COAP stress test

Bounces spoofed CoAP requests off exposed IoT and constrained devices so a small query returns oversized responses at your own endpoint, validating how well your edge absorbs reflected UDP volume.

Run COAP test → All methods

up to 50x

amplification factor

How it works

CoAP runs over UDP on port 5683, and many internet-facing IoT and constrained devices answer discovery requests with responses far larger than the query. By spoofing the source address to your test target, the reflected responses converge on your infrastructure, multiplying the attacker's effort into a much larger inbound flood. This vector tests whether your edge can soak up reflected UDP from a wide spread of source addresses and whether anti-spoofing and per-source controls hold under load.

Parameters

pps600k ppsRequest rate driven toward the reflector pool

duration10-600 sLength of the sustained reflection run

reflectors100-5k hostsBreadth of the exposed-device source pool

amp_factor10x-50xResponse-to-request size ratio under test

Run it from the CLI

retro-cli

$ retro run coap --target 203.0.113.45 --duration 120

COAP FAQ

Is COAP testing legal?+

Only against infrastructure you own or are authorized to test. RETRO//STRESS requires authorized targets.

What does COAP stress?+

Bounces spoofed CoAP requests off exposed IoT and constrained devices so a small query returns oversized responses at your own endpoint, validating how well your edge absorbs reflected UDP volume.

Can I combine it with other methods?+

Yes, add it as a step in a packet chain to sequence it with other protocols.