Port reference
Port 8388 (TCP) – Shadowsocks proxy
Shadowsocks encrypted proxy server used for censorship circumvention and traffic tunneling.
Default state
Open on hosts running a Shadowsocks server. Exposed to the internet by design, relying on a pre-shared key for both access control and encryption.
Common attacks
- Brute force or guessing of weak pre-shared keys
- Open-proxy abuse once the key is recovered or has been left at a default
- Active probing to fingerprint and block Shadowsocks servers
- Relaying spam, scraping, or attack traffic through the host
Hardening
- Use a long, random pre-shared key and a modern AEAD cipher
- Restrict source IPs where possible and rate-limit connections
- Run the server unprivileged and keep it patched
- Rotate keys and monitor for unexpected outbound traffic
- Avoid default ports/keys that scanners check first
nmap snippet
nmap -p8388 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 8388?
Port 8388 is a common default for Shadowsocks, an encrypted proxy widely used for censorship circumvention and traffic tunneling. A client encrypts traffic with a pre-shared key and sends it to the Shadowsocks server on 8388, which decrypts and forwards it to the destination. Unlike a plain SOCKS proxy, the key provides both encryption and access control in one secret.
Why it matters for security
Shadowsocks is internet-facing by design, so its single defense is the pre-shared key. A weak, default, or leaked key collapses both confidentiality and access control: anyone who recovers it can decrypt traffic or relay their own through your server. An exposed 8388 with a poor key effectively becomes an open proxy that launders spam, scraping, and attack traffic behind your IP.
How it's attacked
Attackers scan for Shadowsocks ports and actively probe them to fingerprint the service (and, in some networks, to block it). Where keys are short, default, or reused they attempt brute force or guessing. Once the key is recovered, the server is abused as an open proxy to anonymize malicious traffic.
Hardening checklist
Use a long, random pre-shared key and a modern AEAD cipher rather than a legacy stream cipher. Restrict source IPs where feasible, rate-limit connections, and avoid the obvious default ports and keys that scanners check first. Run the server unprivileged and patched, rotate keys periodically, and monitor for unexpected outbound traffic. Use the nmap snippet above to confirm exposure on hosts you are authorized to test.
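The key, cipher, port and bind-address items in the checklist above can be checked mechanically against a server's configuration. The following is an added example, not code from this page or from the Shadowsocks project: it assumes the JSON config layout (server, server_port, password, method) and cipher names used by common Shadowsocks servers, and the 128-bit threshold, denylist and sample configs are constructed for illustration.

```python
import json
import math
import secrets
import string

# AEAD method names as written in common Shadowsocks configs (assumed vocabulary).
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
DEFAULT_PORT = 8388
MIN_KEY_BITS = 128  # assumed policy threshold
OBVIOUS_KEYS = {"password", "shadowsocks", "barfoo!", "123456", "changeme"}  # constructed denylist

def max_entropy_bits(key):
    """Optimistic upper bound: length * log2(size of the ASCII classes used)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in key))
    return len(key) * math.log2(pool) if pool else 0.0

def audit(config_text):
    """Return a list of hardening findings for one JSON config document."""
    cfg = json.loads(config_text)
    findings = []
    method = str(cfg.get("method", "")).lower()
    if method not in AEAD_METHODS:
        findings.append(f"method '{method}' is not an AEAD cipher")
    key = str(cfg.get("password", ""))
    if key.lower() in OBVIOUS_KEYS:
        findings.append("pre-shared key is a well-known or default value")
    elif (bits := max_entropy_bits(key)) < MIN_KEY_BITS:
        findings.append(f"pre-shared key too weak: at most {bits:.0f} bits")
    if cfg.get("server_port") == DEFAULT_PORT:
        findings.append("listening on default port 8388, which scanners check first")
    if cfg.get("server") in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces; pair with a source-IP firewall rule")
    return findings

def new_key():
    """Generate a replacement key from 32 random bytes (256 bits)."""
    return secrets.token_urlsafe(32)

# Constructed sample configs (addresses and ports are illustrative).
WEAK = '{"server": "0.0.0.0", "server_port": 8388, "password": "barfoo!", "method": "aes-256-cfb"}'
STRONG = json.dumps({"server": "203.0.113.10", "server_port": 24817,
                     "password": new_key(), "method": "chacha20-ietf-poly1305"})

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit(text) or "no findings")
```

Because the entropy figure is an upper bound, a key that fails it is certainly too weak, while a key that passes is only as strong as the randomness that produced it.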
Frequently asked questions
- Is Shadowsocks on 8388 encrypted?
- Yes. Shadowsocks encrypts traffic with a pre-shared key, ideally a modern AEAD cipher. Security depends on key strength — a weak or guessable key undermines both confidentiality and access control.
- Can a Shadowsocks server be abused as an open proxy?
- If the key is weak, default, or leaked, anyone who recovers it can route arbitrary traffic through your host, laundering spam or attacks behind your IP. Use a long random key and rotate it.