Port 3512: Aztec Distribution — A Registered Ghost

What Port 3512 Is

Port 3512 sits in the registered port range (1024–49151). These ports are tracked by the Internet Assigned Numbers Authority (IANA), which maintains a registry mapping port numbers to specific services. ¹

The IANA registry lists port 3512 as assigned to "Aztec Distribution Port", registered in May 2002, on both TCP and UDP. ²

And that is almost everything that can be said about the original intent of this port.

The Ghost Registration

The "Aztec Distribution Port" entry is what you might call a ghost registration: a name in a registry with no living documentation behind it. No RFC was ever published. No software is known to have shipped using it. No user forums, no bug reports, no Stack Overflow questions — nothing that would indicate the service ever existed in the wild.

This happens. In the early 2000s, companies and developers registered ports with IANA for products that were in development, then abandoned them, dissolved the company, or quietly pivoted. The IANA registry doesn't expire registrations, so the ghost persists.

Whoever registered "Aztec Distribution Port" in 2002 either never shipped the product or shipped it so quietly that it left no trace on the Internet.

What Actually Uses Port 3512 Today

The one documented real-world use of port 3512 is Citrix App Layering, which uses it for Hyper-V disk downloads over HTTPS — specifically, transfers between the App Layering appliance and Hyper-V hypervisors during disk provisioning operations. ³

This is a common pattern for orphaned registered ports: the original registrant vanishes, the port sits unclaimed in practice, and some later software quietly adopts it because the range is technically "registered" and less chaotic than using a completely random dynamic port.

If you see traffic on port 3512 in your environment and you run Citrix App Layering with Hyper-V, that's almost certainly what you're looking at.

How to Check What Is Listening on Port 3512

If you see unexpected traffic on this port and aren't running Citrix, check what process has claimed it:

On Linux or macOS:

sudo ss -tlnp | grep 3512
# or
sudo lsof -i :3512

On Windows:

netstat -ano | findstr :3512
# Then look up the PID:
tasklist | findstr <PID>

If something is listening there that you didn't put there, it warrants investigation. Unrecognized services binding to ports — even registered ones — can indicate unauthorized software.

Why Ghost Registrations Matter

The IANA registry exists so that well-known services claim ports reliably and operators know what to expect. When a registration decays — the service dies, no software uses it — the port enters an ambiguous state: technically claimed, practically open.

This creates a small coordination problem. Software authors looking for a free port to register might skip 3512 because it's "taken." Operators writing firewall rules might block it out of caution. The ghost occupies space without doing work.

Port 3512 is a minor example of something the registered port range has many of: names attached to intentions that didn't survive contact with the market. The port outlasted the service it was supposed to carry.