Security: How Network Ports Work

By Daniel Miessler on February 15th, 2007: Tagged as Networking | Security
  • Yur

    I’ve often wondered about ports used to send data.

    I know that a webserver listening on the default HTTP port of 80 will “lock” that port on a machine. Two processes can’t listen on the same port (at least with any OS’s I’m familiar with).

    But when I’m on my desktop, does my browser use a port to send/receive data from a webserver?

    If I’m running a local webserver listening on port 80, and then on the same machine I use my browser … how does the response traffic not go to my webserver (thus confusing everyone involved)?

    /boggle

  • http://adigitalaesthetic.com/wp/ Matt

    Yur

    The ‘connection’ between your web browser and the web server is between the port on your machine and the port on theirs. Typically connections from your machine will be made above port 1024, if not higher, to a server on a port below 1024.

    So, your web server listens on port 80, and your web browser ‘listens’ on a higher port, for the specific task of talking to the remote web server for one session.

    Hope this makes a bit of sense.. :)

  • Jason Powell

    A most excellent explanation for me, someone who never knew anything about ports, etc. Unfortunately, now, if I find myself in a situation called upon to explain this phenomenon, the only analogy I’ll have handy will involve midgets on spring-loaded windows. I am heartened, though, that this is apparently the same situation you, yourself, are in.

  • http://arik.baratz.org/ Arik

    Gotta love metaphors.

    – Arik

  • http://slashback.org/ Tim

    Haw haw. I just had a mental image of Daniel yelling at his computer:

    “Hey all you midgets in there! Quit yackin’ and get back to work!”

  • http://dmiessler.com/ Daniel Miessler

    If I’m running a local webserver listening on port 80, and then on the same machine I use my browser … how does the response traffic not go to my webserver (thus confusing everyone involved)?

    In general, “client” ports (also called ephemeral ports) are very high — often in the many thousands. The low ports (especially those below 1024) are reserved for common services such as web, ftp, telnet, etc.

    So think of it this way — each side of a connection has two things: 1) an IP address, and 2) a port. Usually the server side will be a low port and the client a high one, but it depends on the application so that’s not always the case.

    Hope this helps…

  • Michael S Black

    Are the midgets unionized?

    We represent the Lollipop Guild, the Lollipop Guild, the Lollipop Guild

  • Yur

    Ahhh, I see now.

    So this (from lsof) makes more sense now:

    firefox-b 250 yur 43u IPv4 0x4177018 0t0 TCP 10.0.0.102:53475->ar-in-f104.google.com:http (ESTABLISHED)

    Firefox has an open connection with Google using my local port 53475, right? I guess outbound connections pick a random port and make sure it isn’t in use or something? I assume there is a nice POSIX system call for this sort of thing? get_an_unused_user_port() sort of thing?

    Thanks for the info.
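
An added example, not part of the original thread, illustrating the exchange above: a connection is identified by both ends' address and port, so replies to a client's ephemeral port never reach a listener on the same machine. The loopback listener on a kernel-chosen port stands in for the web server on port 80, and the name `demo` is an assumption of this sketch.

```python
import errno
import socket

LOOPBACK = "127.0.0.1"

def demo():
    # Listener standing in for the web server on port 80. Port 0 asks the
    # kernel for any free port so the example runs without privileges.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LOOPBACK, 0))
    server.listen(5)
    server_port = server.getsockname()[1]

    # A second socket cannot bind the same address:port while it is in use.
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind((LOOPBACK, server_port))
        second_bind_refused = False
    except OSError as exc:
        second_bind_refused = exc.errno == errno.EADDRINUSE
    finally:
        second.close()

    # Two "browser" connections. Neither calls bind(), so connect() has the
    # kernel assign each one an unused ephemeral source port.
    clients = [socket.create_connection((LOOPBACK, server_port)) for _ in range(2)]
    client_ports = [c.getsockname()[1] for c in clients]

    # The server tells each accepted connection which peer port it sees.
    accepted = []
    for _ in clients:
        conn, peer = server.accept()
        accepted.append((conn.getsockname()[1], peer[1]))
        conn.sendall(str(peer[1]).encode())
        conn.close()

    # Each client reads to EOF and gets only the reply for its own port.
    replies = {}
    for c, port in zip(clients, client_ports):
        replies[port] = int(b"".join(iter(lambda: c.recv(64), b"")).decode())
        c.close()
    server.close()
    return second_bind_refused, server_port, client_ports, accepted, replies

if __name__ == "__main__":
    print(demo())
```

Every accepted connection shares the listener's local port and differs only in the peer port, which is the same pairing the `lsof` line shows as `10.0.0.102:53475->...:http`.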

