1. Ports
  2. Port 3390

Port 3390: RDP's Shadow — One Digit from the Most-Scanned Port on the Internet

What Port 3390 Is

Port 3390 is a registered port — meaning it falls in the range managed by IANA (1024–49151), where services can formally stake their claim. Port 3390 never did. No protocol registered here. IANA lists it as unassigned.

In practice, that hasn't stopped it from being used.

What Actually Runs Here

RDP in Disguise

Port 3389 is Remote Desktop Protocol's home. It is also one of the most relentlessly scanned ports on the Internet — bots probe it constantly, looking for weak passwords and unpatched Windows machines. The moment an RDP server appears on 3389, the brute-force attempts begin within minutes.

Administrators noticed. Moving RDP to a non-standard port — 3390 being an obvious candidate given its proximity — reduces automated noise significantly. It's security through obscurity, which is not real security, but it does quiet the logs.

If you see port 3390 open on a Windows machine, there's a reasonable chance someone put RDP there intentionally. 1

Azure Virtual Desktop RDP Shortpath

The more significant use is Microsoft's own. Azure Virtual Desktop uses UDP port 3390 as the default port for RDP Shortpath for managed networks — a UDP-based transport that bypasses the TCP relay path and connects clients directly to session hosts over private networks (VPN, ExpressRoute). 2

When a client connects to an Azure Virtual Desktop session, it attempts two paths simultaneously: the standard TCP connection through the gateway, and a direct UDP connection on port 3390. Whichever establishes first — and performs better — wins. The UDP path, when it works, delivers lower latency and better performance for interactive desktop sessions.

This means port 3390 UDP, on many corporate networks, is now carrying enterprise remote desktop traffic at scale. No IANA registration. Just Microsoft documentation and firewall rules.

What Range This Port Belongs To

Port 3390 is a registered port (1024–49151). Ports in this range:

  • Can be used by any process with normal user privileges (unlike well-known ports below 1024, which require root/administrator)
  • Are managed by IANA, but registration is voluntary — services can and do run on unregistered ports
  • Are not ephemeral (those live above 49151), so traffic here is usually intentional, not transient

How to Check What's Listening

On Linux/macOS:

ss -tlnp | grep 3390
# or
lsof -i :3390

On Windows:

netstat -ano | findstr :3390
# Then check the PID:
Get-Process -Id <PID>

Remotely (check if port is open):

nmap -p 3390 <host>

Security Note

If you find port 3390 open and weren't expecting it:

  • On a Windows machine: it's almost certainly RDP, moved there by an administrator or, more concerning, by an attacker who installed RDP and tried to hide it
  • On an Azure Virtual Desktop environment: it's likely the RDP Shortpath listener — expected and intentional
  • On anything else: investigate before assuming

The proximity to 3389 means scanners increasingly probe 3390 as well. Moving RDP here buys less cover than it used to.

ئالدىنقى

Port 3388: Unassigned — Living Next Door to RDP

كېيىنكى

Port 3391: Unassigned — Microsoft's Unofficial RDP Shortcut

بۇ بەت پايدىلىق بولدىمۇ؟

😔
🤨
😃