Port 3702: WS-Discovery — How Devices Find Each Other

What Port 3702 Does

When your Windows computer joins a network, it doesn't wait to be introduced. It immediately starts talking — sending multicast UDP packets to 239.255.255.250 on port 3702, asking: "Is anyone out there? What services do you offer?"

This is WS-Discovery: Web Services Dynamic Discovery. It's the protocol that makes printers appear in your network panel without configuration, that lets IP cameras announce themselves to video management software, that allows Windows machines to find each other and share resources automatically. It's the nervous system of local network self-organization.

Port 3702 is officially registered with IANA for this purpose, assigned to Christian Huitema at Microsoft in February 2003.¹

How WS-Discovery Works

The protocol operates over UDP (primarily) and TCP, using SOAP-encoded XML messages. There are two core message types:

Probe — "Is anyone offering this type of service?" Sent as a multicast to all devices on the subnet.

Resolve — "I know a specific device exists. Where is it?" Sent when you have a device identifier but need its current address.

Devices that match respond directly to the requester. The whole exchange happens in milliseconds, invisibly, every time you connect to a network.

WS-Discovery was standardized by OASIS as version 1.1.² Microsoft built it into Windows Vista and made it the foundation of the Function Discovery framework — the mechanism behind the "Network" folder in Windows Explorer.³

Who Uses It

• Windows (Vista and later): Used by WSDMON for automatic printer discovery. Any WSD-enabled printer on the subnet appears automatically.
• ONVIF cameras: The standard for IP camera interoperability uses WS-Discovery for cameras to announce themselves to video management systems.⁴
• Network-attached devices: Printers, scanners, storage devices, and IoT hardware that want to be discoverable without manual configuration.

If you're on a Windows machine right now, Wireshark on any active network interface will almost certainly show WS-Discovery traffic on port 3702 within seconds of connecting.

The Security Problem

WS-Discovery was designed for closed, trusted local networks. It assumes the devices shouting into the multicast void will only be heard by nearby neighbors. That assumption breaks catastrophically when devices are exposed to the Internet.

Because UDP allows source IP spoofing, attackers can send small probe packets to port 3702 on any Internet-exposed WS-Discovery device, forging the source address as their target. The device responds — with a much larger SOAP/XML response — to the victim instead. Researchers measured amplification factors of 75 to 150 times the original request size, achieving up to 15,300% amplification.⁵

In 2019, this was actively exploited in the wild. Akamai documented WS-Discovery DDoS attacks reaching 35 Gbps at peak bandwidth, targeting the gaming industry.⁶

WS-Discovery devices have no business being reachable on the public Internet. If yours are:

• Block UDP port 3702 at your network perimeter
• Disable WS-Discovery on any Internet-facing device
• Patch devices where vendors have pushed WSD hardening

What's Listening on This Port on Your Machine

Linux/macOS:

sudo ss -ulnp | grep 3702
sudo lsof -i UDP:3702

Windows:

netstat -an | findstr 3702
Get-NetUDPEndpoint -LocalPort 3702

On Windows, you'll likely see the service is owned by fdphost (Function Discovery Provider Host). That's normal — it's just your machine doing its job.