Port 3428: 2Wire CSS — A Ghost in the Registry

What Port 3428 Is

Port 3428 sits in the registered port range (1024–49151). These are ports that vendors and developers can formally claim through IANA for a specific service — unlike the well-known ports below 1024, which are tightly controlled and assigned to foundational Internet protocols.

IANA's registry lists port 3428 as assigned to 2Wire CSS — the Customer Service Solution built by 2Wire, Inc., a San Jose-based company that made DSL residential gateways from 1998 to 2010.¹

The Company Behind the Port

2Wire shipped more than 20 million DSL gateways to broadband providers including AT&T, BT Group, Telstra, and Telmex.² Their HomePortal devices were the white box sitting next to phone lines in millions of homes.

In 2002, 2Wire built something more interesting than hardware: a remote CPE management platform. That work produced the Open Gateway Management Protocol (OGMP), which 2Wire published and submitted to the DSL Forum. OGMP became the foundation for TR-069 — the WAN management protocol ratified in 2004 that ISPs still use today to remotely configure, update, and troubleshoot routers in customer homes.³

Port 3428 was registered for an earlier piece of that remote management story: the CSS protocol that predated TR-069. Once the industry standardized on TR-069 (which uses port 7547), the older proprietary approach was superseded.

In July 2010, Pace plc acquired 2Wire. Pace was later acquired by ARRIS. The port registration for 3428 outlasted the organization that created it.

What's Listening on This Port Today

Almost certainly nothing intentional. Port 3428 has no active software ecosystem. You won't find it in server configurations, firewall rule templates, or application documentation.

If you see traffic on port 3428, check what's actually running:

# macOS / Linux — show what process is using port 3428
sudo lsof -i :3428

# Linux alternative
sudo ss -tlnp | grep 3428

# Windows
netstat -ano | findstr :3428

Unexpected activity on an obscure registered port can indicate misconfigured software, a port scanner probing your network, or — rarely — malware using an uncommon port to avoid detection. The last one is worth investigating if you see persistent, patterned traffic.

Why Unassigned Ports Matter

The registered port range has 48,128 slots. Not all of them have active protocols. Some were registered by companies that dissolved. Some were assigned for internal tools that never saw wide deployment. Some are genuinely idle, waiting.

This matters for two reasons:

Firewall policy. "Block everything except what's needed" is the correct posture. Unassigned ports with no legitimate use should be closed by default. If something is opening port 3428 on your server, you should know why.

Port scanners love quiet ports. A service hiding on an obscure registered port is less likely to trip a naive firewall rule than one sitting on port 80 or 443. Knowing which ports have legitimate histories — and which don't — helps distinguish noise from signal.

Port 3428 has a legitimate history. It just ended in 2010.