
Port 1117 is officially registered with IANA for ARDUS Multicast Transfer (service name: ardus-mtrns), operating on both TCP and UDP.12 Despite this official registration, ARDUS remains one of the most obscure protocols in the Internet's port registry—a ghost that claimed port numbers but left almost no trace of what it actually did.

What ARDUS Was Supposed to Be

ARDUS (ARDUS Multicast Transfer) appears to have been designed as a multicast file transfer system—a way to efficiently send data to multiple recipients simultaneously rather than making separate connections to each one.3

The protocol was ambitious enough to claim not one but three official port numbers from IANA:

  • Port 1117 (TCP/UDP): ARDUS Multicast Transfer (ardus-mtrns)
  • Port 1834 (TCP/UDP): ARDUS Unicast (ardusuni)
  • Port 1835 (TCP/UDP): ARDUS Multicast (ardusmul)4

Having three registered ports suggests ARDUS was meant to be substantial infrastructure. Someone believed this protocol would matter. Someone filed the paperwork with IANA. Someone got approval.

And then—nothing.

The Mystery

Here's what's strange: there's no public documentation about who created ARDUS. No RFCs. No technical specifications. No company claiming credit. No open-source implementation. No commercial product.

The IANA registry contains the port assignments but not the history. Search the web and you'll find port databases dutifully listing ardus-mtrns on port 1117, but none of them know what it is. They're just copying from IANA's registry, repeating a name that's lost its meaning.5

This is unusual. Most registered protocols leave some trace—a draft RFC, a mailing list discussion, a defunct company website, something. ARDUS left port numbers and a description so brief it could fit in a tweet.

Why Multicast Transfer Mattered

To understand what ARDUS might have been trying to solve, you need to understand the problem of multicast file distribution.

Imagine you need to send the same 10GB file to 1,000 machines. You could:

  • Unicast (one-to-one): Make 1,000 separate connections. Send 10TB total. Brutal on bandwidth.
  • Multicast (one-to-many): Send the data once. Routers duplicate it to subscribers. Send 10GB total. Elegant and efficient.

Multicast protocols like UFTP (UDP-based FTP with multicast) solve this problem today. They're used for software distribution, live video streaming, and network-wide updates.6 Perhaps ARDUS was an early attempt at the same thing—someone trying to build multicast file transfer before the problem was well understood.

Or perhaps it was proprietary infrastructure for a specific network that never needed to be public. Some protocols are registered defensively—claim the port numbers, keep the implementation private.

We don't know. The protocol didn't leave enough evidence to say.

What Actually Uses Port 1117 Today

In practice: probably nothing.

Security researchers at SANS monitor attack activity across all port numbers. Port 1117 shows up in their databases, but with negligible traffic—mostly port scans that probe every port systematically rather than targeted attacks on ARDUS specifically.7

If you see port 1117 open on a system, it's far more likely to be:

  • A misconfigured service binding to the wrong port
  • Custom software that happens to use 1117
  • A port scanner probing for anything listening

Actual ARDUS Multicast Transfer? Vanishingly unlikely.

Checking What's Actually Listening

If you want to check what's using port 1117 on your system:

On Linux/Mac:

sudo lsof -i :1117
# or, on Linux (net-tools netstat); match the exact port so 11170 is not reported
sudo netstat -tulpn | grep ':1117 '

On Windows:

netstat -ano | findstr :1117

If something is listening, it's worth investigating. It's probably not ARDUS—but whatever it is, you should know about it.
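
An added example (not from the original page): a shell function that filters `ss -H -tulpn` output for exact matches on all three registered ARDUS ports, so a port such as 11170, which a plain substring match on 1117 would also catch, is excluded. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and sample
# lines are constructed for illustration.

# The three ARDUS ports listed in the IANA registry (TCP and UDP).
ARDUS_PORTS="1117 1834 1835"

# Reads `ss -H -tulpn` lines on stdin; prints "proto port address process"
# for every socket whose local port is exactly one of ARDUS_PORTS.
find_ardus_listeners() {
    awk -v ports="$ARDUS_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $5                  # Local Address:Port column
            port = addr
            sub(/.*:/, "", port)       # keep only the text after the last colon
            if (port in want) {
                printf "%s %s %s %s\n", $1, port, addr, ($7 == "" ? "-" : $7)
            }
        }'
}

# Constructed sample of `ss -H -tulpn` output (no real host data).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:1117       0.0.0.0:*    users:(("python3",pid=4242,fd=3))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5               [::]:1834          [::]:*    users:(("nc",pid=5150,fd=3))
tcp   LISTEN 0      128        127.0.0.1:11170      0.0.0.0:*
EOF
}

# Demo on the sample; on a live Linux host use: sudo ss -H -tulpn | find_ardus_listeners
sample_ss_output | find_ardus_listeners
```

A UDP socket shows as UNCONN rather than LISTEN, which is why the filter keys on the port and not on the state column.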

The Registered Port Range

Port 1117 falls in the registered ports range (1024–49151). This range is maintained by IANA for services that apply for official assignment. Unlike well-known ports (0–1023), which on Unix-like systems traditionally require root privileges to bind, registered ports can be used by regular applications.

Getting a port registered with IANA requires:

  1. Submitting an application describing the service
  2. Demonstrating that the port assignment is needed
  3. IANA approval

Someone went through this process for ARDUS. Three times. For ports 1117, 1834, and 1835.

And then the protocol vanished.

Why Obscure Ports Matter

ARDUS is a reminder that port numbers are archaeology. The registry preserves assignments long after the protocols die. These ghost registrations serve a purpose: they prevent port number conflicts. If someone builds a new service and randomly picks port 1117, they might collide with dormant ARDUS infrastructure somewhere.

The registry says: "This number is taken. Pick another one."

Even if nobody remembers why.
