Port reference

Port 5684 (UDP) – CoAPS (CoAP over DTLS)

Default port for CoAPS, the DTLS-secured variant of CoAP, the lightweight REST-like IoT protocol that runs in plaintext on UDP 5683.

UDP | Registered | Commonly attacked

Default state

Reserved for DTLS-secured CoAP. Encryption is in place, but devices may rely on weak pre-shared keys, skip mutual authentication, or also expose plaintext CoAP on 5683.

Common attacks

  • Brute force or reuse of weak DTLS pre-shared keys (PSKs)
  • Fallback to plaintext CoAP on 5683 when both are reachable
  • Exploitation of vulnerable embedded DTLS/CoAP stacks
  • UDP-based DoS and resource exhaustion against constrained devices

Hardening

  • Use CoAPS (DTLS) on 5684 instead of plaintext CoAP on 5683
  • Use strong, unique PSKs or certificate-based DTLS with mutual auth
  • Disable plaintext 5683 so clients cannot fall back
  • Never expose IoT devices directly; keep them on segmented networks
  • Patch device firmware and rate-limit UDP at the gateway

nmap snippet

nmap -sU -p5684 --script coap-resources <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5684?

Port 5684 is the default for CoAPS (CoAP secured with DTLS), the encrypted form of the Constrained Application Protocol, a lightweight, REST-like protocol for constrained IoT devices. It runs over UDP like plaintext CoAP on 5683, but wraps requests in DTLS so that data is confidential and endpoints can be authenticated. It mirrors the HTTP verbs (GET, POST, PUT, DELETE) in a compact binary encoding.

Why it matters for security

Port 5684 closes the confidentiality and amplification gaps of plaintext CoAP, but DTLS is only as strong as its keys. Devices often rely on weak or shared pre-shared keys (PSKs), skip mutual authentication, or also expose plaintext 5683, letting attackers fall back to the unencrypted port. Constrained IoT devices also run vulnerable embedded stacks that are targeted directly.

How it's attacked

Attackers attempt to brute-force or reuse weak PSKs to join the DTLS session, and where both are reachable they downgrade to plaintext 5683 to read or change device state. Vulnerable DTLS/CoAP stacks are exploited for crashes or code execution, and UDP-based DoS exhausts the resources of constrained devices.
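A defender-side check for the plaintext fallback described above, added here as an example and not part of the original port reference: it decodes the CoAP binary header and Uri-Path options (RFC 7252 layout) and labels each UDP datagram as a DTLS record on 5684, plaintext CoAP on 5683, or other. The function names, the sample datagrams and the label strings are this example's own assumptions.

```python
import struct
COAP_METHODS = {1: "GET", 2: "POST", 3: "PUT", 4: "DELETE"}   # request codes 0.01-0.04
URI_PATH = 11                                                # Uri-Path option number

def _ext(nib, payload, pos):  # expand a 4-bit delta/length nibble (13, 14 use extra bytes)
    if nib == 13:
        return payload[pos] + 13, pos + 1
    if nib == 14:
        return struct.unpack("!H", payload[pos:pos + 2])[0] + 269, pos + 2
    return nib, pos
def parse_coap(payload: bytes):
    """Decode the CoAP header, token and Uri-Path; None if not well-formed CoAP."""
    try:
        tkl = payload[0] & 0x0F
        if payload[0] >> 6 != 1 or tkl > 8 or len(payload) < 4 + tkl:  # Ver=1, TKL<=8
            return None
        code, mid = payload[1], struct.unpack("!H", payload[2:4])[0]
        pos, number, path = 4 + tkl, 0, []
        while pos < len(payload) and payload[pos] != 0xFF:  # 0xFF marks the payload
            delta, length = payload[pos] >> 4, payload[pos] & 0x0F
            if 15 in (delta, length):  # reserved outside the payload marker
                return None
            delta, pos = _ext(delta, payload, pos + 1)
            length, pos = _ext(length, payload, pos)
            if pos + length > len(payload):  # option value runs past the datagram
                return None
            number += delta
            if number == URI_PATH:
                path.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
    except (IndexError, struct.error):  # truncated header or option
        return None
    method = COAP_METHODS.get(code, f"{code >> 5}.{code & 0x1F:02d}")
    return {"method": method, "mid": mid, "path": "/" + "/".join(path)}
def classify(dst_port: int, payload: bytes) -> str:
    """Label one UDP datagram as DTLS-wrapped CoAPS, plaintext CoAP, or other."""
    is_dtls = (len(payload) >= 13 and payload[0] in (20, 21, 22, 23)      # record type
               and payload[1:3] in (b"\xfe\xff", b"\xfe\xfd"))            # DTLS 1.0/1.2
    if dst_port == 5684 and is_dtls:
        return "coaps-dtls"
    msg = parse_coap(payload)
    if msg and dst_port == 5683:
        return f"PLAINTEXT CoAP {msg['method']} {msg['path']} mid={msg['mid']}"
    return "other"

SAMPLES = [  # constructed datagrams, not captured from any real device
    (5684, b"\x16\xfe\xfd\x00\x00" + b"\x00" * 6 + b"\x00\x10" + b"\x01" * 16),  # DTLS handshake
    (5683, b"\x41\x01\x12\x34\x42\xb6sensor\x04temp"),  # CON GET /sensor/temp, token 0x42
    (5683, b"\x40\x03\x00\x07\xb3led\xff1"),  # CON PUT /led carrying payload "1"
]
```

Feed `classify` the destination port and UDP payload of each captured datagram; any PLAINTEXT label on a segment that should only carry CoAPS is a fallback worth investigating.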

Hardening checklist

Use CoAPS (DTLS) on 5684 instead of plaintext 5683, with strong, unique PSKs or certificate-based DTLS and mutual authentication. Disable plaintext 5683 so clients cannot fall back. Never expose IoT devices directly and keep them on segmented networks. Patch firmware and rate-limit UDP at the gateway. Use the nmap snippet above to check exposure on devices you are authorized to test.

Frequently asked questions

How is port 5684 different from 5683?
Port 5684 carries CoAP inside a DTLS tunnel for confidentiality and authentication, while 5683 is the same protocol in plaintext UDP. Use 5684 and disable 5683 where possible.
Does DTLS on 5684 make CoAP fully secure?
Not on its own. DTLS protects traffic, but weak or shared pre-shared keys, missing mutual authentication, and vulnerable embedded stacks still expose devices. Use strong keys or certificates and patch firmware.