DoS Attacks in Available MQTT Implementations (2021)

38 points by goodburb over 1 year ago

6 comments

bhaney over 1 year ago
One hell of a nothingburger. Of course you open yourself up to DoS/magnification attacks if you publicly expose a broker with broadcast/fanout functionality.
pomian over 1 year ago
For those who read the article but still don't know, from Wikipedia:

Historically, the "MQ" in "MQTT" came from the IBM MQ (then 'MQSeries') product line, where it stands for "Message Queue". However, the protocol provides publish-and-subscribe messaging (no queues, in spite of the name).[8] In the specification opened by IBM as version 3.1 the protocol was referred to as "MQ Telemetry Transport".[9][10] Subsequent versions released by OASIS strictly refers to the protocol as just "MQTT", although the technical committee itself is named "OASIS Message Queuing Telemetry Transport Technical Committee".[2] Since 2013, "MQTT" does not stand for anything.[11][8]
mindslight over 1 year ago
Regarding MQTT in general - is my reading of the spec correct in that there are actually no message ordering guarantees across different topics? This would imply that the common HA pattern of a single device publishing/receiving commands/status on multiple semantically-named topics (eg /dev001/onoff + /dev001/color) is actually a subtly incorrect use of the protocol? And the way to maintain ordering with the protocol is to have only a single topic for commands and a single topic for status updates? Because this is what I've concluded, but I'd love to be wrong!
quantumensert over 1 year ago
This seems similar to how wireless APs handle queues when devices are placed into 'power-saving' mode; and also the ability to fill the queue-stack with bogus frames
oriettaxx over 1 year ago
If you follow the "Acceptance News: Link" you get to a date:

Published: Jun 5, 2021
ostenning over 1 year ago
S in the acronym IoT stands for security