
What Port 2420 Is

Port 2420 sits in the registered port range (1024–49151). IANA has not assigned it to any official service.1 On paper, it belongs to no one.

In practice, it belonged to your ISP.

The Westell Connection

Throughout the 2000s, Westell Technologies manufactured DSL modems and broadband gateways that AT&T and other carriers supplied to millions of subscribers. These devices kept UDP port 2420 open on their WAN interface — the side facing the public Internet — for ISP remote management.2

The port served a narrow purpose: letting the ISP's backend systems query the modem for diagnostic information. Firmware versions, serial numbers, transceiver status. The kind of data a carrier needs when a customer calls saying their connection is slow.

The problem was disclosure. Subscribers had no idea this port was open. When security-conscious users started port-scanning their own modems and posting on DSLReports forums, they found 2420 sitting open and reachable from anywhere on the Internet.3

Westell's answer: enable the modem's built-in firewall. When the firewall mode was set to anything above "off," the port went into stealth mode — still technically open, but no longer responding to unsolicited probes.4 It wasn't a fix. It was a way to make the port invisible without closing it.

Some users reported they couldn't disable it at all, regardless of firewall settings.5

What This Port Range Means

Registered ports (1024–49151) require IANA registration but don't carry the same weight as well-known ports (0–1023), which are reserved for foundational Internet protocols. Many registered ports were claimed years ago by software that no longer exists. Others, like 2420, never made it into the registry at all — they were simply used by vendors who didn't bother registering.

This is normal. The registered range is large enough that gaps and informal uses are common.

What Might Be Listening Today

Port 2420 has no modern widespread use. If you see it open on a system today, the most likely explanations are:

  • Legacy Westell DSL equipment still in operation
  • A custom application or service configured to use an unassigned port
  • Malware (historically documented, though not prevalent)6

How to Check What's Listening

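Linux / macOS:

# Linux only (ss is not available on macOS): listeners whose local port is exactly 2420
sudo ss -tulnp 'sport = :2420'
# or, on Linux and macOS (-nP skips host and service name lookups)
sudo lsof -nP -i :2420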

Windows:

netstat -ano | findstr :2420

The process ID in the output can be matched against Task Manager or tasklist to identify the application.

From outside your network:

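# nmap scans only TCP by default; -sU adds UDP, which the Westell management service used
sudo nmap -sS -sU -p 2420 <your-ip>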
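To go one step past the local check above, the following added example (not part of the original page) parses `ss -tulnp` output, keeps only sockets whose local port is exactly 2420, and reports whether each one is bound to loopback or to all interfaces. The sample output and the process names `mgmtd`, `devsrv`, `app` and `resolved` are constructed for illustration.

```python
import ipaddress
import re

PORT = 2420  # the port this page discusses

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:2420       0.0.0.0:*         users:(("mgmtd",pid=812,fd=5))
tcp   LISTEN 0      128    127.0.0.1:24200    0.0.0.0:*         users:(("app",pid=2420,fd=3))
tcp   LISTEN 0      128    [::1]:2420         [::]:*            users:(("devsrv",pid=1999,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("resolved",pid=2420,fd=13))
tcp   LISTEN 0      128    *:2420             *:*
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def bind_scope(addr):
    """Classify a local bind address as 'loopback', 'all-interfaces' or 'specific'."""
    addr = addr.split("%", 1)[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"

def listeners(ss_output, port=PORT):
    """Return (proto, address, scope, process, pid) for sockets bound to exactly `port`."""
    found = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue                            # header or unrelated line
        addr, _, lport = f[4].rpartition(":")
        if lport != str(port):
            continue                            # skips port 24200 and lines where only the PID is 2420
        m = PROC_RE.search(line)
        # The process column is empty when ss runs without root privileges.
        name, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        found.append((f[0], addr, bind_scope(addr), name, pid))
    return found

if __name__ == "__main__":
    for row in listeners(SAMPLE):
        print(row)
```

A socket reported as `all-interfaces` is the case worth confirming from outside the network; a `loopback` listener is not reachable from other hosts.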
