LAST UPDATED: 2023-03-15
This report identifies accessible WS-Discovery services on port 3702/udp. As described on Wikipedia, Web Services Dynamic Discovery (WS-Discovery) is a technical specification that defines a multicast discovery protocol to locate services on a local network.
The WS-Discovery service is known to be a potential UDP message amplifier that has been abused for reflected DDoS attacks since 2019 (see observations from Akamai and Trend Micro).
As of 2023-03-14 we find 17621 servers on IPv4, with an average amplification factor of 293 and median amplification factor of 305.
How we scan
We scan by sending 5 byte malformed WS-Discovery packet containing a
<:/> payload, as used in the Phenomite research WS-Discovery DDoS amplification.
We do not perform any intrusive checks on a discovered service.
You can track latest WS-Discovery scan results on the Shadowserver Dashboard.
You can also track WS-Discovery DDoS amplification abuse on our Dashboard, as seen by honeypot sensors.
Block port 3702/udp from the public Internet.
For more information on our scanning efforts, check out our Internet scanning summary page.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report has an IPv4.