
Slow Subscribers: a novel IoT-MQTT based denial of service attack

Published in: Cluster Computing

Abstract

MQTT, a popular IoT messaging protocol, is frequently associated with numerous vulnerabilities, the majority of which are critical. Many IoT devices that use MQTT are susceptible to cyberattacks such as denial of service and buffer overflow. In this paper, we unveil a novel Denial of Service (DoS) attack on the MQTT protocol, referred to as Slow Subscribers, which has the potential to turn MQTT brokers into single points of failure. Unlike existing MQTT DoS attacks, Slow Subscribers can be launched from a single compromised node and could potentially disrupt an MQTT broker with minimal subscription permissions. We evaluated the reliability of Mosquitto and NanoMQ, two popular MQTT messaging brokers, to determine the effect of Slow Subscribers. According to the findings of our investigation, NanoMQ outperforms Mosquitto in response to the Slow Subscribers attack at QoS level 0. We also determine that the response to Slow Subscribers at QoS 2 is the worst for both broker implementations. In addition, the results of our experiments indicate that Eclipse Mosquitto achieves a higher rate of reliability than NanoMQ on cloud deployments, whereas NanoMQ has proven to be well suited for edge environments, especially edge IoT devices that require QoS levels 0 and 1. Finally, we propose a Resilient Middleware for Message Queue Telemetry Transport (Remistry) framework that is capable of detecting misconfigurations while providing granular handling of resource commitment errors, in particular out-of-memory (OOM) conditions, to effectively mitigate the impact of Slow Subscribers attacks on MQTT brokers.
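As an added illustration, not taken from the paper and unrelated to the Remistry framework it proposes, the following mosquitto.conf fragment shows the per-client resource bounds an Eclipse Mosquitto operator can set so that a subscriber that stops draining its queue cannot grow broker memory without limit. The option names are Mosquitto's own (Mosquitto 2.x syntax); the numeric values are illustrative choices, and the defaults quoted in the comments are stated from my own knowledge of Mosquitto 2.x rather than from the paper. The queue bounds apply to QoS 1 and 2 deliveries, which is where the abstract reports the worst behaviour under Slow Subscribers.

```conf
# mosquitto.conf fragment (added example): bounding what one subscriber
# can make the broker hold on its behalf. Option names are Mosquitto's;
# the values below are illustrative, not recommendations from the paper.

# Maximum QoS 1/2 messages queued per client beyond those in flight.
# 0 means unlimited (not recommended); Mosquitto 2.x defaults to 1000.
max_queued_messages 200

# Also cap queued bytes per client: a message count alone says nothing
# about memory when payloads are large. Default 0 = unlimited.
max_queued_bytes 1048576

# Limit concurrent in-flight QoS 1/2 messages per client (default 20).
max_inflight_messages 10

# Do not queue QoS 0 messages for disconnected persistent clients
# (default false; enabling it lets absent clients accumulate state).
queue_qos0_messages false

# Expire persistent sessions that never reconnect, so their queues are freed.
persistent_client_expiration 1d

# Hard ceiling on the broker's heap; when reached, Mosquitto stops
# accepting new messages instead of being killed by the OS OOM killer.
# Default 0 = unlimited.
memory_limit 268435456

# Reject oversized PUBLISH packets outright (default 0 = unlimited).
max_packet_size 65536
```

These settings bound the broker's resource commitment per client; they do not by themselves identify which subscriber is slow, nor do they change the QoS semantics the abstract compares across Mosquitto and NanoMQ. Operators should check `mosquitto -h` or the mosquitto.conf man page for their installed version, since option names and defaults have changed between 1.x and 2.x.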


Data availability

All of the data used in this study is (or will be made) publicly available (if accepted). The dataset for Slow Subscribers used and assessed during the current study is available on GitHub.com.

Abbreviations

M2M: Machine-to-Machine
MOM: Message-oriented middleware
MQTT: Message Queuing Telemetry Transport
IoT: Internet of Things
IIoT: Industrial Internet of Things
SCADA: Supervisory Control and Data Acquisition
DoS: Denial of service
TCP: Transmission Control Protocol
OOM: Out-of-memory
IPC: Inter-Process Communication
QoS: Quality of service


Funding

Not applicable.


Contributions

All authors have contributed to this manuscript and approve of this submission. All Authors reviewed the manuscript.

Corresponding author

Correspondence to Eyhab Al-Masri.

Ethics declarations

Competing interests

Not applicable.

Ethical Approval

Not applicable.


About this article


Cite this article

Liu, Y., Al-Masri, E. Slow Subscribers: a novel IoT-MQTT based denial of service attack. Cluster Comput 26, 3973–3984 (2023). https://doi.org/10.1007/s10586-022-03788-9


  • DOI: https://doi.org/10.1007/s10586-022-03788-9
