1. Ports
  2. Port 2602

Port 2602: ripd VTY — The Routing Daemon's Back Door

Port 2602 lives in the registered port range (1024–49151), where IANA keeps a reservation for a service called discp-server. The assignee is listed as Peter White. The acronym "discp" is never expanded anywhere in the registry. No RFC. No documentation. No record of anything ever actually using it. The registration is a ghost.

What actually uses port 2602 is something entirely different.

The Quagga Connection

Quagga is an open-source routing software suite for Linux, descended from the Zebra project. It implements routing protocols — RIP, OSPF, BGP — as separate daemons that run alongside a core zebra process. Each daemon gets its own management interface: a VTY, or virtual terminal, accessible over TCP.

ripd, the Routing Information Protocol daemon, listens on port 2602 for VTY connections.1 You connect with telnet, authenticate (or not, depending on configuration), and get a Cisco-IOS-style CLI for managing RIP routes.

telnet localhost 2602

This is a management interface — not the protocol itself. RIP routes travel over UDP port 520. Port 2602 is the door you use to look inside and configure the daemon.

Why It Shows Up on Your Router

Quagga ships inside a surprising number of network devices: ASUS routers running custom firmware, Zyxel appliances, various Linux-based network gear. When the ripd daemon is enabled, port 2602 opens. Often silently. Often facing the wrong direction.

In 2008, a vulnerability in Zyxel's ZyWALL appliances exploited default credentials on the Quagga VTY interfaces to achieve remote code execution.2 The root cause was port 2602 (and its neighbors 2601, 2604) exposed without adequate authentication.

The Neighborhood

Quagga assigns each daemon a sequential port:

PortDaemonProtocol
2601zebraCore routing abstraction
2602ripdRIP (Routing Information Protocol)
2603ripngdRIPng (RIP for IPv6)
2604ospfdOSPF
2605bgpdBGP
2606ospf6dOSPFv3

If you see port 2602 open, check the neighbors.

Check What's Listening

# Linux
ss -tlnp | grep 2602
lsof -i :2602

# macOS
lsof -i :2602

# Network scan (scan your own devices only)
nmap -p 2602 192.168.1.1

If ripd is running and you have access, the VTY itself will tell you:

telnet 192.168.1.1 2602
# Ripd VTY interface — show ip rip, show version, etc.

Should This Port Be Open?

On a server or workstation: almost certainly not. Close it.

On a router running Quagga: it should be firewalled from external access. VTY interfaces are for local management, not the WAN. If you see port 2602 reachable from the Internet on a consumer router, that router's configuration is wrong.

Why Unassigned-but-Used Ports Matter

Port 2602 illustrates a common pattern: IANA registers a name that disappears, while an informal community convention quietly takes the number and makes it real. The Quagga port assignments were never formally registered — they live in /etc/services on Linux systems because the Quagga project put them there, and distributions kept them.

The formal registry and operational reality don't always match. When you're diagnosing a firewall rule or investigating unexpected traffic, knowing both is useful.

Précédent

Port 2601: Zebra VTY — the router's back door

Suivant

Port 2603: Service Meter (IANA) / RIPng Daemon VTY (Quagga)

Cette page vous a-t-elle été utile ?

😔
🤨
😃