TCP and UDP ports

TCP and UDP ports are a software abstraction that lets a host tell the parallel connections of one or more applications apart. Just as IP addresses identify hosts in a network, ports identify the individual applications, and their connections, running on a host.

Data packets that reach their destination via IP are reassembled by TCP and handed to an application. Since several applications can hold TCP connections at the same time, there has to be a mapping between an arriving packet and the application it belongs to. For this purpose an identifier is defined between the data and the application, the port. It is an integer between 0 and 65,535. Every TCP (and UDP) packet carries two port numbers, one for the sender and one for the recipient. Together with the two IP addresses they identify a connection, so the packets of several connections can be assigned to the correct data stream.

Overview: Ports

The port numbers, which form one number space shared by TCP and UDP, are administered and assigned by the IANA (Internet Assigned Numbers Authority), a function that operates under ICANN (Internet Corporation for Assigned Names and Numbers). The range is divided into three groups.

Well Known Ports (0 - 1,023): These port numbers are permanently assigned to a service or an application protocol, and each such service listens on its port by default. They are also known as standard or default ports (destination port). To avoid errors and the troubleshooting that follows, this assignment should not be changed. On Unix-like systems, binding a port below 1,024 normally requires root privileges (on Linux, the CAP_NET_BIND_SERVICE capability), so an unprivileged program cannot quietly take over a well-known port.

Registered Ports (1,024 - 49,151): These port numbers are available for registration. In principle, anyone can register a port with IANA / ICANN for their application if they can justify it. In practice the same registered number is often used by more than one application, so a registration tells you which service is expected on a port, not which one is actually listening.

Dynamically Allocated Ports (49,152 - 65,535): The port numbers from 49,152 upwards are not assigned and can be used freely; typically the operating system hands them out on the fly. Clients use these ports for outgoing connections (source port). Note that operating systems do not all honour this boundary: Linux, for example, uses 32,768 - 60,999 by default (net.ipv4.ip_local_port_range), so source ports in the registered range are normal to see.

When an application wants to contact a server, it addresses the server's standard port as the destination port, and the operating system picks a free port from the dynamic range as the source port. When the server has received the data and sends a response back, the two port numbers are swapped: the reply goes from the standard port to the client's dynamic port. Together with the two IP addresses, this pair of ports ensures that the data is not passed to the wrong application, and that several clients, or several connections from the same client, to the same server can be told apart.
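As an added example (not part of the original article), the following Python script opens one TCP connection on the loopback interface and reads back the port pair as each side sees it. The listener stands in for a service on its standard port; the client leaves source-port selection to the operating system, and the script also reads the range the OS actually uses (Linux publishes it in /proc; the IANA range is assumed as a fallback elsewhere).

```python
import socket
import threading


def ephemeral_range() -> tuple:
    """Return the source-port range the local OS hands out.

    Linux exposes it in /proc (default 32768-60999, not the IANA 49152-65535);
    on other systems the IANA dynamic range is assumed as a fallback.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return 49152, 65535


def demo_port_pair(host: str = "127.0.0.1") -> dict:
    """Open one TCP connection on loopback and report the ports seen by both ends.

    The server binds port 0, so the OS picks any free port for it; this stands
    in for a well-known service port. The client does not bind at all, so the
    OS assigns its source port from the ephemeral range when connect() is called.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)
    service_port = server.getsockname()[1]
    seen = {}

    def serve() -> None:
        conn, _ = server.accept()
        with conn:
            # Server's view: local = service port, peer = the client's ephemeral port.
            seen["server_local"] = conn.getsockname()[1]
            seen["server_peer"] = conn.getpeername()[1]
            conn.recv(1)  # wait until the client has sent its byte

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection((host, service_port)) as client:
        # Client's view: the same pair the other way round.
        seen["client_local"] = client.getsockname()[1]
        seen["client_peer"] = client.getpeername()[1]
        client.sendall(b"x")
    t.join()
    server.close()
    return seen


if __name__ == "__main__":
    print("ephemeral range:", ephemeral_range())
    print(demo_port_pair())
```

The dictionary it returns shows the swap directly: the client's local port is the server's peer port and vice versa. Run it twice and the service port stays put while the client's port changes, which is exactly what lets two connections from the same client be distinguished.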

Examples of standard ports (TCP)

Port number   Protocol   Application
21            FTP        File transfer (FTP server)
23            Telnet     Console (Telnet server)
25            SMTP       Outgoing mail (SMTP server)
80            HTTP       World Wide Web (web server)
110           POP3       Incoming mail (POP3 server)
119           NNTP       Usenet (news server)

On these ports the protocols run unencrypted, credentials included; their TLS-protected variants either use separate ports (for example HTTPS on TCP 443) or negotiate encryption in-band (STARTTLS).

Examples of standard ports (UDP)

Port number   Protocol       Application
53            DNS            Domain name server
69            TFTP           Trivial File Transfer Protocol
137           NetBIOS-NS     NetBIOS name service
138           NetBIOS-DGM    NetBIOS datagram service
161           SNMP           Simple Network Management Protocol

DNS also uses TCP 53, for zone transfers and for answers too large for one UDP datagram. Because UDP has no handshake, a scanner cannot tell an open UDP port from a filtered one unless the service answers, which is why UDP scans are slow and imprecise.

Port states

Ports can be in several states. The state of a port defines whether communication through this port to the application behind it is possible or not. Put simply, there are three states.

  • Open
  • Closed
  • Filtered (blocked)

As a rule it is sufficient to divide all ports into these two states (open, closed) or three states (open, closed, filtered). There is, however, a more fine-grained view: the port scanner Nmap distinguishes six states (open, closed, filtered, unfiltered, open|filtered and closed|filtered), the extra ones expressing that a particular scan technique could not tell two states apart. They are not considered further here.

Open

A port is in the "open" state when an application is listening on it. "Open" means that you can establish a connection to an application via this port: a TCP SYN is answered with SYN/ACK and the handshake completes.

Closed

The "closed" state is the default state of a port. It applies when no application is listening on the port. The host actively refuses a connection to it: for TCP it answers the SYN with a RST, for UDP it sends an ICMP "port unreachable". "Closed" means that there is no application to which a connection can be established via this port, at least not at the TCP / UDP level.
The "closed" state can also be produced by a firewall that actively rejects connection attempts on a certain port (an iptables REJECT rule, for example) even though an application may well be listening behind it. For the remote side the result is the same: no connection can be established to the application behind it.

Filtered (blocked)

The "filtered" state applies when the contacted port is protected by a firewall that does not respond to connection attempts at all (an iptables DROP rule, for example). The connection is neither confirmed (open) nor refused (closed): the SYN simply goes unanswered and the scanner sees a timeout. One therefore has to assume that the connection attempt is being blocked. This only holds if the host is reachable at all, i.e. answers on at least one other port; otherwise the same silence results from a host that is offline or behind a broken route. Nmap also reports a port as filtered when an ICMP error such as "administratively prohibited" comes back instead of a TCP answer.
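The three states above, as an added example rather than code from the article: a small Python connect scanner that classifies a TCP port from the kernel's answer, open on a completed handshake, closed on a RST, filtered on silence or an ICMP unreachable. Two helpers set up a known-open and a known-closed port on loopback so it can be tried without a remote host; the filtered case only shows up against a real firewall or an unreachable address.

```python
import errno
import socket


def tcp_port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan (nmap -sT) does.

    open     - the three-way handshake completed: something is listening
    closed   - the host answered the SYN with RST (connection refused); a
               firewall REJECT rule with tcp-reset looks exactly the same
    filtered - nothing came back within the timeout (a DROP rule, or no host
               at all), or an ICMP unreachable came back instead of a SYN/ACK
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: state} for the given ports."""
    return {p: tcp_port_state(host, p, timeout) for p in ports}


# Two helpers so the example can be run against known states on loopback.
def listener(host: str = "127.0.0.1"):
    """Bind and listen on a free port; returns (socket, port). The socket is
    never accept()ed: the kernel completes the handshake on its own, which is
    all a connect scan can see."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Return a port that nothing listens on (bind, read the number, close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = listener()
    print(scan("127.0.0.1", [open_port, free_port()]))
    srv.close()
```

Note what the scanner cannot see: "open" only says the kernel accepted the connection, not that the application behind it will ever talk, and "closed" from a REJECT rule and "closed" from an empty port are indistinguishable from outside.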

What is an open or closed port?

What does it mean when an "open port" is mentioned? A port is considered open when an application accepts data packets that arrive on this port unsolicited, i.e. packets it did not request by first opening a connection itself. At the socket level this is a listening socket.
A port is "opened" when an application is started that "listens" on this port.
A port is considered "closed" when no application is "listening" on it. A port is closed again when the listening application stops listening, either because it closes its listening socket or because it is terminated. Data packets that are then sent to this port are rejected (TCP RST, or ICMP port unreachable for UDP).

How can you protect yourself from "open ports"?

"Open ports" are not a problem in themselves. They are part of connection-oriented communication in a network. They become a problem only when the user is not aware of an open port, i.e. does not know that an application listening on a certain port has been started, for example because it runs in the background. These can be regular system services, but also malware. An open port that nobody intended is then a security hole.
To prevent a port from being reachable without authorization, a firewall or a port filter is often placed in front of the host; it blocks connections from outside to any inside port that has not been explicitly allowed. Such a filter does not close the port (the application is still listening), it only makes it appear "filtered" from outside, which is why the listening sockets should still be checked on the host itself.

As a user, you can protect yourself from an unauthorized application opening a port by installing a desktop firewall that warns about connection attempts from the inside to the outside and asks explicitly for permission. In this way you can prevent application programs from becoming a gateway.
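A check the host owner can run for the "unknown open port" case, added here as an example (not from the article): the script parses the output of `ss -tulpn` (Linux; the sample below is constructed, not captured from a real host) and reports every listener that is not on an allowlist of expected (protocol, port, process) triples, putting sockets bound to all interfaces first. The allowlist and the process names are assumptions made for the sample.

```python
import re

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=990,fd=6))
tcp   LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=3117,fd=3))
"""

# (protocol, port, process name) triples the administrator expects on this host.
# Hypothetical allowlist for the sample above.
ALLOWED = {("tcp", 22, "sshd"), ("udp", 53, "systemd-resolve")}

WILDCARDS = {"0.0.0.0", "[::]", "*"}          # bound on every interface
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> list:
    """Parse listening sockets out of `ss -tulpn` output."""
    records = []
    for line in text.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        proto, _state, _rq, _sq, local, _peer = parts[:6]
        addr, port = local.rsplit(":", 1)     # "[::]:22" -> "[::]", "22"
        m = PROC_RE.search(parts[6]) if len(parts) > 6 else None
        records.append({
            "proto": proto,
            "addr": addr,
            "port": int(port),
            "process": m.group(1) if m else None,   # needs root to be shown by ss
            "pid": int(m.group(2)) if m else None,
            "exposed": addr in WILDCARDS,
        })
    return records


def unexpected_listeners(text: str, allowed=ALLOWED) -> list:
    """Return listeners that are not on the allowlist, most exposed first."""
    hits = [r for r in parse_ss(text)
            if (r["proto"], r["port"], r["process"]) not in allowed]
    return sorted(hits, key=lambda r: (not r["exposed"], r["port"]))


if __name__ == "__main__":
    for r in unexpected_listeners(SAMPLE_SS):
        where = "ALL INTERFACES" if r["exposed"] else r["addr"]
        print(f"{r['proto']}/{r['port']} {r['process']} (pid {r['pid']}) on {where}")
```

On the sample this flags the netcat listener on 4444 (bound to all interfaces, so reachable from outside unless a filter sits in front) ahead of redis on 6379, which is at least confined to loopback. Run `ss -tulpn` as root, otherwise the process column is empty and every triple misses the allowlist.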

Port knocking

Port knocking is the idea of hiding services from potential attackers on the one hand (port state "closed" or "filtered") while still being able to establish connections to them on the other (port state "open").
For this purpose, the protected port is "closed" in its basic state. In order to establish a connection to it anyway, the remote host must first send a knock sequence: a series of connection attempts to a fixed set of filtered ports, in a fixed order. These connection attempts are rejected by the firewall but also logged. A port knocking daemon monitors the firewall log. When it detects a complete knock sequence from a source address, it changes the firewall rules to open one or more ports for that address. Once the desired ports are open, the remote host can establish a regular connection. With another knock sequence the remote host can close the port again.
Keep in mind that the knock sequence travels in cleartext and can be observed and replayed by anyone who sees the traffic, so port knocking hides a service but does not authenticate the client; the service behind the opened port still needs its own authentication.
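To make the mechanism concrete, here is an added Python example (not an existing port-knocking daemon) of the detection half: it reads constructed iptables LOG lines for the knock ports, tracks each source address's progress through the sequence 7000, 8000, 9000 within a 30-second window, and, for a source that completes it, produces the iptables rule that would open port 22 for that address. Sequence, window, log prefix, year and protected port are assumptions.

```python
import re
from datetime import datetime

# Knock sequence, time window and protected port are assumptions for this example.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 30
PROTECTED_PORT = 22

# Constructed iptables LOG lines (syslog "kernel:" format, log prefix "KNOCK: ").
# The knock ports themselves are dropped by the firewall; a LOG rule in front of
# the DROP writes these lines, and they are all the daemon ever sees.
SAMPLE_LOG = """\
Mar 13 10:15:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=7000 SYN
Mar 13 10:15:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=8000 SYN
Mar 13 10:15:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=7000 SYN
Mar 13 10:15:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51236 DPT=9000 SYN
Mar 13 10:15:04 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=9000 SYN
Mar 13 10:16:00 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=7000 SYN
Mar 13 10:17:30 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=8000 SYN
Mar 13 10:17:31 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=33002 DPT=9000 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*KNOCK: .*SRC=(?P<src>[\d.]+) "
    r".*PROTO=TCP .*DPT=(?P<dport>\d+)"
)
LOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample


def parse_knocks(text: str):
    """Yield (timestamp, source address, destination port) per logged knock."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            yield ts, m["src"], int(m["dport"])


def detect(text: str, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS) -> list:
    """Return (source, time) for each source that completed the knock sequence.

    Per source we keep the index of the next expected port and the time of the
    first knock. A wrong port or an expired window resets the sequence.
    """
    progress = {}   # src -> (next index, time of first knock)
    opened = []
    for ts, src, dport in parse_knocks(text):
        idx, started = progress.get(src, (0, ts))
        if idx > 0 and (ts - started).total_seconds() > window:
            idx, started = 0, ts                  # too slow: start over
        if dport != sequence[idx]:
            idx, started = 0, ts                  # wrong port: start over ...
            if dport != sequence[0]:              # ... unless this is a fresh first knock
                progress.pop(src, None)
                continue
        idx += 1
        if idx == len(sequence):
            opened.append((src, ts))
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return opened


def allow_rule(src: str, port: int = PROTECTED_PORT) -> str:
    """The firewall change the daemon applies for a source that knocked correctly.
    Returned as a command string here instead of being executed."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {port} -j ACCEPT"


if __name__ == "__main__":
    for src, when in detect(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} {src} knocked correctly ->", allow_rule(src))
```

In the sample only 203.0.113.7 gets through: 198.51.100.77 skips the middle port and 203.0.113.9 takes 90 seconds between the first two knocks. A real daemon would also remove the rule again after a timeout or on a closing sequence, and the cleartext caveat above applies to every line in that log.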

Change standard ports for security reasons?

Standard ports between 0 and 1,023 have the property that the assignment between port number and application is publicly known. That is intended, and for the most part good: a web browser knows that a web server can be reached on port 80, so the user does not have to worry about anything at this level.
But there are also applications that have to authenticate the user, for example SSH for remote control and remote maintenance of computers. An attacker who knows that the SSH server is listening on port 22 will direct his attacks against the authentication on that port. His goal is to take control of the server via SSH.
To make this harder, some system administrators let services such as SSH listen on a port other than the standard one. The idea is that if an attacker only looks for an SSH server on port 22, but the real port is somewhere else, the attack may never start.
This is only partially correct. Obscuring ports only keeps automated scans of a few common ports and inexperienced script kiddies from finding the service. An experienced attacker who really wants to break into a system will not be prevented, at most delayed a little.
To find the service, the attacker has to scan all 65,536 ports of a system and check what is actually listening behind each one (for example with nmap -p- -sV). This is time-consuming but by no means unusual. With the right tools and a little time it is quickly established that an SSH server is listening on a non-standard port, not least because an SSH server announces itself with an "SSH-2.0-..." identification string on whatever port it listens on.
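As an added example (not from the article), the following Python banner grabber shows why a moved SSH port is found quickly: it connects to each candidate port, reads whatever the service says first, and recognises SSH by its RFC 4253 identification string regardless of the port number. A fake SSH listener on a random high port and a second listener that says nothing stand in for the targets; the OpenSSH version string in the fake banner is made up.

```python
import socket
import threading


def grab_banner(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect and return what the service says first.

    Returns b"" when the port is closed or filtered, or when the service stays
    quiet; client-speaks-first protocols such as HTTP would need a probe sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return b""


def identify(banner: bytes) -> str:
    """Name the service from its protocol-defined greeting, not from the port."""
    if banner.startswith(b"SSH-"):     # RFC 4253 identification string
        return "ssh"
    if banner.startswith(b"220 "):     # SMTP and FTP greet with a 220 line
        return "smtp-or-ftp"
    if banner.startswith(b"+OK"):      # POP3
        return "pop3"
    return "unknown" if banner else "silent"


def find_ssh(host: str, ports, timeout: float = 2.0) -> list:
    """Return the ports in `ports` on which an SSH server announces itself."""
    return [p for p in ports if identify(grab_banner(host, p, timeout)) == "ssh"]


def start_fake_service(banner: bytes, host: str = "127.0.0.1") -> int:
    """Test double: listen on a random high port, greet one client with
    `banner` (b"" for a service that says nothing) and hang up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    hidden_ssh = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # made-up version
    quiet = start_fake_service(b"")
    print("ssh found on:", find_ssh("127.0.0.1", [quiet, hidden_ssh]))
```

Sweeping all 65,536 ports this way takes minutes on a LAN; nmap's -sV does the same job with a far larger set of probes and signatures. The point stands either way: the port number hides nothing from anyone who asks the service what it is.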

Changing standard ports has disadvantages for ordinary users. They have to know which service is running on which port. Since typical clients assume the standard ports, the changed port must be specified explicitly every time the service is addressed. That is inconvenient, and it quickly gets complicated when different systems use different port numbers for the same service. For this reason the port assignment then tends to be defined centrally again, which in turn makes things easier for an attacker.

A general recommendation is not easy to give. Applications on standard ports are clearly easier to find and therefore to attack, but a port change needs careful thought. Where it makes sense is on systems reachable from the Internet. To reduce the load of constant automated login attempts on such systems, it can be worthwhile to move SSH and other remote access off their standard ports, so that the bots and broad scans that only look at port 22 pass by.

On the other hand, if standard ports have to be changed because of a security risk, the established security policy itself must be questioned. If that is the situation, the really correct approach is not to allow connections from remote computers to this port at all. For example, the SSH server should only be accessible from the local network, not from the public one.
If that cannot be avoided, one has to be aware that no critical data may be stored on such a server and no unnecessary applications may run on it, because such a system is fundamentally exposed. In that case additional security measures are necessary; changing the default port is then only one of them.
