Port 247: SUBNTBCST_TFTP — The Broadcast That Doesn't Drown

What This Port Does

Port 247 is assigned to SUBNTBCST_TFTP (Subnet Broadcast TFTP), a specialized variant of the Trivial File Transfer Protocol designed for network booting.¹ When the TFTP server sends boot code to clients, it uses subnet-directed broadcast datagrams on port 247, allowing multiple systems to receive the same data simultaneously.²

The problem it solves: when dozens or hundreds of diskless workstations power on at the same time, each requesting boot code individually creates a broadcast storm that can overwhelm the network. SUBNTBCST_TFTP lets the server broadcast once to the entire subnet instead of unicasting to each machine separately.

How It Works

Traditional TFTP (port 69) is unicast—one sender, one receiver. When a diskless workstation boots, it requests its operating system image, and the server sends it directly to that machine. Multiply that by 200 machines booting at 6 AM and you have a problem.

Port 247 changes the model. Clients that request the subnet broadcast option listen on port 247 for broadcast datagrams. The server sends boot code to the subnet-directed broadcast address, and all requesting clients receive it simultaneously.² It's one transmission serving many receivers—multicast's simpler cousin, bound to a single subnet.

The History

Port 247 was assigned to address the specific pain point of large-scale network booting, particularly for environments with many diskless workstations—common in universities, corporate environments, and server farms in the 1980s and 1990s. The concept builds on RFC 906 (Bootstrap Loading using TFTP), published in June 1984, which established TFTP as the standard protocol for bootstrap loading.³

The original service name "SUBNTBCST_TFTP" used an underscore, which proved problematic—many service discovery mechanisms couldn't handle underscores in service names. IANA assigned the replacement name "subntbcst-tftp" with a hyphen, making it compatible with modern systems.⁴ Even the infrastructure of the Internet needs bug fixes.

The Genuine Strangeness

Port 247 represents a solution to a problem that was once urgent and is now mostly forgotten. Diskless workstations—machines that boot entirely from the network with no local storage—were common when hard drives were expensive. Today they're rare outside specialized environments (thin clients, network appliances, some embedded systems).

The protocol exists in that liminal space between obsolete and essential. Most networks will never use port 247. But in the environments that need it—booting hundreds of point-of-sale terminals, provisioning server clusters, managing network appliances—it remains the elegant solution to a brutal problem.

The naming bug is also telling. The original assignment used "SUBNTBCST_TFTP" with an underscore, which broke compatibility with service discovery tools. The fix was simple: use a hyphen instead. But you can't just change an IANA assignment—"subntbcst_tftp" remains in the registry as a historical alias pointing to the corrected "subntbcst-tftp."⁴ The Internet's nervous system carries its own revision history.

Related Protocols

Port 247 exists alongside TFTP's broader ecosystem:

• Port 69: Standard TFTP—unicast file transfer, the foundation
• RFC 2090: TFTP Multicast Option—a more sophisticated solution for large-scale deployments⁵
• RFC 906: Bootstrap loading using TFTP—the document that established TFTP for network booting³
• PXE (Preboot Execution Environment): Modern network booting uses DHCP and TFTP together, though typically not the broadcast variant on port 247

Security Considerations

Port 247 inherits TFTP's security weaknesses. TFTP has no authentication, no encryption, no integrity checking. Data broadcast on port 247 is visible to every machine on the subnet.

For boot code, this is often acceptable—the boot image is the same for every machine and doesn't contain secrets. But if port 247 traffic contains configuration files with credentials, those credentials are broadcast in plaintext to the entire subnet.

There have been historical reports of malware using port 247,⁶ though the port's primary association remains its legitimate subnet broadcast TFTP purpose. As with any well-known port, unexpected traffic warrants investigation.

Checking What's Listening

To see if anything is listening on port 247:

Linux/Mac:

sudo lsof -i :247
sudo netstat -tulpn | grep :247

Windows:

netstat -ano | findstr :247

Finding port 247 in use likely means you're running specialized network booting infrastructure or thin client management systems. If you're not, investigate.

Why This Matters

Port 247 represents the Internet's solution to a scaling problem: how do you boot hundreds of identical machines without drowning in your own network traffic? The answer is broadcast—send once, receive many.

It's infrastructure from an era when diskless workstations filled computer labs and corporate offices. That era has mostly passed. But the port remains, assigned, documented, ready for the environments that still need it.

The corrected service name is a reminder that even the most fundamental infrastructure carries its history, its mistakes, its corrections. "subntbcst-tftp" works because "SUBNTBCST_TFTP" didn't. The Internet's memory is long and nothing is ever truly deleted.