Port reference
Port 5683 (UDP) – CoAP (Constrained Application Protocol)
Lightweight UDP-based REST-like protocol for constrained IoT devices; secure variant CoAPS runs on 5684 with DTLS.
Default state
Open on many IoT devices and gateways, frequently with no authentication. Plain CoAP on 5683 is unencrypted; the secured form (CoAPS) uses DTLS on 5684.
Common attacks
- UDP reflection/amplification DDoS using CoAP responses
- Unauthenticated resource enumeration and device control
- Spoofed requests to read or change sensor/actuator state
- Exploitation of vulnerable embedded CoAP stacks
Hardening
- Use CoAPS (DTLS) on 5684 instead of plaintext CoAP on 5683
- Never expose 5683 directly to the internet; keep IoT on segmented networks
- Disable multicast discovery and amplifiable responses on public interfaces
- Require authentication/authorization for sensitive resources
- Patch device firmware and rate-limit UDP at the gateway
nmap snippet
nmap -sU -p5683 --script coap-resources <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5683?
Port 5683 is CoAP, the Constrained Application Protocol — a lightweight, REST-like protocol designed for constrained IoT devices and low-power networks. It runs over UDP and mirrors HTTP verbs (GET, POST, PUT, DELETE) in a compact binary form. Plain CoAP on 5683 is unencrypted; the secured variant CoAPS uses DTLS on UDP 5684.
Why it matters for security
CoAP often ships with no authentication, so anyone who can reach 5683 may read sensors and control actuators. Because it's connectionless UDP, source addresses can be spoofed — making exposed devices useful as reflectors for amplification DDoS, where a small request yields a larger response aimed at a victim.
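The following decoder is an added example, not code from this page or from any CoAP project. It parses the compact binary header, token, delta-encoded options and payload described above, then applies the amplification reasoning from this section: a plaintext request is paired with its reply and the size ratio is reported, so a defender can spot which exposed resources would make a device a reflector. The two datagrams, the resource names in the link-format reply and the 10x flagging threshold are all constructed for the example and are not measurements from any real device.

```python
"""Decode CoAP (RFC 7252) datagrams and flag request/response pairs that
would make a device a UDP amplification reflector. Added example; the
sample datagrams below are constructed, not captured from any device."""
import struct
from dataclasses import dataclass, field

MSG_TYPES = ("CON", "NON", "ACK", "RST")                 # 2-bit T field
METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}   # class-0 codes
URI_PATH, CONTENT_FORMAT = 11, 12                         # option numbers


@dataclass
class CoapMessage:
    msg_type: str
    code: int            # 8-bit code: 3-bit class, 5-bit detail
    message_id: int
    token: bytes
    options: list = field(default_factory=list)  # (option number, raw value)
    payload: bytes = b""

    @property
    def code_str(self) -> str:
        return f"{self.code >> 5}.{self.code & 0x1F:02d}"   # e.g. 0.01, 2.05

    @property
    def is_request(self) -> bool:
        return self.code >> 5 == 0 and self.code != 0       # class 0, not Empty

    @property
    def uri_path(self) -> str:
        return "/" + "/".join(v.decode() for n, v in self.options if n == URI_PATH)


def _read_ext(raw: bytes, pos: int, nibble: int):
    """Expand a 4-bit option delta/length plus its extension byte(s)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return raw[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", raw, pos)[0] + 269, pos + 2
    raise ValueError("reserved nibble 15 outside the 0xFF payload marker")


def parse_coap(raw: bytes) -> CoapMessage:
    """Parse header, token, options and payload of one CoAP datagram."""
    if len(raw) < 4:
        raise ValueError("datagram shorter than the 4-byte CoAP header")
    first, code, mid = struct.unpack_from("!BBH", raw, 0)
    version, tkl = first >> 6, first & 0x0F
    if version != 1 or tkl > 8:
        raise ValueError("not CoAP version 1 or invalid token length")
    msg = CoapMessage(MSG_TYPES[(first >> 4) & 0x3], code, mid, raw[4:4 + tkl])
    pos, number = 4 + tkl, 0
    while pos < len(raw):
        if raw[pos] == 0xFF:                       # payload marker
            msg.payload = raw[pos + 1:]
            break
        head = raw[pos]
        delta, pos = _read_ext(raw, pos + 1, head >> 4)
        length, pos = _read_ext(raw, pos, head & 0x0F)
        number += delta                            # option numbers are delta-encoded
        if pos + length > len(raw):
            raise ValueError("option value runs past end of datagram")
        msg.options.append((number, raw[pos:pos + length]))
        pos += length
    return msg


# Constructed sample traffic: a 21-byte resource-discovery request and the
# link-format reply a device that advertises eight resources would return.
DISCOVERY_REQUEST = (
    b"\x40\x01\x12\x34"      # ver=1, CON, TKL=0, code 0.01 GET, message ID 0x1234
    + b"\xbb.well-known"     # Uri-Path (11), length 11
    + b"\x04core"            # Uri-Path (delta 0), length 4
)
LINK_FORMAT = ",".join(
    f'</sensors/{name}>;rt="{name}";if="sensor"' for name in
    ("temp", "humidity", "pressure", "light", "co2", "voc", "noise", "motion")
).encode()
DISCOVERY_RESPONSE = (
    b"\x60\x45\x12\x34"      # ver=1, ACK, TKL=0, code 2.05 Content, same message ID
    + b"\xc1\x28"            # Content-Format (12) = 40, application/link-format
    + b"\xff" + LINK_FORMAT  # payload marker, then the link-format body
)


def amplification_report(pairs, threshold: float = 10.0):
    """Return (method, path, factor) for each request whose matching reply is
    at least `threshold` times larger; such resources are reflector candidates."""
    findings = []
    for req_raw, resp_raw in pairs:
        req, resp = parse_coap(req_raw), parse_coap(resp_raw)
        matched = resp.message_id == req.message_id or (req.token and resp.token == req.token)
        if not req.is_request or not matched:
            continue
        factor = len(resp_raw) / len(req_raw)
        if factor >= threshold:
            findings.append((METHODS.get(req.code, req.code_str), req.uri_path, round(factor, 1)))
    return findings


if __name__ == "__main__":
    for method, path, factor in amplification_report([(DISCOVERY_REQUEST, DISCOVERY_RESPONSE)]):
        print(f"reflector candidate: {method} {path} amplifies {factor}x")
```

Run against real traffic, the same pairing logic over datagrams mirrored from a gateway shows which plaintext 5683 resources answer unauthenticated queries with large replies; those are the ones to move behind DTLS, restrict to the segmented network, or rate-limit first.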
How it's attacked
Attackers enumerate exposed devices with the nmap coap-resources script, discovering endpoints and their data. They issue spoofed requests to read or change device state, and recruit open CoAP nodes into amplification DDoS campaigns. Vulnerable embedded CoAP stacks are also targeted directly for crashes or code execution.
Hardening checklist
Use CoAPS (DTLS) on 5684 instead of plaintext CoAP on 5683. Never expose 5683 directly to the internet and keep IoT devices on segmented networks. Disable multicast discovery and amplifiable responses on public interfaces, and require authentication/authorization for sensitive resources. Patch firmware and rate-limit UDP at the gateway. Use the nmap snippet above to check exposure on devices you are authorized to test.
Frequently asked questions
- Is CoAP on port 5683 encrypted?
- No. Plain CoAP on 5683 is unencrypted and typically unauthenticated. The secure variant, CoAPS, runs on UDP 5684 and uses DTLS for confidentiality and authentication.
- Why is CoAP a DDoS amplification risk?
- CoAP runs over connectionless UDP, so requests can be spoofed and a small query can elicit a larger response. Attackers abuse exposed devices as reflectors to amplify traffic toward a victim.