LOW: Accessible GPRS Tunneling Protocol (GTP) Report

DESCRIPTION LAST UPDATED: 2025-08-20

DEFAULT SECURITY LEVEL: LOW

This report contains information on open General Packet Radio Service (GPRS) Tunneling Protocol (GTP) services: GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used to carry General Packet Radio Service (GPRS) within GSM, UMTS, LTE and 5G NR radio networks.

This includes GTP-C (Core) hosted on port 2123/UDP and GTP-U (User) hosted on port 2152/UDP. For GTP-C we scan for GTP-C-v1 and GTP-C-v2.

While the report does not include specific vulnerabilities detected, it is recommended that ports associated with GTP services are not made publicly accessible. Given the use of UDP for these services, there may also be potential for amplification attacks.

You can track results of our GTP scans on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 version.

Filename(s): scan_gtp

Fields

  • timestamp
    Timestamp the event occured in UTC+0
  • severity
    Severity level
  • ip
    IP of the compromised device
  • protocol
    Protocol (UDP)
  • port
    Port of the service
  • hostname
    Reverse DNS name of the device in question
  • tag
    Additional tag information for example, gtp-c-v2, gtp-c-v1, gtp-u
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname (either from DNS or SSL cert)
  • sector
    Sector to which the device belongs to
  • flags
    Version and protocol type of the message. "0x32" for v1 and "0x40" for v2
  • message_type
    Should always be "0x02" in this case, as we send the request of "0x01"
  • message_type_text
    The "message type" in plain text. Should always be "Echo response" in this case, as we are sending an "Echo request"
  • message_length
    The length of the message (in bytes)
  • teid
    Tunnel Endpoint Identifier. This is only present in gtp-u and gtp-c-v1 response messages
  • sequence
    Sequence number of the messages. Since this is the beginning, it is always set to "0000"
  • recovery
    Counter
  • reponse_size
    The length of the payload in bytes
  • raw_response
    The raw payload as it was received in hex

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","flags","message_type","message_type_text","message_length","teid","sequence","recovery","response_size","raw_response"
"2010-02-10 00:00:00",,192.168.0.1,2152,udp,node01.example.com,gtp-u,64512,ZZ,Region,City,0,,,0x32,0x02,"Echo response",4,00000000,0000,,12,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:01",,192.168.0.2,2152,udp,node02.example.com,gtp-u,64512,ZZ,Region,City,0,,,0x32,0x02,"Echo response",4,00000000,0000,,12,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=
"2010-02-10 00:00:02",,192.168.0.3,2152,udp,node03.example.com,gtp-u,64512,ZZ,Region,City,0,,,0x32,0x02,"Echo response",4,00000000,0000,,12,NzI6QTE6RDU6ODc6QTc6MDM6OEM6NTk6RDc6QUM6Mzc6QTA6NTc6NDM6NTE6MUM6M0Y6Mzc6MjI6NjY6QjA6NzA6NTQ6RUQ6MjY6Q0Q6QzU6OUI6MzY6RkQ6Njk6QTM=

Our 136 Report Types

« Back to Network Reporting