Port 3283: Net Assistant — Apple Remote Desktop's Quiet Back Channel

What This Port Does

Port 3283 belongs to the registered port range (1024–49151) — ports that organizations and vendors can formally claim with IANA for specific services.

This one was claimed by Apple under the name net-assistant, referring to an old network management product that no longer exists. The name stuck in the registry. The port stayed. And Apple eventually repurposed it for something much larger: Apple Remote Desktop.

Apple Remote Desktop

Apple Remote Desktop (ARD) is macOS's built-in system for remote administration of Macs. IT administrators use it to push software, run scripts, observe screens, and gather system reports across a fleet of machines.

Port 3283 handles two distinct jobs depending on the protocol:

• UDP 3283 — Everything live: service discovery, task dispatch, status control between the ARD Administrator app and the client agent (ARDAgent)
• TCP 3283 — File operations and reporting: transferring files, pushing packages, receiving compliance data back to the admin console

The UDP side runs through a component called ARMS — Apple Remote Management Service. ARMS sits and listens, waiting for commands from the ARD Administrator.

By default, this is all disabled. Remote Management has to be explicitly turned on by an administrator under System Preferences > Sharing. The moment it's enabled, UDP 3283 opens to the network.

The Security Problem

Here's where it gets uncomfortable.

When ARMS is listening on UDP 3283, it will respond to any probe — including spoofed ones. Attackers discovered they could send a 32-byte packet to UDP 3283 and receive a 1,034-byte response back. That's a 35.5:1 amplification ratio.

The attack works like this: an attacker spoofs the victim's IP address and sends small packets to every Mac they can find with UDP 3283 open. Each Mac dutifully responds — not to the attacker, but to the victim. Thousands of Macs, each multiplying the traffic by 35x, flood a target they've never heard of.

The FBI issued a warning about this in 2019.¹ NETSCOUT documented it in detail.² UCLA's security team had to publish remediation guidance for their own campus Macs.³

The macOS firewall, notably, did not block this by default even when enabled. Remote Management punched through it.

Checking What's on This Port

To see if anything is listening on 3283 on your Mac:

# Check both TCP and UDP
sudo lsof -i :3283

# Or with netstat
sudo netstat -an | grep 3283

If you see ARDAgent or AppleVNCServer in the output, Remote Management is active.

To disable it: System Settings > General > Sharing > Remote Management (toggle off).

To confirm it's closed from outside your machine:

# From another machine, probe UDP 3283
nc -uvz [target-ip] 3283

Why It Matters

Port 3283 is a small illustration of a common problem: infrastructure outlives its original context.

"Net Assistant" is gone. The port number stayed, got renamed internally, and quietly became the nerve center for managing millions of Macs. Most people who have it open don't know it's open. Most admins who enabled Remote Management years ago never revisited whether it should still be exposed.

Unassigned-looking ports, legacy-named ports, ports nobody thinks about — these are the ones that end up in security advisories.