UDP Dangerous File Transfer

Port 69 (TFTP)

Learn about port 69 (TFTP) - security risks, vulnerabilities, and common uses. Find devices with port 69 open.

Quick Info

Port Number: 69
Protocol: UDP
Service: TFTP
IANA Name: TFTP

Service Description

UDP port 69 is the well-known port for the Trivial File Transfer Protocol (TFTP). TFTP is a much simpler relative of the File Transfer Protocol (FTP), designed for moving files between machines on a local network. It lacks FTP's heavier features, such as authentication, directory listing, and complex negotiation, which keeps it small enough for bootstrapping tasks like network booting (PXE) and firmware updates on network devices. TFTP operates as a sequence of UDP packets. The client sends its request to the server on port 69; the server answers with data packets from a newly chosen source port (normally a random high port) that identifies this transfer, and the rest of the exchange takes place between the ports the two endpoints have chosen. This port change is crucial for allowing data to flow back to the client through firewalls that might otherwise block unsolicited incoming UDP traffic on high ports.

The protocol supports several modes of transfer, including 'netascii' (for text files), 'octet' (for binary files), and 'mail' (rarely used). Each data packet contains a block number, allowing the client to reassemble the file in the correct order and detect lost packets. TFTP uses a simple error-handling mechanism, sending error packets to indicate problems such as file not found or access denied. The transfer ends when either the entire file has been transferred or an error occurs. Because of its simplicity and lack of security features, TFTP is generally not suitable for use over the public internet or in environments where data confidentiality is important.
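The packet sequence described above, as an added example that is not part of the original page: a small encoder/decoder for the five RFC 1350 packet types, plus an in-memory read exchange that plays both the client and the server side. It shows the block numbering, the ACK-per-block rhythm, the "a data block shorter than 512 bytes ends the transfer" rule (including the empty final block a file of exactly 512n bytes needs), and the ERROR reply for a missing file. The `files` dictionary standing in for the server's root is constructed sample input.

```python
import struct

# TFTP opcodes from RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512           # fixed data block size when no options are negotiated
ERR_FILE_NOT_FOUND = 1     # RFC 1350 error code


def encode_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def encode_data(block, payload):
    """DATA: opcode 3, 2-byte block number, 0..512 bytes of payload."""
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    """ACK: opcode 4, 2-byte block number being acknowledged."""
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    """ERROR: opcode 5, 2-byte error code, NUL-terminated message."""
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"


def decode(packet):
    """Parse one TFTP packet into a tuple that starts with its opcode."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (RRQ, WRQ):
        parts = packet[2:].split(b"\x00")
        if len(parts) < 3:          # filename, mode, and the empty piece after the last NUL
            raise ValueError("malformed request")
        return opcode, parts[0].decode("ascii"), parts[1].decode("ascii").lower()
    (arg,) = struct.unpack("!H", packet[2:4])
    if opcode == DATA:
        return opcode, arg, packet[4:]
    if opcode == ACK:
        return opcode, arg
    if opcode == ERROR:
        return opcode, arg, packet[4:].split(b"\x00")[0].decode("ascii", "replace")
    raise ValueError(f"unknown opcode {opcode}")


def simulate_read(files, filename, mode="octet"):
    """Drive a complete read (RRQ) exchange in memory, playing both sides.

    `files` maps filename -> bytes (a constructed stand-in for the server root).
    Returns a transcript of (sender, packet_summary) and the bytes the client
    reassembled, or None when the server answered with an ERROR packet.
    """
    transcript = []
    request = encode_request(RRQ, filename, mode)
    opcode, name, _ = decode(request)
    transcript.append(("client", (opcode, name)))

    if name not in files:
        err = encode_error(ERR_FILE_NOT_FOUND, "File not found")
        transcript.append(("server", decode(err)))
        return transcript, None

    content = files[name]
    received = bytearray()
    block = 1
    while True:
        # Server side: send block N; a block shorter than 512 bytes marks the end.
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        _, num, payload = decode(encode_data(block, chunk))
        transcript.append(("server", (DATA, num, len(payload))))
        # Client side: accept only the block it is waiting for, then ACK it.
        if num != block:
            raise RuntimeError("unexpected block number")
        received += payload
        transcript.append(("client", decode(encode_ack(num))))
        if len(payload) < BLOCK_SIZE:
            break
        block += 1
    return transcript, bytes(received)


if __name__ == "__main__":
    sample = {"pxelinux.0": b"\x90" * 1100}          # constructed sample file
    for who, pkt in simulate_read(sample, "pxelinux.0")[0]:
        print(f"{who:6} {pkt}")
```

Running the block prints the transcript for an 1100-byte file: one RRQ, three DATA packets of 512, 512 and 76 bytes, and an ACK after each. Real transfers also retransmit on timeout and wrap the 16-bit block number; both are omitted here so the exchange itself stays visible.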

Firewall Recommendations

Generally, TFTP (UDP port 69) should be blocked on firewalls facing the public internet. If TFTP is required for internal network operations (e.g., PXE booting, firmware updates), it should be restricted to a trusted network segment and access should be controlled based on IP address or MAC address. Implement strong access controls on the TFTP server itself to limit which files can be read or written. Consider using more secure alternatives like SFTP or HTTPS for file transfers, especially when dealing with sensitive data. Regularly audit TFTP server configurations and logs to detect suspicious activity. Disable TFTP server functionality when it is not actively being used. Ensure that the TFTP server is running with the least necessary privileges. Consider using a TFTP proxy or gateway to add an extra layer of security and control over TFTP traffic.
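The access controls recommended above, restricting clients by address, keeping uploads off, and limiting which files can be read or written, as an added example that is not the page's or any TFTP server's own code. The root directory `/srv/tftp` and the `10.0.0.0/24` management segment are constructed values. The path check is purely lexical, so it rejects the `..` traversal class listed under Known Vulnerabilities without touching the filesystem, and it applies to both read and write requests.

```python
import ipaddress
import posixpath

RRQ, WRQ = 1, 2                                            # TFTP request opcodes (RFC 1350)
TFTP_ROOT = "/srv/tftp"                                    # hypothetical server root
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/24")]    # constructed: the PXE/management segment


def resolve_request_path(root, filename):
    """Map a requested filename onto a path strictly inside `root`, or return None.

    The check is lexical (no filesystem access), so it behaves the same whether or
    not the file exists, and every '..' sequence that would leave the root is refused.
    """
    root = posixpath.normpath(root)
    if not filename or "\x00" in filename or "\\" in filename:
        return None                  # empty names, embedded NULs and backslashes are never legitimate
    if posixpath.isabs(filename):
        return None                  # a client must not name an absolute path
    target = posixpath.normpath(posixpath.join(root, filename))
    if not target.startswith(root + "/"):
        return None                  # normalised path escaped the root (or names the root itself)
    return target


def authorize(opcode, client_ip, filename,
              root=TFTP_ROOT, allowed=ALLOWED_CLIENTS, allow_write=False):
    """Decide whether an RRQ/WRQ should be served.

    Returns (True, resolved_path) or (False, reason).  Uploads are refused unless
    explicitly enabled, matching the 'disable what you do not use' recommendation.
    """
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in allowed):
        return False, "client not in an allowed network"
    if opcode not in (RRQ, WRQ):
        return False, "not a transfer request"
    if opcode == WRQ and not allow_write:
        return False, "uploads disabled"
    target = resolve_request_path(root, filename)
    if target is None:
        return False, "path escapes TFTP root"
    return True, target


if __name__ == "__main__":
    # Constructed requests: one legitimate boot-file read, one traversal attempt,
    # one upload, and one read from outside the allowed segment.
    for op, ip, name in [(RRQ, "10.0.0.5", "pxelinux.0"),
                         (RRQ, "10.0.0.5", "../etc/passwd"),
                         (WRQ, "10.0.0.5", "firmware.bin"),
                         (RRQ, "192.168.1.9", "pxelinux.0")]:
        print(op, ip, name, "->", authorize(op, ip, name))
```

In a real daemon the same two controls are usually configuration rather than code: tftpd-hpa's `--secure` option chroots the server into its root so a normalisation bug cannot reach the rest of the filesystem, and the firewall or the daemon's bind address supplies the client-network restriction. Logging the `(False, reason)` outcomes gives the audit trail the paragraph asks for.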

Security Information

TFTP's lack of authentication and encryption makes it a significant security risk if exposed to untrusted networks. An attacker can potentially download sensitive configuration files, firmware images, or even upload malicious software to vulnerable devices. Because TFTP servers often run with elevated privileges, a successful attack could lead to a compromise of the entire system. The absence of access controls by default also allows unauthorized users to read or write any file on the TFTP server's root directory, depending on permissions. Attackers often target TFTP servers to gain initial access to a network, especially in environments where network devices are misconfigured or lack proper security hardening. The protocol's reliance on UDP makes it susceptible to denial-of-service (DoS) attacks, where an attacker floods the server with UDP packets, overwhelming its resources and preventing legitimate clients from accessing it.

Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2004-0788 | TFTP Server Directory Traversal Vulnerability | High | Directory traversal vulnerability in TFTP servers allows remote attackers to read or write arbitrary files via a .. (dot dot) sequence in a filename. |
| CVE-2008-5628 | TFTP Server Arbitrary File Overwrite | High | TFTP servers can be vulnerable to arbitrary file overwrite if not properly configured, allowing attackers to modify system files. |
| CVE-2013-0156 | Multiple TFTP Servers Denial of Service | Medium | Multiple TFTP servers are susceptible to denial of service attacks due to handling of malformed packets. |
| CVE-2018-14882 | D-Link TFTP Server Directory Traversal | High | Directory traversal vulnerability in the TFTP server on D-Link devices allows remote attackers to read arbitrary files. |
| CVE-2020-11878 | TFTPD32/TFTPD64 Stack-based Buffer Overflow | Critical | A stack-based buffer overflow vulnerability exists in TFTPD32/TFTPD64, allowing remote attackers to execute arbitrary code via a crafted request. |

Malware Associations

  • TFTP is often used by malware to download additional components or exfiltrate stolen data. Specific malware families are not uniquely tied to TFTP, but its simplicity and ease of use make it a convenient tool for malicious actors.
  • Some botnets utilize TFTP to distribute updates or new payloads to infected machines.

Common Software

  • PXE Boot Servers (e.g., Serva32/64)
  • Network Device Firmware Update Tools (e.g., Cisco IOS Updaters)
  • Embedded Systems Bootloaders
  • DHCP Servers (for providing TFTP server information)
  • VoIP Phone Configuration Servers
  • Network Configuration Management Tools
  • Linux Distributions (for network installation)
  • SolarWinds TFTP Server
  • PumpKIN TFTP Server
  • Tftpd32/Tftpd64
