MEDIUM: Accessible CoAP Report

DESCRIPTION LAST UPDATED: 2023-12-08

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies devices that have an accessible CoAP (Constrained Application Protocol) on port 5683/UDP. CoAP is a specialized web transfer protocol for use with constrained nodes and constrained networks. As described in RFC 7252, it is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

Exposed CoAP services can be used as reflectors in DDoS amplification attacks. They can also leak information (including authentication credentials), and in some cases may potentially allow for remote manipulation of exposed devices and associated services.

For more details behind the scan methodology and a daily update of global CoAP scan statistics please visit our dedicated CoAP scan page.

We first announced the scan in a blog post titled Accessible CoAP Report – Exposed Constrained Application Protocol Services on the Internet.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report was enabled as part of the European Union INEA CEF VARIoT project.


Filename(s): scan_coap

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the CoAP response came on (always UDP)
  • port
    Port that the CoAP response came from (usually 5683)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to coap
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • response
    Blob of the decoded CoAP response to the resource discovery probe. This should typically be in the CoRE Link Format as described in RFC6690.
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • sector
    Sector the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","response","response_size","amplification","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,5683,node01.example.com,coap;iot,2,64512,ZZ,Region,City,0,,";title=\"\"QLINK-FIND Resource\"",";title=\"\"QLINK-NETINFO Resource\"\"\"",104,4.95
"2010-02-10 00:00:01",medium,192.168.0.2,udp,5683,node02.example.com,coap;iot,2,64512,ZZ,Region,City,0,ptr,";title=\"\"General Info\"\";ct=0,;title=qlink/searchfh,;title=qlink/searchgw,;title=qlink/request,;title=qlink/success,;title=device/inform/bootstrap,;title=device/inform/boot,;title=device/inform/syncreq,;title=device/inform/offline,;title=device/inform/heartbeat,;title=device/inform/data,;ct=0",516,24.57,
"2010-02-10 00:00:02",medium,192.168.0.3,udp,5683,node03.example.com,coap;iot,2,64512,ZZ,Region,City,0,ptr,";title=\"\"General Info\"\";ct=0,;title=qlink/searchfh,;title=qlink/searchgw,;title=qlink/request,;title=qlink/success,;title=device/inform/bootstrap,;title=device/inform/boot,;title=device/inform/syncreq,;title=device/inform/offline,;title=device/inform/heartbeat,;title=device/inform/data,;ct=0",516,24.57,

Our 125 Report Types