Most AT&T U-Verse subscribers receive a 2wire residential gateway for their subscription to Internet, TV, and VoIP phone service. I believe most subscribers get a 3800HGV-B. The user guide for that model does not mention anything about a TCP Port 3479 being opened or used by default. So I found it strange to see TCP port 3479 open when I performed a full TCP port scan from the Internet to my external U-Verse IP:

nmap -sSV -n -P0 -p- “ip”

The results look like this if no other TCP ports are open in the firewall:

135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
3479/tcp  open     unknown
6881/tcp  filtered bittorrent-tracker
An nmap UDP scan also returned two open ports:
nmap -sSV -n -P0 -p- “ip”
50817/udp open  unknown
60062/udp open  ntp     NTP v4
The filtered ports by default make sense as they are used for SMB/CIFS (135-139 & 445). Port 6881 is interesting to see as it is the default port for bittorrent. You can forward any other port to host your torrents, just make sure it matches the client.
What was most interesting of these results is the open TCP port 3479. A little google hacking and I found that port is labeled as 2wire RPC and is registered:

Port 3479 details:

Protocol:TCP & UDP
IAMA status:Official
Range:Registered
Traffic:inbound, outbound, both
Notification:True

Technical description for port 3479:

The 2Wire RPC protocol officially registered to use the communication port 3749 is associated with the Remote Procedure Call (RPC) technology developed by Microsoft. This process allows for the implementation of a communication technique for the efficient exchange of data between a server and client machine. 2Wire is a popular manufacturer of DSL systems and residential gateway provider.
The 2Wire protocol associated with the system port 3749 is described as a modified XML based RPC which allows HomePortal devices to create a communication link with the datacenter. This communication foundation is used for receiving of contents, updates and programming of related devices. This protocol intends to mitigate communication issues that may hamper effective transmission interface.
The products of 2Wire benefiting from this protocol are considered as the first really intelligent, multi-service and customer installable devices of the industry.
The implementation of the protocol related to the port 3749 is widely supported by newer Operating System platforms including communication applications.

Interesting information here. I did a quick scan of other AT&T IPs in the same network and all of them had TCP port 3479 open as well. There is very little information online about this. However I did find someone reporting the following errors on the gateway:

ERR 2004/03/30 07:24:21 CST xmlrpc: error creating connection to ‘rpc.cms.2wire.com:3479’ (216.52.29.106): Connection refused

Although the post is from 2004. I took a look and that IP belongs to 2wire in San Jose.

My next steps will be to attempt to sniff what is coming in to this port. I have a feeling it will be clear text and not use authentication. More to come…

Till next time,

Jorge Orchilles