Port 133: Statsrv — The Statistician That Never Arrived

Port 133 is assigned to statsrv, the Statistics Service. Both TCP and UDP. It was registered by Dave Mills, the same person who created the Network Time Protocol on port 123. The service was never formally specified in its own RFC. No protocol document exists. No implementation became standard. Port 133 is a claimed seat in the Internet's numbering system, reserved by one of the most important network engineers who ever lived, for a service that never materialized into a specification.

What Statsrv Was Supposed to Be

The assignment appears in RFC 1060¹ (March 1990) and RFC 1340² (July 1992), both "Assigned Numbers" documents that cataloged the growing Internet's port allocations. The entry is terse:

statsrv    133/tcp    Statistics Service
statsrv    133/udp    Statistics Service

The contact listed is [DLM1], Dave Mills at the University of Delaware.

To understand what this service was likely intended to do, you need to understand who Dave Mills was and what he was building at the time. In the late 1970s and 1980s, Mills was running Fuzzball routers, DEC LSI-11 minicomputers reprogrammed to serve as packet switches for the early Internet.³ Six Fuzzballs formed the backbone of the first NSFNET in 1986.⁴

The Fuzzballs were not just routers. They were measurement platforms. Mills used them as traffic generators, statistics collectors, and data reducers. They measured path delays across the ARPANET, collected performance metrics, and helped Mills understand how the network actually behaved under load.⁵ The Statistics Service on port 133 almost certainly grew out of this work: a way to query a machine for its network statistics, its view of the topology, its measurements of the world around it.

But unlike NTP on port 123, which Mills shepherded through four major versions and 28 RFCs, the Statistics Service never got its own protocol specification. It remained an entry in the registry and, presumably, something that ran on Mills' own Fuzzballs and nowhere else.

The Man Behind the Port

David Lennox Mills (1938-2024) was one of the foundational engineers of the Internet.⁶ Born in Oakland, California, he had glaucoma from birth. A surgeon saved some vision in his left eye when he was a child. He attended a school for the visually impaired.

He went on to:

• Create the Network Time Protocol (NTP), which synchronizes clocks on billions of devices worldwide
• Invent the Fuzzball router, the first modern software router, which outperformed BBN's original IMP routers by over 10x
• Chair the Gateway Algorithms and Data Structures Task Force (GADS), the precursor to the IETF
• Write 28 RFCs and two Internet Standards
• Coin the backronym for ping: "Packet InterNet Groper"

Mills was inducted as a Fellow of the ACM (1999) and IEEE (2002), elected to the National Academy of Engineering (2008), and received the IEEE Internet Award (2013). He was actively working on the next generation of NTP at the time of his death in January 2024, at age 85.⁷

Port 133 is a footnote in the career of someone whose other work keeps the Internet synchronized to within milliseconds of Coordinated Universal Time. It tells you something about the scale of Mills' ambition: he wasn't just building time synchronization. He was building a complete measurement infrastructure for a network that barely existed yet.

Security

Port 133 has no legitimate modern service running on it. If you see traffic on port 133, be suspicious.

The port is associated with Backdoor.Win32.Farnaz, a Windows Remote Access Trojan (RAT) that operates as a hidden Telnet server.⁸ It listens on TCP port 133 and gives an attacker full access to disk files and system resources on the compromised machine. The choice of port 133 is deliberate: attackers prefer ports with assigned-but-unused services because they're less likely to trigger monitoring rules that watch high-profile ports like 22, 80, or 443.

If port 133 is open on your system and you're not running statsrv (you're not), something is wrong.

How to Check What's Listening on Port 133

Linux/macOS:

sudo lsof -i :133
sudo netstat -tlnp | grep :133
ss -tlnp | grep :133

Windows:

netstat -aon | findstr :133

If any process is listening on this port, investigate immediately. Identify the process ID and verify it against known software on your system.

The Well-Known Port Range

Port 133 sits in the well-known port range (0-1023), also called system ports.⁹ On Unix-like systems, binding to a port in this range requires superuser privileges. These ports are assigned through IETF Review or IESG Approval processes, making each assignment an act of the Internet's governance system.

The well-known range was designed for protocols that everyone would need to find at a predictable address. HTTP lives at 80. HTTPS at 443. DNS at 53. NTP at 123. These are the Internet's fixed addresses, the doors that every client knows to knock on.

Port 133 was given one of these precious low-numbered addresses. That it went unused speaks to how uncertain the early Internet was. Not every idea became a standard. Not every reserved port found its purpose.

Neighbors

Port 133 sits in interesting company: