Port 3407: LDAP Admin — A Name Without a Home

What Port 3407 Is

Port 3407 sits in the registered port range (1024-49151), which means it has a name in the IANA registry. That name is ldap-admin, described as "LDAP admin server port," registered in February 2002 by an engineer at Calient Technologies.¹

That's nearly everything that's definitively known about it.

LDAP (Lightweight Directory Access Protocol) is the protocol that lets networks look up users, computers, and other resources in a directory. It runs on port 389. Its encrypted version runs on port 636. Port 3407 was apparently intended for administrative access to LDAP servers specifically, separate from the main service traffic. But unlike the primary LDAP ports, port 3407 never became standard practice. No major LDAP implementation documents it. No RFC references it. It's a registered port that, in practice, behaves like an unassigned one.

The Registered Port Range

The registered range (1024-49151) is where applications claim territory. Anyone can apply to IANA to have a port registered for their service. Registration doesn't require open-source code, doesn't require the service to be widely deployed, and doesn't prevent other software from using the same port informally.

The result: thousands of registered ports carry names that no longer correspond to anything actively maintained. Port 3407 appears to be one of them.

What Might Actually Be Listening Here

Because port 3407 has no active official service, anything found listening on it is either:

• Custom application traffic - Internal tools, proprietary software, or development servers that chose this port arbitrarily
• Dynamic port assignment - Operating systems assign ephemeral ports for outbound connections, and 3407 can appear in that process
• Malware - Uncommon ports are sometimes used precisely because they're unmonitored

If you see unexpected traffic on port 3407, it's worth investigating.

How to Check What's Listening

On Linux or macOS:

# Show what process is using port 3407
sudo lsof -i :3407

# Or with ss (Linux)
sudo ss -tlnp | grep 3407

On Windows:

# Show active connections and listening ports
netstat -ano | findstr :3407

# Then look up the PID
tasklist | findstr <PID>

With nmap (from another machine):

nmap -sV -p 3407 <target-ip>

The -sV flag asks nmap to probe what's actually running, not just whether the port is open.

Why Unassigned and Obscure Ports Matter

The port number system works because of shared conventions. Port 443 means HTTPS everywhere, because everyone agreed. Port 3407 means almost nothing, which makes it useful for one thing: if your firewall shows unexpected traffic on obscure registered ports, that's signal worth following. Active malware and misconfigured services often hide in the noise of ports that monitoring tools pass over because they have a harmless-sounding name.

An LDAP admin port that no LDAP server actually uses is exactly the kind of cover a process might exploit.