Port 873: rsync — The Difference Engine

Port 873 carries rsync traffic. Every time a Linux distribution updates its mirrors, every time a backup runs that takes seconds instead of hours, every time a gigabyte file syncs by transferring only kilobytes, that is port 873 doing the work it was designed to do: asking what you already have, then sending only what you need.

The Protocol

rsync is a file synchronization protocol that transfers only the differences between files, not the files themselves. When you run rsync to update a remote copy of a large file, the protocol does not blindly copy bytes. Instead, it engages in a conversation:

1. The receiver divides its existing file into fixed-size blocks
2. For each block, it computes two checksums: a fast "rolling" checksum and a strong cryptographic hash
3. It sends this list of checksums to the sender
4. The sender scans its version of the file, looking for blocks that match any checksum in the list
5. For matching blocks, it sends a reference: "you already have this"
6. For non-matching data, it sends the raw bytes

This is delta encoding at the protocol level. A 1 GB file with 5 MB of changes transfers 5 MB of data, not 1 GB.¹

The Rolling Checksum

The algorithm's elegance lives in its rolling checksum, based on Mark Adler's adler-32 (the same checksum used in zlib).² The mathematical property that makes it special: given the checksum for bytes at positions 1 through N, you can compute the checksum for positions 2 through N+1 in constant time. Add one byte, subtract one byte, done.

This means rsync can slide a window across an entire file, one byte at a time, checking every possible block alignment against the receiver's checksum list. If someone inserted a single line at the beginning of a million-line file, rsync finds all the original blocks at their new offsets and transfers only that one new line.³

The Story

In 1996, Andrew Tridgell was a PhD student at the Australian National University. He was working on file synchronization across slow network links, the kind of links where transferring a whole file felt like punishment.⁴

The existing tool was rcp, the Unix remote copy command. rcp did exactly what its name suggested: it copied files. All of them. Every byte. If you had a 100 MB file and changed one character, rcp would dutifully transfer all 100 MB again.⁵

Tridgell, working with Paul Mackerras, invented the rsync algorithm and announced the first release on June 19, 1996.⁶ The core insight was that the receiving machine already possessed information, old versions of the files. Instead of ignoring that information, use it. Have the receiver tell you what it knows, then send only what it does not.

His 1999 PhD thesis, "Efficient Algorithms for Sorting and Synchronization," formalized the work.⁷ The same mind that created rsync also created Samba, the software that lets Unix systems speak to Windows file shares. In 2006, the Free Software Foundation gave Tridgell its Award for the Advancement of Free Software. In 2020, Australia awarded him the Medal of the Order of Australia.⁸

How It Works in Practice

rsync operates in two modes. Over SSH, it tunnels through port 22, inheriting SSH's encryption and authentication. In daemon mode, it listens directly on port 873, speaking native rsync protocol.

Daemon mode exists for public mirrors. When the Fedora Project, openSUSE, or Gentoo need to replicate repositories across hundreds of mirror servers worldwide, they run rsync daemons. Anonymous access, no authentication required, just pull what you need.⁹

This is how open source software propagates across the Internet. A package maintainer pushes an update. The master mirror accepts it. Within hours, rsync daemons worldwide have synchronized, transferring only the changed packages, not the entire repository.

Security

rsync daemon mode, by default, allows anonymous access with no encryption. This is intentional for public mirrors but dangerous for private data.¹⁰

In January 2025, security researchers disclosed six vulnerabilities in rsync, including a critical heap buffer overflow (CVE-2024-12084, CVSS 9.8) that allows remote code execution.¹¹ Shodan scans found over 660,000 rsync servers exposed to the Internet. More than 500,000 were in China.¹²

The combination of two vulnerabilities is particularly severe: the heap overflow and an information leak (CVE-2024-12085) together allow an attacker with anonymous read access to execute arbitrary code on the server. For public mirrors offering anonymous access, this meant immediate risk until patching to version 3.4.0.¹³

Historical vulnerabilities include certificate validation bypasses (allowing man-in-the-middle attacks on rsync-ssl), argument sanitization failures, and off-by-one errors in directory handling.¹⁴

If you run an rsync daemon:

• Update to version 3.4.0 or later
• Block port 873 at your firewall unless you specifically need external access
• Consider running rsync over SSH instead of daemon mode for private data
• If you must run a public daemon, ensure it offers only read access to public data

The Specification

rsync has no traditional RFC defining its wire protocol. The algorithm itself was published in a 1996 technical report, "The rsync algorithm," by Tridgell and Mackerras.¹⁵

RFC 5781, published in 2010, defines only the rsync URI scheme (rsync://host/path).¹⁶ It standardizes how to express rsync locations but does not specify the protocol itself. The protocol remains defined by its implementation, maintained by Wayne Davison as of 2023.¹⁷

IANA assigned port 873 to rsync as a system port (0-1023), registered on a first-come, first-served basis.¹⁸

What Flows Through Port 873

Every major Linux distribution maintains rsync mirrors. Arch, Debian, Fedora, Gentoo, openSUSE, Ubuntu, and hundreds of others use rsync to propagate packages worldwide.¹⁹

Backup tools build on rsync's foundation. Timeshift uses it for system snapshots. LuckyBackup wraps it in a GUI. duplicity and rdiff-backup use librsync, a library implementing the same algorithm.²⁰

When a system administrator types rsync -avz /data/ backup@server:/backups/, they invoke decades of algorithmic refinement. The -z flag compresses the delta. The -a flag preserves permissions, timestamps, and ownership. The whole operation transfers only what changed since last time.

Related Ports