Port 3387: Back Room Net — The Port with a Ghost Tenant and a Squatter

What Port 3387 Is

Port 3387 sits in the registered port range (1024–49151). These ports are tracked by IANA, the body that assigns meaning to port numbers. Registered ports aren't locked down like the well-known ports below 1024, but they have official tenants — services that claimed the number and got it written into the registry.

Port 3387's official tenant is something called Back Room Net (backroomnet). What Back Room Net was, who built it, and why they needed a registered port are questions the Internet cannot answer. The registration exists. The service, apparently, does not.

The Actual Occupant: Windows RDP

While Back Room Net vanished, Windows moved in.

Microsoft's Remote Desktop Services uses port 3387 as part of its cluster of RDP-adjacent ports, alongside the well-known port 3389 and its sibling 3392. Specifically, port 3387 appears as a URL namespace reservation for RDP WebSocket connections — the mechanism that allows Remote Desktop to tunnel over HTTP.¹

On Windows systems with Remote Desktop Session Host enabled, you may see the event:

http://+:3387/rdp was successfully added

This is not a threat or an error. Windows is quietly reserving the port for potential RDP traffic.² Most administrators never configured this consciously. Windows did it automatically during Remote Desktop feature setup.

The Security Reality

Any port associated with RDP is a target. Attackers know that Windows machines cluster Remote Desktop activity around 3389, 3387, and 3392 — and they scan for all three.³ If your server is reachable from the Internet and Remote Desktop Services is running, port 3387 is part of your attack surface whether or not you knew it was open.

If you don't need Remote Desktop access from the Internet:

• Block 3387 at the firewall
• Disable Remote Desktop Session Host in Server Manager if it's not needed
• If you need RDP, restrict it to a VPN or specific IP ranges

How to Check What's Listening

On Windows:

netstat -ano | findstr :3387

The process ID in the last column maps to a running service. Cross-reference it:

tasklist | findstr <PID>

On Linux/macOS:

ss -tlnp | grep 3387
# or
lsof -i :3387

If nothing is listening, the port is closed. If svchost.exe shows up on Windows, that's Remote Desktop Services — expected if you have RDP features enabled.

Why Unassigned (and Abandoned) Ports Matter

The registered port range has thousands of entries. Many, like Back Room Net, are ghosts — registered by companies or individuals who never shipped a product, or shipped one that died. The registration persists in the IANA database indefinitely.

This creates a low-grade chaos: software (like Windows) starts using ports informally, without IANA registration for the new use. The official record says one thing. The real world does another. Administrators trying to understand their firewall logs get confused.

Port 3387 is a small example of how the port numbering system works in practice: official registrations decay, real software fills the gap, and the gap between the map and the territory quietly grows.