Port 2123: GTP-C — The Control Plane of Mobile Networks

Port 2123 sits in the registered port range (1024–49151) — ports that applications and services can register with IANA for recognized uses. IANA lists 2123 as unassigned. In practice, the mobile networking world claimed it decades ago and never looked back.

What Actually Runs Here

GTP-C — the GPRS Tunnelling Protocol, Control Plane — runs on UDP port 2123. GTP is the protocol backbone of every mobile data network: 2G GPRS, 3G UMTS, 4G LTE, and 5G NR all depend on it.¹

GTP-C handles the signaling layer: negotiating sessions, managing handoffs, adjusting quality of service. When your phone connects to mobile data, a GTP-C message activates a PDP context (3G) or PDN connection (4G). When you move between cell towers without dropping your session, GTP-C coordinates that handoff between the old and new core network nodes.

The companion port, 2152, carries GTP-U — the user plane, meaning your actual data. Port 2123 is the negotiation; 2152 is the payload.²

Who Talks to Port 2123

Inside a mobile carrier's core network, port 2123 carries traffic between:

• SGSNs (Serving GPRS Support Nodes) — handle the radio access side
• GGSNs (Gateway GPRS Support Nodes) — connect the mobile network to the Internet
• MMEs and SGWs in 4G/5G architecture — modern equivalents of the above

These are not consumer-facing nodes. You will never connect to port 2123 from your laptop. But every mobile device that has ever used data has benefited from what happens there.

The Security Problem

GTP was designed in the 1990s for a world where mobile operators trusted each other completely. Networks were closed. The protocol has no built-in authentication between GSN nodes — it trusts any message that arrives claiming to be from a legitimate node.³

That assumption has aged poorly.

When GTP-C endpoints are reachable from the public Internet — which happens more than it should — attackers can inject or replay GTP-C messages to:

• Impersonate a legitimate mobile subscriber
• Steal an existing data session
• Use another subscriber's data allocation
• Redirect traffic for interception

Shadowserver tracks exposed GTP endpoints as an active threat category.⁴ Carriers that expose port 2123 externally are operating on misplaced trust from a different era.

What Range This Port Belongs To

Registered ports (1024–49151) require an application to register with IANA to receive an assignment. The registration establishes a recognized association between a port number and a specific service. Port 2123 is technically unregistered — no formal RFC pointed at it the way RFC 2460 points HTTPS at 443 — but GTP's use of it is documented extensively in 3GPP standards, which govern all mobile network specifications globally.⁵

In practice, "IANA unassigned" and "universally used for GTP-C" coexist without conflict. The mobile industry standardized on 2123 and 2152 through 3GPP processes rather than through IANA, and those two governance bodies operate in parallel.

How to Check What's Listening

# Linux/macOS — check if something is listening on UDP 2123
ss -ulnp | grep 2123

# Or with lsof
lsof -i UDP:2123

# Nmap scan of a remote host (use only on systems you own)
nmap -sU -p 2123 <target>

On a normal workstation or server, nothing should be listening on port 2123. If something is, investigate. On mobile core network equipment, GTP processes are expected.