MEDIUM: Open TFTP Report

DESCRIPTION LAST UPDATED: 2024-01-01

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the TFTP service running and accessible on the Internet.

Our probe tests whether the TFTP service is accessible: the server will either return the file that we are asking for or return an error code. Note that we are not testing to see if file upload is enabled.

Also note that, unlike other UDP services that we test for, the response from TFTP is often received on a port that is different from the one that was queried! Probes sent to a host on port 69/UDP may generate responses that source from ephemeral high ports.

You can track TFTP scan results on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_tftp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the TFTP response came on (always UDP)
  • port
    Port that the TFTP response came from (usually 69/UDP, but the response may come on any port >1024/UDP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be TFTP
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • opcode
    This will be either a "3" or a "5" — a "3" means that the file requested exists (in this case "a.pdf") and a "5" means that the TFTP server returned an error code
  • errorcode
    This is the error code that is returned along with the opcode per RFC1350/RFC2347
  • error
    Human readable version of the error code — in the case of an opcode 3 response, this is "No Error"
  • errormessage
    The actual error message that the TFTP server returned in addition to the errorcode — in the case of an opcode 3 response, this is "File Exists"
  • response_size
    Payload response size in bytes — it is really only relevant in opcode 3 responses; if the file is actually there, the response will be >4 bytes
  • amplification
    Amplification factor (this amplification is based solely on the payload size sent and payload size received)
  • sector
    Sector the IP belongs to
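
An added example (not part of the original report description or the report provider's tooling) showing how a recipient might triage scan_tftp rows using the fields above: it separates hosts that actually returned the file (opcode 3, more than 4 bytes) from those that only returned an error, flags replies that came from a port other than 69/UDP, and orders the result by amplification. The function names `triage` and `summarize` are hypothetical, and the third input row is constructed.

```python
import csv
import io

# First two data rows are from the page's sample; the third is constructed to
# show an opcode 3 response, which the page's sample does not include.
SAMPLE = '''\
"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","opcode","errorcode","error","errormessage","response_size","amplification","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,34634,node01.example.com,tftp,64512,ZZ,Region,City,0,ptr,5,0,"Not defined","No such file or directory",30,2.14,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,69,node02.example.com,tftp,64512,ZZ,Region,City,0,ptr,5,1,"File not found","No such file",17,1.21,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:03",medium,192.168.0.4,udp,40112,node04.example.com,tftp,64512,ZZ,Region,City,0,ptr,3,0,"No Error","File Exists",516,36.86,
'''


def triage(report_text):
    """Parse scan_tftp CSV text (hypothetical helper) into findings, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        port = int(row["port"])
        size = int(row["response_size"])
        findings.append({
            "ip": row["ip"],
            "port": port,
            # opcode 3: the requested file was returned; >4 bytes means real content.
            "served_file": row["opcode"] == "3" and size > 4,
            # Reply left from a port other than 69/UDP, so flow-log searches
            # keyed on source port 69 will not show this response.
            "ephemeral_reply": port != 69,
            "amplification": float(row["amplification"]),
            "errormessage": row["errormessage"],
        })
    # Hosts that served the file first, then by descending amplification factor.
    findings.sort(key=lambda f: (not f["served_file"], -f["amplification"]))
    return findings


def summarize(findings):
    """Counts for a ticket or dashboard (hypothetical helper)."""
    return {
        "hosts": len(findings),
        "served_file": sum(f["served_file"] for f in findings),
        "ephemeral_reply": sum(f["ephemeral_reply"] for f in findings),
        "max_amplification": max((f["amplification"] for f in findings), default=0.0),
    }


if __name__ == "__main__":
    results = triage(SAMPLE)
    for finding in results:
        print(finding)
    print(summarize(results))
```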

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","opcode","errorcode","error","errormessage","response_size","amplification","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,34634,node01.example.com,tftp,64512,ZZ,Region,City,0,ptr,5,0,"Not defined","No such file or directory",30,2.14,
"2010-02-10 00:00:01",medium,192.168.0.2,udp,69,node02.example.com,tftp,64512,ZZ,Region,City,0,ptr,5,1,"File not found","No such file",17,1.21,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",medium,192.168.0.3,udp,36224,node03.example.com,tftp,64512,ZZ,Region,City,0,ptr,5,0,"Not defined","Get not supported",22,1.57,
