Port 31: MSG Authentication — A Door That Became a Backdoor

Port 31 carries an official IANA assignment: MSG Authentication, designated msg-auth for both TCP and UDP.¹ It was part of a 1970s interprocess communication protocol designed for one of the most ambitious projects on the early ARPANET. Today, no legitimate software uses it. But port 31 has a second life, and it is not a noble one.

What MSG Authentication Was

MSG was the Interprocess Communication Facility for the National Software Works (NSW), a DARPA-funded project that aimed to build a distributed software development environment across the ARPANET.² The idea was radical for its time: let processes running on different computers across the network talk to each other as if they were on the same machine.

The protocol was designed by Robert H. Thomas at Bolt Beranek and Newman (BBN), the same lab that built the first ARPANET routers and employed many of the Internet's founding engineers.³ Thomas is also known for creating the Creeper program in 1971, widely considered the first computer worm.

MSG used three well-known ports:

• Port 27 (nsw-fe): NSW User System Front End
• Port 29 (msg-icp): MSG Initial Connection Protocol
• Port 31 (msg-auth): MSG Authentication

Port 29 handled the handshake. Port 31 handled proving you were who you claimed to be. In a network where authentication was still a novel concept, having a dedicated port just for identity verification was forward-thinking.

The protocol was documented in December 1976 and appeared in RFC 776 (January 1981) as "MSG-3 Authentication."⁴ By RFC 1010 (May 1987), it was listed as "MSG-AUTH."⁵

The NSW project did not survive. The protocol faded. The port assignment remained, a fossil in the IANA registry.

The Backdoor Era

In the late 1990s, port 31 found a new audience: malware authors.

Several remote access trojans (RATs) used port 31 as their default communication channel:⁶

• Agent 31: A straightforward backdoor trojan
• Hackers Paradise: Used ports 31 and 456 to give attackers remote control of compromised Windows machines
• Masters Paradise: Another RAT from the same era
• Agent 40421: Used ports 30 and 31

There is a bitter irony here. A port originally assigned for authentication, for proving identity, for establishing trust between processes, became one of the go-to channels for unauthorized access. The door built for verification became a door for intrusion.

These trojans are relics of an era when most home computers had no firewalls, no NAT, and sat directly on the Internet with every port exposed. An attacker who planted a trojan could connect back to port 31 and find it waiting, listening, open.

Security Considerations

Port 31 should be blocked at the firewall. There is no modern legitimate service that uses it. If you see traffic on port 31, investigate immediately.

To check what is listening on port 31:

# macOS / Linux
sudo lsof -i :31
sudo netstat -tlnp | grep ':31 '

# Windows
netstat -an | findstr ":31 "

Any process listening on port 31 that you did not intentionally configure deserves scrutiny.

The Unassigned Question

Port 31 is technically assigned, not unassigned. But its assigned service has been dead for decades. It occupies an unusual space: a well-known port (in the 0 to 1023 range, which requires root privileges to bind on Unix systems) with no living protocol behind it.

Well-known ports are a finite resource. There are only 1,024 of them. When one is assigned to a protocol that no longer exists, it creates a small vacancy in the system, a reserved seat in a theater where the ticket holder left long ago. The seat stays reserved because changing it could theoretically break something, somewhere, that still expects MSG Authentication on port 31. But nothing does.

These ghost assignments matter because they reveal the Internet's relationship with its own history. The IANA registry does not forget. It does not reclaim. It preserves, even when what it preserves is silence.