Accessible CoAP Report

LAST UPDATED: 2022-08-29

This report identifies devices that have an accessible CoAP (Constrained Application Protocol) on port 5683/UDP. CoAP is a specialized web transfer protocol for use with constrained nodes and constrained networks. As described in RFC 7252, it is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

Exposed CoAP services can be used as reflectors in DDoS amplification attacks. They can also leak information (including authentication credentials), and in some cases may potentially allow for remote manipulation of exposed devices and associated services.

For more details behind the scan methodology and a daily update of global CoAP scan statistics please visit our dedicated CoAP scan page.

We first announced the scan in a blog post titled Accessible CoAP Report – Exposed Constrained Application Protocol Services on the Internet.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report was enabled as part of the European Union INEA CEF VARIoT project.


Filename(s): scan_coap

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the CoAP response came on (always UDP)
  • port
    Port that the CoAP response came from (usually 5683)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Set to coap
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • response
    Blob of the decoded CoAP response to the resource discovery probe. This should typically be in the CoRE Link Format as described in RFC6690.
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","sic","response","response_size","amplification"
"2010-02-10 00:00:00",192.168.0.1,udp,5683,node01.example.com,coap,2,64512,ZZ,Region,City,0,0,",,,,,,,,,",113,5.38
"2010-02-10 00:00:01",192.168.0.2,udp,5683,node02.example.com,coap,1,64512,ZZ,Region,City,0,0,"`EsjAy************************************************************|CoAP RFC 7252                                               |************************************************************|This server is using the Eclipse Californium (Cf) CoAP framework|published under EPL+EDL: http://www.eclipse.org/californium/||(c) 2014, 2015, 2016 Institute for Pervasive Computing, ETH Zurich and others|************************************************************",454,113.50
"2010-02-10 00:00:02",192.168.0.3,udp,5683,node03.example.com,coap,1,64512,ZZ,Region,City,0,0,"`EsjAy************************************************************|CoAP RFC 7252                                               |************************************************************|This server is using the Eclipse Californium (Cf) CoAP framework|published under EPL+EDL: http://www.eclipse.org/californium/||(c) 2014, 2015, 2016 Institute for Pervasive Computing, ETH Zurich and others|************************************************************",454,113.50

Our 130 Report Types