What Port 2070 Is
Port 2070 is a registered port — it sits in the range from 1024 to 49151, the middle band of the port numbering system where IANA tracks assigned services without the strict gatekeeping applied to well-known ports below 1024.
IANA officially registered port 2070 for ah-esp-encap: the encapsulation of IPsec's Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols inside UDP packets. This is a legitimate function in IPsec VPN setups, useful for punching through NAT routers that can't otherwise handle raw IPsec traffic.
In practice, you are unlikely to find ah-esp-encap on port 2070 in the wild. Modern IPsec NAT traversal typically uses port 4500, which is where the actual RFC 3948 standard landed. [1] Port 2070's registration exists in the IANA registry, but the traffic mostly doesn't.
What Actually Runs Here
If you find port 2070 open on a Windows machine, it's more likely to be Lexmark Services Monitor (LSM) — a background service that ships with older Lexmark printer software to monitor printer status on the local network.
LSM ran an HTTP server on TCP port 2070. In 2019, a researcher discovered that this HTTP server was vulnerable to directory traversal: an attacker on the network could craft requests like GET /../../../../../../windows/system32/config/SAM and read arbitrary files off the host machine. [2] No authentication required. Any file the Windows service account could read, the attacker could read.
Lexmark's response: the software was end-of-life, no patch would be issued, users should migrate to their replacement product. The vulnerability is CVE-2019-16758. The port is still listening on machines where LSM was never removed. [3]
What Port Numbers in This Range Mean
Registered ports (1024–49151) are documented with IANA but not enforced. Any application can bind to port 2070 — the registration is advisory, not restrictive. This is how LSM ended up here: it needed a port, picked one, and nobody stopped it.
This is normal. Thousands of registered ports have their official IANA service and a completely different population of software actually using them in practice. The registry describes intent; packet captures describe reality.
How to Check What's Listening on Port 2070
On Linux or macOS:
On Windows:
If something is listening, the PID in the output will tell you what process owns it. On Windows, that PID can be matched in Task Manager or with:
If you're running old Lexmark printer software and see port 2070 open, remove LSM or block the port at the firewall. There is no patch.
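One way to script the Linux/macOS side of this check, as an added example that is not part of the original page. The function names (parse_ss, sample_ss, check_port) and the sample socket lines are constructed for illustration; the parser matches the port as a whole field so that neighbours such as 20700 are not reported.

```shell
#!/bin/sh
# Added example, not from the original page: find listeners on port 2070.
# Function names and the sample data below are assumptions for illustration.

# Filter `ss -H -lntup` output on stdin down to sockets bound to port $1.
# The port is compared as a whole field, so 20700 or 12070 never match.
# Output per socket: proto local_address owner
parse_ss() {
    awk -v port="$1" '{
        n = split($5, part, ":")   # $5 is Local Address:Port; IPv6 adds colons
        if (part[n] != port) next
        owner = ($7 == "" ? "owner-hidden(rerun-as-root)" : $7)
        print $1, $5, owner
    }'
}

# Constructed sample of `ss -H -lntup` output so the parser runs offline.
sample_ss() {
    cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:2070 0.0.0.0:* users:(("example-svc",pid=1234,fd=3))
udp UNCONN 0 0 [::]:2070 [::]:*
tcp LISTEN 0 128 0.0.0.0:20700 0.0.0.0:* users:(("other",pid=99,fd=4))
EOF
}

# Live check: ss on Linux, lsof as the fallback (macOS ships lsof, not ss).
check_port() {
    port="${1:-2070}"
    if command -v ss >/dev/null 2>&1; then
        ss -H -lntup | parse_ss "$port"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$port" -sTCP:LISTEN
        lsof -nP -iUDP:"$port"
    else
        echo "neither ss nor lsof found" >&2
        return 1
    fi
}

# Query the live system only when asked; otherwise parse the sample.
if [ "${1:-}" = "--live" ]; then
    check_port 2070
else
    sample_ss | parse_ss 2070
fi
```

Run it with --live as root to see the owning process for every socket; without root, ss omits the process column for sockets owned by other users.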
Why Unassigned Space Matters
Most registered ports are quiet most of the time. The 2070–2999 range is sparsely populated with active services. This quiet space serves a function: when developers need a port for a new application, there's room to register something without colliding with everything else. It also means that when a port in this range shows up in a scan, it's worth investigating — something specific put it there.
Frequently Asked Questions