Skip to content
ProtocolPorts

Port reference

Port 2123 (UDP) – GTP-C (GPRS Tunnelling, mobile core)

GTP control-plane signaling between mobile core nodes (SGSN/GGSN, S-GW/P-GW), managing PDP/PDN sessions and bearers.

udpRegisteredCommonly attacked

Default state

Open on mobile core network elements (GGSN/PGW, SGSN/SGW) on operator and roaming (GRX/IPX) interfaces, not on consumer hosts.

Common attacks

  • Subscriber/session spoofing via forged GTP-C messages
  • Session teardown and denial of service against bearers
  • Information disclosure and IMSI/subscriber enumeration
  • Malformed GTP message fuzzing causing node crashes

Hardening

  • Restrict GTP-C to trusted roaming peers via GTP firewall
  • Validate GTP message integrity and enforce sequence/teid checks
  • Separate roaming (GRX/IPX) from internal interfaces
  • Rate-limit and monitor GTP-C signaling for anomalies
  • Patch core network elements against GTP parsing flaws

nmap snippet

nmap -sU -p2123 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 2123?

Port 2123 carries GTP-C, the control plane of the GPRS Tunnelling Protocol, used inside mobile core networks. It signals between nodes such as SGSN/GGSN (3G) and S-GW/P-GW (LTE/EPC) to create, modify, and delete PDP/PDN sessions and bearers for subscribers. User traffic is tunnelled separately via GTP-U on port 2152. This is operator infrastructure, not a consumer-facing service.

Why it matters for security

GTP was designed for trusted operator interconnects and has weak built-in authentication. On roaming interfaces (GRX/IPX), forged GTP-C messages can spoof subscribers, tear down sessions, disclose information, or enumerate IMSIs — the well-documented family of GTP attacks. Malformed messages can also crash core nodes, affecting many subscribers at once.

How it's attacked

Attackers reaching a GTP-C interface send forged control messages to spoof or hijack subscriber sessions, delete sessions for denial of service, and probe for information disclosure. They fuzz malformed GTP packets to crash nodes, often pivoting from a compromised roaming partner.

Hardening checklist

Deploy a GTP firewall and restrict GTP-C to trusted roaming peers. Validate message integrity and enforce sequence/TEID checks to reject spoofed signaling. Separate roaming (GRX/IPX) from internal interfaces, rate-limit and monitor GTP-C for anomalies, and patch core elements against GTP parsing flaws. Use the nmap snippet above only on infrastructure you are authorized to test.

Related ports

Port 2152Port 3386Port 2152

Frequently asked questions

What is GTP-C and where is port 2123 used?
GTP-C is the control plane of the GPRS Tunnelling Protocol, used between mobile core nodes (SGSN/GGSN, S-GW/P-GW) to manage subscriber sessions and bearers. Port 2123 carries GTP-C; user data is tunnelled separately via GTP-U on 2152.
Why is GTP-C a security concern for operators?
GTP was designed for trusted operator interconnects, so forged GTP-C messages can spoof subscribers, tear down sessions, or disclose information. Roaming (GRX/IPX) exposure makes a GTP firewall essential.