

MQTT DoS — Mosquitto Broker Attack
MQTT (Message Queuing Telemetry Transport) is the dominant messaging protocol for IoT deployments — used in industrial control systems, smart buildings, medical devices, and consumer IoT. Mosquitto is the most widely deployed open-source MQTT broker. This project, completed for CY5150 Network Security Practices at Northeastern University, designed and executed a real Denial-of-Service attack against a live Mosquitto instance running on a Raspberry Pi 4, measuring the attack's impact across CPU, RAM, and network utilization, and recording the full outage timeline.
The attack used three distinct Python-scripted attack vectors operating concurrently — each exploiting a different aspect of MQTT's protocol design and Mosquitto's resource management. The combined effect was a complete broker outage lasting approximately 49 minutes, with measurable resource exhaustion at every layer.
Technologies & Tools
- - Python 3 (attack scripts)
- - Paho MQTT client library
- - Mosquitto MQTT broker
- - Raspberry Pi 4 (target)
- - Wireshark / tcpdump (traffic measurement)
- - htop / free (resource monitoring)
- - CY5150 Network Security Practices — Northeastern University

Course
CY5150 Network Security Practices
Instructor
Prof. Kevin Amorin
Target
Mosquitto broker on Raspberry Pi 4
RAM impact
600MB → 8GB
Traffic impact
<1 → 600–700 Mbit/s
Outage duration
~49 minutes
Attack Vectors
Vector 1 — Retained message flood: MQTT's retained message feature allows a broker to store the last message on a topic and deliver it to new subscribers. The attack script published high-volume retained messages across a large topic namespace, forcing the broker to hold all messages in memory. Because retained messages persist until explicitly cleared, the broker's heap grew continuously — driving RAM consumption from a baseline of 600MB to 8GB until the system OOM-killed the broker process.
Vector 2 — Wildcard topic storm: MQTT supports hierarchical topic wildcards (# and +). The attack script opened a large number of simultaneous subscriptions using broad wildcard patterns, then flooded publications matching those wildcards. Every published message had to be fanned out to all matching subscriber sessions — creating a multiplicative routing burden that saturated the broker's dispatch loop and drove network traffic from under 1 Mbit/s to 600–700 Mbit/s.
Vector 3 — Session exhaustion: MQTT persistent sessions survive disconnection — the broker retains queued messages for clients that reconnect. The attack script opened thousands of persistent sessions without consuming their queued messages, then disconnected without sending DISCONNECT packets. Each ghost session consumed broker state, queued message storage, and reconnection handling capacity — gradually exhausting Mosquitto's session management resources.
Combined effect: The three vectors operating concurrently overloaded the broker at the memory, CPU, and network layers simultaneously. Legitimate clients began experiencing connection timeouts within minutes; the broker was fully unresponsive to new connections within the first outage window. Full recovery required a broker restart and session store flush.

Protocol
MQTT v3.1.1
Mitigations studied
Rate limiting, topic ACLs, session limits
Findings & Mitigations
The attack demonstrated that default Mosquitto configurations are highly vulnerable to resource exhaustion attacks — none of the three vectors required authentication or exploited a CVE. They abuse legitimate protocol features that are simply unconstrained by default.
Mitigations: Retained message limits (max_queued_messages, message_size_limit), wildcard subscription depth restrictions and per-client rate limiting, persistent session expiry enforcement (session_expiry_interval in MQTT v5), and connection rate limiting at the broker and network layer. Network segmentation and broker-level authentication are baseline requirements that eliminate the unauthenticated attack surface entirely.
This research directly informs IoT security work at NUIoTConnect — understanding the attack surface of commodity MQTT deployments is foundational for securing the IoT environments that NUIoTConnect's members work with.
