Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation



TCP/IP "Ports"

If you've already read the TechZone article discussing the nature of routable and non-routable network transport protocols you'll have a good sense for the fact that any single machine on the Internet is addressed and identified by a unique IP number like: 207.71.92.193. That particular IP is the Internet address of the grc.com machine running a web server that your web browser connected to in order to view the contents of this web site.

But the grc.com machine offers more than just web services. It also has an FTP server offering files, an SMTP server supporting our eMail post office, and a POP3 server allowing our employees to pick up their eMail. Yet all of these various servers are running within a single machine located at a single IP address. So how do we know which of these servers should handle a connection request from another computer on the Internet?

The answer, of course, is Ports.

A PORT is nothing more than the final portion of the
destination address for any piece of Internet traffic.

Let's return for a moment to the postal routing analogy we developed for discussing routing protocols. You'll recall that the address we used to get the postal letter to the proper house looked like this:

State . City . Street . HouseNumber

But notice that this address doesn't tell us WHO should receive the letter within the house. If more than one person lives at that address, we need to know who should open any letter that arrives at the house. We need to address the letter to a specific person in order to finish our postal mail routing task:

State . City . Street . HouseNumber : Person

Or in Internet terminology we'd say that we need to send it to a particular PORT at that IP address!

Standard port numbering conventions have been widely adopted to allow specific client programs, like a web browser or eMail client, to connect to their proper counterpart servers on a remote machine. For example, web browsers typically connect to a web server using port 80, and secure encrypted web connections generally occur on port 443. Email clients pick up incoming mail from a server at port 110 and deliver outbound mail to a server at port 25. FTP clients usually connect to FTP servers on port 21.

Here's a schematic diagram showing two users, Jack and Jill, each
connected to different servers running within the same machine:

As you can see in the diagram above, it's as if all of those various servers are living in the same house (on a single machine at a single IP address) but each server is listening for inbound connections and client requests on its own unique port number.

TCP ports are numbered 1 through 65535. Servers accepting inbound connections have traditionally "listened for connections" on the lower-numbered ports 1 through 1023 which are therefore known as the "system" ports. Client computers originating outbound connections generally grab any free port above 1023 as their "source port" and specify the destination machine's IP address and the destination port for the service they wish to solicit from the remote machine.

Since server software opens and listens for connections on well known port numbers, every Internet machine with software servers has an "open port profile" describing the services that are being made available by that machine. This is relevant to issues of security because it's possible to scan across all of a machine's potential ports to find those that are "open" and "listening" for connections. As the diagram above shows, when a scanner sweeps past such a machine and discovers open ports 21, 25, 80, and 110, it concludes that this machine contains four servers for file transfer (FTP), inbound eMail (SMTP), web (HTTP) and outbound eMail (POP3).
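As an added example (my own code, not part of Gibson's article), the script below acts out the diagram above and the "open port profile" just described: it starts four loopback listeners playing the roles of the FTP, SMTP, HTTP and POP3 servers, checks which candidate ports complete a TCP handshake, and reports the source port above 1023 that the client side was handed. It assumes Python 3 on a host with a working loopback interface, and it lets the OS choose the listening ports instead of 21/25/80/110, which need administrator rights to bind; the service names are therefore constructed labels for the demo.

```python
import socket

# Constructed stand-ins for the diagram's four servers. Binding the real ports
# 21/25/80/110 needs administrator rights, so the OS hands out free ones instead.
SERVICES = ("FTP", "SMTP", "HTTP", "POP3")

def start_listener(host="127.0.0.1", port=0):
    """Open a server socket 'in the house' that listens on a single port.
    port=0 asks the OS for any free port, so no privileges are required."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def open_port_profile(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that complete a TCP handshake:
    the machine's 'open port profile', checked the way a defender audits locally."""
    profile = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                profile.append(port)
    return profile

def client_source_port(host, port):
    """Connect once and report the source port the OS picked for the client side."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        return s.getsockname()[1]

def demo(host="127.0.0.1"):
    """Run the four stand-in servers, audit which ports answer, then shut them down."""
    servers = {name: start_listener(host) for name in SERVICES}
    service_by_port = {srv.getsockname()[1]: name for name, srv in servers.items()}
    spare = start_listener(host)  # opened and closed again: a port nobody listens on
    closed_port = spare.getsockname()[1]
    spare.close()
    candidates = sorted(service_by_port) + [closed_port]
    open_ports = open_port_profile(host, candidates)
    result = {"open": {p: service_by_port[p] for p in open_ports},
              "closed": [p for p in candidates if p not in open_ports],
              "source_port": client_source_port(host, open_ports[0])}
    for srv in servers.values():
        srv.close()
    return result

if __name__ == "__main__":
    print(demo())
```

Running it prints the four open ports with their labels, the one port that refused the connection, and the client's ephemeral source port; the same audit on a real machine's well-known ports is how you would confirm which services your own system exposes.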



Each open port on a machine
creates a potential point of
attack for an internet intruder.


If you're curious about pre-defined port numbers, this URL has a relatively current listing: http://www.isi.edu/in-notes/iana/assignments/port-numbers.

Trojan horse servers, like "Back Orifice," open their own ports and wait to be found by intruder scanners. To give you a sobering sense for the number of such programs operating, here's a list of the port numbers opened by well-known Trojan horse programs: http://www.sans.org/resources/idfaq/oddports.php.

With this background on TCP ports you'll have no trouble understanding the danger presented by evil port monitors and the powerful solutions created by personal firewalls . . .



Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Feb 22, 2008 at 16:09