Port 1918: can-nds — IBM Tivoli's quiet corner

What Port 1918 Is

Port 1918 sits in the registered port range (1024–49151). These ports are not claimed by the operating system the way well-known ports (0–1023) are, and they're not randomly assigned at connection time the way ephemeral ports are. They're in the middle: formally registered with IANA, reserved for a specific application or service.

Port 1918's registration: can-nds — the Candle Network Directory Service, later absorbed into IBM Tivoli Directory Service.

The "can" prefix stands for Candle Corporation, an IBM software company that built enterprise monitoring and directory tools. IBM acquired Candle in 2004 and folded its products into the Tivoli suite.¹ The company is gone. The port assignment stayed.

What Runs Here

IBM Tivoli Directory Service used port 1918 for NDS (Network Directory Service) communications. This is enterprise infrastructure — LDAP-adjacent directory services for large organizations managing user accounts, permissions, and identity across mainframes and distributed systems.

If you encounter port 1918 open on a machine today, it's almost certainly:

• Legacy IBM Tivoli infrastructure — older enterprise environments that haven't migrated
• Something unrelated — an application that chose this port for its own reasons, unaware of or indifferent to the registration

There are no known malware families specifically targeting or impersonating port 1918.²

Checking What's on This Port

If you see port 1918 active on a system you manage:

Linux/macOS:

sudo ss -tlnp | grep 1918
# or
sudo lsof -i :1918

Windows:

netstat -aon | findstr :1918

Then take the process ID from the output and look it up:

# Linux
ps aux | grep <PID>

# Windows
tasklist | findstr <PID>

Why Unassigned-ish Ports Matter

Port 1918 isn't truly unassigned — it has an IANA registration. But in practice, it might as well be. Candle Corporation no longer exists. IBM Tivoli Directory Service has evolved significantly. The port is registered, but the software that claimed it is largely a historical artifact.

This happens constantly in the registered port range. Organizations and products stake out port numbers, ship their software, and then get acquired, pivot, or shut down. The ports remain registered in perpetuity. IANA's registry is littered with them — tombstones for companies and protocols that no longer exist.

It's why firewall rules deserve review. A port "registered to IBM Tivoli" on your network might be IBM Tivoli, or it might be something that picked an obscure registered port precisely because no one would question it.