HIGH: Open DVR DHCPDiscover Report

DESCRIPTION LAST UPDATED: 2023-12-11

DEFAULT SEVERITY LEVEL: HIGH

This report identifies devices that have an open DVR DHCPDiscover service on port 37810/UDP. DHCPDiscover is a UDP-based JSON protocol used to help manage networked digital video recorders (DVRs), particularly of the Dahua brand.

This service is actively abused for DDoS amplification attacks, with an amplification factor of around 25. More details can be found in the original research and discovery by Phenomite.

If you are receiving this report, please take steps to filter/block traffic to this service from the Internet.

You can track latest DVR DHCPDiscover scan results on the Shadowserver Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report was enabled as part of the European Union INEA CEF VARIoT project.

Filename: scan_dvr_dhcpdiscover

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the DVR DHCPDiscover response came on (always UDP)
port

Port that the DVR DHCPDiscover response came from (often 37810 even though scan is aimed at 37777).
hostname

Reverse DNS name of the device in question
tag

Set to dvrdhcpdiscover
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
device_vendor

Device vendor identified, if any
device_type

Device type identified, if any
device_model

Device model identified, if any
device_version

Device version identified, if any
device_id

Device id identified, if any
device_serial

Device serial identified, if any
machine_name

Machine name
manufacturer

Manufacturer
method

Request method (client.notifyDevInfo)
http_port

HTTP port of device as reported by the device
internal_port

Port of device used for management (different to the one being scanned for) - as reported by the device
video_input_channels

Video input channel
alarm_input_channels

Alarm input channel
video_output_channels

Video output channel
alarm_output_channels

Alarm output channel
remote_video_input_channels

Remote video input channels
mac_address

MAC address of the device
ipv4_address

IPv4 address of the device (as reported by the device)
ipv4_gateway

IPv4 gateway of the device (as reported by the device)
ipv4_subnet_mask

IPv4 subnet mask of the network of the device (as reported by the device)
ipv4_dhcp_enable

Is IPv4 DHCP enabled
ipv6_address

IPv6 address of the device, if any (as reported by the device)
ipv6_link_local

IPv6 link local address (as reported by the device)
ipv6_gateway

IPv6 gateway of the device (as reported by the device)
ipv6_dhcp_enable

Is IPv6 DHCP enabled
response_size

Response size in bytes
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version","device_id","device_serial","machine_name","manufacturer","method","http_port","internal_port","video_input_channels","alarm_input_channels","video_output_channels","alarm_output_channels","remote_video_input_channels","mac_address","ipv4_address","ipv4_gateway","ipv4_subnet_mask","ipv4_dhcp_enable","ipv6_address","ipv6_link_local","ipv6_gateway","ipv6_dhcp_enable","response_size","amplification"
"2010-02-10 00:00:00",high,192.168.0.1,udp,37810,node01.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,,,General,HCVR,ENM-A04R2,4.001.0000000.16,,8C0C33EPAZ261D5,node01,General,client.notifyDevInfo,80,37777,4,0,0,0,0,e4:24:6c:46:e0:65,192.168.0.1,192.168.0.240,255.255.255.0,1,fd09:4ab5:dae9:b078::1,fe80::e624:6cff:fe46:e065/64,fd09:4ab5:dae9:b078::ff,0,780,780.00
"2010-02-10 00:00:01",high,192.168.0.2,udp,37810,node02.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",Bydemes,NVR,NVR,3.215.00AI000.0,,DEMES3K042D6PAZ00003,node02,Bydemes,client.notifyDevInfo,8000,37777,0,0,0,0,4,14:a7:8b:de:99:a4,192.168.0.2,192.168.0.240,255.255.255.0,0,fd09:4ab5:dae9:b078::2,fe80::16a7:8bff:fede:99a4/64,fd09:4ab5:dae9:b078::ff,,704,704.00
"2010-02-10 00:00:02",high,192.168.0.3,udp,37810,node03.example.com,dvrdhcpdiscover,64512,ZZ,Region,City,0,,,General,IPC,VSaaS-DHIC-4231EV,2.622.0000002.1.T,,CCTV9192848000106,node03,General,client.notifyDevInfo,80,37777,1,1,0,1,0,14:a7:8b:a8:b2:8b,192.168.0.3,192.168.0.240,255.255.255.0,1,fd09:4ab5:dae9:b078::3,fe80::16a7:8bff:fea8:b28b/64,fd09:4ab5:dae9:b078::ff,0,709,709.00

Our 132 Report Types

« Back to Network Reporting