transport
- IoT: Internet of Things
- IIoT: Industrial Internet of Things
- SCADA: Supervisory Control and Data Acquisition
- DoS: Denial of service
- TCP: Transmission Control Protocol
- OOM: Out-of-memory
- IPC: Inter-Process Communication
- QoS: Quality of service
Funding
Not applicable.
Author information
Contributions
All authors have contributed to this manuscript and approve of this submission. All authors reviewed the manuscript.
Ethics declarations
Competing interests
Not applicable.
Ethical Approval
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Liu, Y., Al-Masri, E. Slow Subscribers: a novel IoT-MQTT based denial of service attack. Cluster Comput 26, 3973–3984 (2023). https://doi.org/10.1007/s10586-022-03788-9