
What Range This Port Belongs To

Port 3129 sits in the registered ports range (1024–49151). Ports in this range are assigned by IANA on registration but don't carry the same universal recognition as well-known ports below 1024. Most operating systems let unprivileged processes bind to them, and any application can do so, whether or not it is the registered service.

IANA's official entry for 3129 is NetPort Discovery Port (TCP and UDP).1 In practice, this service is essentially invisible. No major software ships with it. No RFC defines its behavior. The name exists in the registry, but the registry entry is a tombstone, not a door.

Observed Unofficial Uses

Squid Proxy — SSL Interception

The most common reason to see port 3129 open on a real network is Squid, the widely-used open-source web proxy. Squid's conventional configuration uses port 3128 for HTTP traffic. Port 3129 is where Squid listens for SSL/HTTPS interception — specifically for transparent proxy setups where the goal is to inspect (not just pass) encrypted traffic.2

This is only relevant when SSL inspection is enabled. If you're running Squid without SSL bump, port 3129 stays quiet. Schools, enterprises, and ISPs using deep packet inspection of HTTPS traffic are the typical operators.

Historical Malware

Port 3129 has malware history worth knowing:

  • Master's Paradise (1998) — A remote access trojan that opened backdoors on Windows systems. It used a scatter of high-numbered ports including 3129.3
  • MyDoom.B@mm — A mass-mailing worm with a backdoor component that security researchers documented using this port.3

Neither threat is current. But their history is why automated scanners still probe 3129 — they're checking for long-dead infections, or looking for misconfigured proxies to abuse.

How to Check What's Listening

If port 3129 appears open on a machine you manage, identifying the process takes one command:

Linux/macOS:

# Linux (ss ships with iproute2 and is not available on macOS)
sudo ss -tulnp | grep ':3129 '
# Linux or macOS
sudo lsof -nP -i :3129

Windows:

netstat -ano | findstr :3129
# Then look up the PID from the last column (replace <PID> with that number):
tasklist /FI "PID eq <PID>"

If you see Squid, this is expected behavior for an SSL-intercepting proxy. If you see something unfamiliar, investigate before assuming it's benign.
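
An added example (not from the original page) that applies the check above to ss -tulnp output: it matches the local port exactly, so port 31290 or a process whose PID is 3129 is not reported, and it labels Squid as expected and anything else for investigation. The function names, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on an exact local port from `ss -tulnp` output.

# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      256    0.0.0.0:3129        0.0.0.0:*         users:(("squid",pid=1042,fd=14))
tcp   LISTEN 0      511    127.0.0.1:31290     0.0.0.0:*         users:(("node",pid=2210,fd=20))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=3129,fd=3))
udp   UNCONN 0      0      [::]:3129           [::]:*            users:(("helperd",pid=4471,fd=5))
tcp   LISTEN 0      128    [::1]:3129          [::]:*
EOF
}

# listeners_on_port PORT: reads ss output on stdin, prints
# "<proto> <local addr:port> <process> <verdict>" for each exact match.
listeners_on_port() {
  awk -v port="$1" '
    $1 == "Netid" { next }                      # header row
    {
      n = split($5, part, ":")                  # port is the last ":" field, IPv6 included
      if (part[n] != port) next                 # 31290 and pid=3129 do not match
      name = "-"; verdict = "rerun-as-root"     # ss hides the owner from unprivileged users
      if (match($0, /\(\("[^"]+"/)) {
        name = substr($0, RSTART + 3, RLENGTH - 4)
        verdict = (name == "squid") ? "expected" : "investigate"
      }
      print $1, $5, name, verdict
    }'
}

# Live use (Linux): sudo ss -tulnp | listeners_on_port 3129
sample_ss_output | listeners_on_port 3129
```
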

Why Unassigned-in-Practice Ports Matter

The registered port range contains thousands of entries like 3129 — officially named, practically abandoned. This matters for a few reasons:

Security scanning is noisier than it looks. Automated scanners sweep the entire registered range. The probes on port 3129 you see in your firewall logs aren't targeted; each one is a robot checking a list. The SANS Internet Storm Center consistently shows scanning activity on 3129 even though no active exploit uses it today.4

Ports find their own uses. Squid's SSL port convention didn't come from IANA. Admins converged on 3129 because it was adjacent to 3128 and empty enough to feel safe. This is how informal port conventions develop — not through standards bodies, but through shared practice.

The registry is a starting point, not a complete map. If you're trying to understand what's running on a machine, the IANA registry will tell you what should be there. Actual network traffic is often a different story.
