What Do All Those Network Port Numbers Really Mean? A Complete Guide

Network engineers often list familiarity with protocols such as TCP/IP and HTTP, but a deeper understanding of ports is essential.

(1) Hardware ports refer to physical interfaces on devices like switches and routers (e.g., SFP ports).

(2) TCP/IP ports are logical endpoints used by services such as FTP (port 21) and HTTP (port 80).

Because the Internet requires more than just hardware interfaces, software ports were introduced to allow computers to communicate across networks.

Ports are divided into three categories based on their number range:

Well‑Known Ports (0‑1023): tightly bound to specific services.

Registered Ports (1024‑49151): loosely associated with various services.

Dynamic/Private Ports (49152‑65535): generally not assigned to well‑known services and often abused by malware.

Ports can also be classified by protocol type, such as TCP ports and UDP ports.

Below are examples of many ports, their services, and typical security notes:

Port 0 – Service: Reserved – Description: Often used for OS analysis; 0 is an invalid port, so connections to it behave unusually.

Port 1 – Service: tcpmux – Description: Used by SGI Irix machines; default accounts can be exploited by attackers.

Port 7 – Service: Echo – Description: Used in Fraggle amplification attacks.

Port 19 – Service: Character Generator – Description: Sends random characters; can be abused for DoS attacks.

Port 21 – Service: FTP – Description: FTP servers often expose anonymous access; many trojans target this port.

Port 22 – Service: SSH – Description: Vulnerable configurations can expose SSH weaknesses.

Port 23 – Service: Telnet – Description: Scanned to discover OS and passwords; trojans may open this port.

Port 25 – Service: SMTP – Description: Used for sending email; spammers and trojans exploit it.

Port 53 – Service: DNS – Description: DNS servers are frequently filtered or logged due to attacks.

Port 67/68 – Service: DHCP – Description: Broadcast traffic for IP address assignment; can be hijacked for MITM attacks.

Port 80 – Service: HTTP – Description: Standard web traffic; some trojans open this port.

Port 443 – Service: HTTPS – Description: Encrypted web traffic.

Port 110 – Service: POP3 – Description: Email retrieval; many vulnerabilities allow buffer overflows.

Port 143 – Service: IMAP – Description: Similar security issues as POP3.

Port 161/162 – Service: SNMP – Description: Network management; default community strings are often guessed.

Port 445 – Service: CIFS/SMB – Description: File sharing; common target for ransomware.

Port 3306 – Service: MySQL – Description: Database service; often scanned for weak credentials.

Port 3389 – Service: RDP – Description: Remote desktop; frequently exploited by ransomware.

Port 5000 – Service: Various – Description: Used by many trojans (e.g., Blazer5, Sockets de Troie).

Port 8080 – Service: HTTP Proxy – Description: Common proxy port; attackers use it for anonymizing traffic.

Port 31337 – Service: Back Orifice – Description: Classic remote administration trojan.

Numerous other ports are listed in the original source, each with associated services and notes about malware that commonly opens them.

Source: Network Engineer Club public account.