MEDIUM: Accessible CoAP Report

DESCRIPTION LAST UPDATED: 2023-12-08

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies devices that have an accessible CoAP (Constrained Application Protocol) on port 5683/UDP. CoAP is a specialized web transfer protocol for use with constrained nodes and constrained networks. As described in RFC 7252, it is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

Exposed CoAP services can be used as reflectors in DDoS amplification attacks. They can also leak information (including authentication credentials), and in some cases may potentially allow for remote manipulation of exposed devices and associated services.

For more details behind the scan methodology and a daily update of global CoAP scan statistics please visit our dedicated CoAP scan page.

We first announced the scan in a blog post titled Accessible CoAP Report – Exposed Constrained Application Protocol Services on the Internet.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report was enabled as part of the European Union INEA CEF VARIoT project.

Filename(s): scan_coap

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the CoAP response came on (always UDP)
port

Port that the CoAP response came from (usually 5683)
hostname

Reverse DNS name of the device in question
tag

Set to coap
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
response

Blob of the decoded CoAP response to the resource discovery probe. This should typically be in the CoRE Link Format as described in RFC6690.
response_size

Response size in bytes
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
sector

Sector the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","response","response_size","amplification","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,5683,node01.example.com,coap;iot,2,64512,ZZ,Region,City,0,,";title=\"\"QLINK-FIND Resource\"",";title=\"\"QLINK-NETINFO Resource\"\"\"",104,4.95
"2010-02-10 00:00:01",medium,192.168.0.2,udp,5683,node02.example.com,coap;iot,2,64512,ZZ,Region,City,0,ptr,";title=\"\"General Info\"\";ct=0,;title=qlink/searchfh,;title=qlink/searchgw,;title=qlink/request,;title=qlink/success,;title=device/inform/bootstrap,;title=device/inform/boot,;title=device/inform/syncreq,;title=device/inform/offline,;title=device/inform/heartbeat,;title=device/inform/data,;ct=0",516,24.57,
"2010-02-10 00:00:02",medium,192.168.0.3,udp,5683,node03.example.com,coap;iot,2,64512,ZZ,Region,City,0,ptr,";title=\"\"General Info\"\";ct=0,;title=qlink/searchfh,;title=qlink/searchgw,;title=qlink/request,;title=qlink/success,;title=device/inform/bootstrap,;title=device/inform/boot,;title=device/inform/syncreq,;title=device/inform/offline,;title=device/inform/heartbeat,;title=device/inform/data,;ct=0",516,24.57,

Our 135 Report Types

« Back to Network Reporting