Port reference

Port 20000 (TCP) – DNP3

Distributed Network Protocol 3 — polls and commands RTUs and IEDs in electric, water, and utility SCADA.

tcp | Registered | Commonly attacked

Default state

Open on DNP3 outstations (RTUs/IEDs) and masters in utility SCADA, with no authentication on the base protocol.

Common attacks

  • Unauthenticated reads of points and unauthorized control commands
  • Outstation enumeration and address discovery via dnp3-info
  • Spoofing/replay of DNP3 application messages
  • Denial of service against RTUs and IEDs

Hardening

  • Never expose port 20000 to the internet — isolate DNP3 on an OT network
  • Segment with firewalls/DMZ and allowlist authorized masters
  • Enable DNP3 Secure Authentication (IEEE 1815) where supported
  • Monitor with an ICS IDS for unexpected control function codes

nmap snippet

nmap -p20000 --script dnp3-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 20000?

Port 20000 carries DNP3 (Distributed Network Protocol 3), the SCADA protocol that dominates electric, water, and wastewater utilities in North America. A master polls outstations (RTUs and IEDs) to read analog and binary points, receive event data, and send control commands such as operating breakers or pumps. It runs over TCP as well as serial links.

Why it matters for security

Like Modbus and IEC-104, the base DNP3 protocol was built for trusted links and provides no authentication or encryption. Any host that reaches port 20000 can read the process state and issue control commands to field equipment, directly affecting utility operations. Because outstations sit at substations and remote sites, an exposed DNP3 endpoint is a critical-infrastructure risk on par with IEC-104.

How it's attacked

Attackers discover outstations with the nmap dnp3-info script or Shodan, enumerating DNP3 addresses and device details. With no authentication they read points to map the system and inject control commands, or replay and spoof application messages. Flooding an RTU yields a denial of service that disrupts monitoring.

Hardening checklist

Never expose port 20000 to the internet — keep DNP3 on an isolated OT network behind firewalls and a DMZ, and allowlist only authorized masters. Where devices support it, enable DNP3 Secure Authentication (IEEE 1815), and wrap WAN links in VPN/IPsec. Deploy an ICS IDS to alert on unexpected control function codes. Use the nmap snippet above only on systems you are authorized to test.
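
The function-code alerting described above, as an added example (not from the original page or any IDS product): it validates the DNP3 link-header and first-block CRCs, extracts the application function code, and alerts when a state-changing code arrives from a source IP that is not permitted to send it. The policy dict, the `sample_frame` test inputs and the choice of which codes count as control are assumptions made for illustration.

```python
import struct

# State-changing function codes (names per IEEE 1815); this exact set is the example's assumption.
CONTROL_FCS = {0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
               0x06: "DIRECT_OPERATE_NR", 0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART"}

def crc_dnp(data: bytes) -> int:
    """DNP3 CRC: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def with_crc(chunk: bytes) -> bytes:
    return chunk + struct.pack("<H", crc_dnp(chunk))  # CRC is sent low byte first

def sample_frame(dst: int, src: int, fc: int) -> bytes:
    """Constructed test input: link header plus a bare application header, no objects."""
    user = bytes([0xC0, 0xC0, fc])  # transport FIR|FIN, app control FIR|FIN, function code
    hdr = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), 0xC4, dst, src)
    return with_crc(hdr) + with_crc(user)

def parse(frame: bytes):
    """Return (dst, src, function_code) for a valid first-fragment frame, else None."""
    if len(frame) < 15 or frame[:2] != b"\x05\x64":
        return None
    if struct.unpack_from("<H", frame, 8)[0] != crc_dnp(frame[:8]):
        return None  # header CRC mismatch: corrupted or not DNP3
    length, _ctrl, dst, src = struct.unpack_from("<BBHH", frame, 2)
    n = min(length - 5, 16)  # user-data bytes in the first block
    if n < 3 or len(frame) < 12 + n:
        return None
    block = frame[10:10 + n]
    if struct.unpack_from("<H", frame, 10 + n)[0] != crc_dnp(block):
        return None
    if not block[0] & 0x40:  # transport FIR clear: no application header in this frame
        return None
    return dst, src, block[2]

def check(src_ip: str, frame: bytes, allowed: dict):
    """allowed: master IP -> set of function codes it may send (hypothetical policy)."""
    dst, src, fc = parse(frame) or (None, None, None)
    if fc not in CONTROL_FCS or fc in allowed.get(src_ip, set()):
        return None  # unparseable, not a control code, or permitted for this master
    return f"ALERT {src_ip} dnp3 {src}->{dst} {CONTROL_FCS[fc]} (0x{fc:02X})"
```

`check` expects one link-layer frame per call; a TCP payload carrying several frames has to be split using the link-layer length field first.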

Frequently asked questions

Does DNP3 have authentication?
The base DNP3 protocol has no authentication, so any host reaching port 20000 can read points and issue control commands. IEEE 1815 adds optional Secure Authentication, but many deployments do not enable it.
How is DNP3 different from Modbus?
Both are SCADA protocols with no inherent security, but DNP3 is richer — it supports timestamps, event buffering, and unsolicited reporting — and dominates electric and water utilities, whereas Modbus is common in general industry.