Port reference
Port 3702 (UDP) – WS-Discovery
WS-Discovery — a multicast protocol that locates web-service devices like printers and IP cameras on a local network.
Default state
Open on many printers, IP cameras, NAS, and Windows hosts. Frequently exposed to the internet, where it is abused for DDoS amplification.
Common attacks
- UDP amplification / reflection DDoS off exposed WSD devices
- Enumeration of IP cameras, printers, and NAS via probe responses
- Information disclosure of device type, model, and services
- Pivoting from discovered devices into the internal network
Hardening
- Block UDP 3702 at the internet edge — it should never be public
- Disable WS-Discovery / WSD on devices that do not need it
- Restrict multicast discovery to trusted local segments
- Patch printer, camera, and NAS firmware promptly
- Monitor for spoofed-source probes indicating reflection abuse
nmap snippet
nmap -sU -p3702 --script broadcast-wsdd-discover <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 3702?
Port 3702 carries WS-Discovery (WSD), a multicast protocol that lets web-service devices advertise and discover each other on a local network. Printers, IP cameras, NAS appliances, and Windows hosts use it to be found without manual configuration: a client multicasts a probe and matching devices reply with their type, address, and available services. It is meant to stay on the local link, never on the public internet.
Why it matters for security
WS-Discovery's request/response pattern is a textbook amplification primitive: a tiny spoofed probe triggers a much larger reply, and the protocol's frequent, accidental exposure to the internet has made it a favourite for reflection DDoS that can reach hundreds of gigabits. Even internally, probe responses leak a detailed inventory of devices — model, services, endpoints — that attackers use to find vulnerable cameras and printers to pivot through.
How it's attacked
Attackers scan for internet-facing UDP 3702 and reflect spoofed-source probes off the exposed devices, amplifying traffic onto a victim in a DDoS. They also send legitimate probes to enumerate IP cameras, printers, and NAS, reading device and service details from the responses, then pivot into the network through weak or unpatched device firmware.
Hardening checklist
Block UDP 3702 at the internet edge — it has no business being public. Disable WS-Discovery / WSD on devices that do not need it, and restrict multicast discovery to trusted local segments. Keep printer, camera, and NAS firmware patched, and monitor for spoofed-source probes that signal reflection abuse. The nmap script above discovers WSD devices on networks you are authorised to test.
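One way to run the spoofed-source monitoring mentioned above over UDP flow records, as an added example that is not part of the original page. The trusted segment, thresholds, record layout, and sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702
# Assumption: the only segment where WS-Discovery traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed records: (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
SAMPLE_FLOWS = [
    ("192.168.10.20", 51000, "239.255.255.250", 3702, 650),  # local multicast probe
    ("192.168.10.45", 3702, "192.168.10.20", 51000, 1400),   # printer replies locally
    ("198.51.100.7", 40100, "192.168.10.45", 3702, 650),     # one stray outside probe
    ("192.168.10.45", 3702, "198.51.100.7", 40100, 1400),
] + [
    ("203.0.113.9", 40000, "192.168.10.45", 3702, 30),       # repeated tiny probes
    ("192.168.10.45", 3702, "203.0.113.9", 40000, 1400),     # large replies leave the LAN
] * 8


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_reflection_suspects(flows, min_probes=5, min_ratio=5.0):
    """Flag devices answering repeated off-segment probes with much larger replies."""
    stats = defaultdict(lambda: {"probes": 0, "bytes_in": 0, "bytes_out": 0})
    for src, sport, dst, dport, size in flows:
        if dport == WSD_PORT and not is_trusted(src):
            # Probe whose claimed source is off-segment; in reflection it is the victim.
            entry = stats[(dst, src)]
            entry["probes"] += 1
            entry["bytes_in"] += size
        elif sport == WSD_PORT and not is_trusted(dst):
            # Device reply leaving the trusted segment toward that claimed source.
            stats[(src, dst)]["bytes_out"] += size
    alerts = []
    for (device, peer), s in sorted(stats.items()):
        ratio = round(s["bytes_out"] / max(s["bytes_in"], 1), 1)
        if s["probes"] >= min_probes and ratio >= min_ratio:
            alerts.append({"device": device, "claimed_source": peer,
                           "probes": s["probes"], "amplification": ratio})
    return alerts


if __name__ == "__main__":
    for alert in find_reflection_suspects(SAMPLE_FLOWS):
        print(alert)
```

Any alert also means UDP 3702 is reachable from outside the trusted segment, so the edge block or segment restriction is not in effect for that device.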
Frequently asked questions
- What is port 3702 used for?
- Port 3702 is WS-Discovery (WSD), a multicast protocol that lets devices such as printers, IP cameras, and NAS advertise themselves and be found automatically on a local network.
- Why is WS-Discovery a DDoS risk?
- A small spoofed probe makes an exposed WSD device send a much larger reply to the victim. With many internet-facing devices, attackers turn this gap into a high-volume amplification DDoS.