Port 515 carries the Line Printer Daemon (LPD) protocol. Every network print job that flows through this port is completely unencrypted, unauthenticated, and visible to anyone watching the network. This is by design. It's been this way since 1983.
What LPD Does
LPD is a printing protocol that allows computers to send print jobs to network printers. The client side (LPR - Line Printer Remote) submits jobs. The server side (LPD - Line Printer Daemon) receives them, queues them, and sends them to the physical printer.
A print job consists of two parts: the data file (what you actually want printed) and the control file (instructions about how to print it). The LPD daemon listening on port 515 receives both, spools them to disk, and manages the queue.1
The protocol is simple. Too simple. There's no encryption. No authentication. No job prioritization. No detailed status reporting. Just: here's a file, please print it.
The Berkeley Story
Ralph Campbell created LPD at the Computer Systems Research Group at UC Berkeley in 1983 as part of 4.2BSD.2 The problem was straightforward: multiple people needed to use the same printer. Before LPD, you had to physically be at the printer or write custom software for every printer model.
LPD introduced the idea of a print daemon - a background process that would accept jobs from anywhere on the network, queue them, and feed them to the printer one at a time. The innovation wasn't the printing. It was the spooling and the network transparency.
By the late 1980s, every Unix system shipped with LPD. When RFC 1179 was published in 1990, it wasn't proposing a new standard - it was documenting what already existed.3
How It Works
RFC 1179 specifies that LPD servers listen on TCP port 515. Here's the genuinely strange part: the RFC explicitly requires that all client connections originate from source ports 721-731.4 This was meant to be a security feature - only root could bind to low-numbered ports on Unix systems, so a connection from ports 721-731 was assumed to come from root, and therefore from a trusted sender.
This is not security. This is security theater from 1983.
When you print something, the LPR client opens a connection to port 515, sends the control file first, then sends the data file. The daemon acknowledges each transmission with a single zero byte. That's the entire protocol.
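To make the exchange concrete, here is an added example (not code from this page or from any LPD implementation) that decodes the client-to-server bytes of one job using the RFC 1179 framing, so you can see what a packet capture of port 515 contains. The function name, the sample hostname, user and document are constructed assumptions, and the server's zero-byte acknowledgements are not part of the parsed stream.

```python
# Added example: decode the client-to-server bytes of an RFC 1179 "receive job" exchange.
FIELDS = {"H": "host", "P": "user", "J": "job_name", "N": "source_file"}  # control-file letters

def parse_lpd_stream(stream: bytes) -> dict:
    """Return the queue, control-file metadata and data files found in the stream."""
    first, sep, rest = stream.partition(b"\n")
    if not sep or first[:1] != b"\x02":
        raise ValueError("stream does not start with a receive-job command (0x02)")
    job = {"queue": first[1:].decode("ascii"), "control": {}, "data_files": {}}
    while rest:
        header, sep, rest = rest.partition(b"\n")
        if not sep or not header:
            raise ValueError("truncated subcommand line")
        count, _, name = header[1:].partition(b" ")
        size = int(count)  # declared length of the file that follows
        body, end, rest = rest[:size], rest[size:size + 1], rest[size + 1:]
        if len(body) != size or end != b"\x00":
            raise ValueError("file body shorter than declared or missing zero terminator")
        if header[0] == 2:    # subcommand 02: control file
            for entry in body.decode("ascii", "replace").splitlines():
                if entry[:1] in FIELDS:
                    job["control"][FIELDS[entry[:1]]] = entry[1:]
        elif header[0] == 3:  # subcommand 03: data file
            job["data_files"][name.decode("ascii")] = body
        else:
            raise ValueError(f"unexpected subcommand byte {header[0]:#04x}")
    return job

# Constructed sample: hostname, user and document contents are made up.
CONTROL = (b"Hws42.example\nPalice\nJQ3 payroll\n"
           b"ldfA001ws42.example\nUdfA001ws42.example\nNpayroll.txt\n")
DATA = b"Name,Salary\nA. Example,00000\n"
SAMPLE = (b"\x02lp\n"
          + b"\x02%d cfA001ws42.example\n" % len(CONTROL) + CONTROL + b"\x00"
          + b"\x03%d dfA001ws42.example\n" % len(DATA) + DATA + b"\x00")

if __name__ == "__main__":
    job = parse_lpd_stream(SAMPLE)
    print(job["queue"], job["control"])
    for name, body in job["data_files"].items():
        print(name, body.decode("ascii"))
```

The same decoder can be pointed at reassembled port 515 payloads from your own network captures to inventory which hosts still send documents in the clear.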
Security Reality
Port 515 is a pentester's playground.
No authentication. Anyone who can reach port 515 can submit print jobs, delete queued jobs, or query the print queue. The source port restriction (721-731) is trivially bypassed on any modern operating system.
No encryption. Every print job crosses the network in plaintext. If you're printing tax documents, medical records, or source code, anyone with access to the network can read them.5
Denial of service. Flood the queue with fake jobs. Send malformed jobs that crash the daemon. Submit enormous files that fill the disk. All of these work.
Buffer overflows. Older LPD implementations have had numerous buffer overflow vulnerabilities. CVE-2025-21224 is a recent remote code execution vulnerability in Windows LPD that allows attackers to execute arbitrary code.6
Format string attacks. When LPD logs errors, it often logs user-supplied data without sanitizing it first. This enables format string exploits that can lead to code execution.7
The protocol was designed in an era when "the network" meant "trusted colleagues in the same building." That era ended decades ago.
Why It Still Exists
Here's the honest strangeness: LPD should be extinct. Internet Printing Protocol (IPP) replaced it in the late 1990s. IPP has authentication. Encryption. Modern features. It's built on HTTP and designed for the Internet age.
Yet port 515 is still open on thousands of office printers right now. Not because it's good. Because it works. Because some ancient Unix server still sends jobs to it. Because the printer vendor enabled it by default and nobody bothered to turn it off.
LPD is a ghost protocol - officially dead, still haunting production networks.
Related Ports
- Port 631 (IPP): The modern replacement for LPD, built on HTTP with encryption and authentication
- Port 9100 (RAW/JetDirect): HP's direct printing protocol, even simpler than LPD but equally insecure
- Port 445 (SMB): Windows printer sharing, common in modern office environments