Security: How Network Ports Work

By Daniel Miessler on February 15th, 2007: Tagged as Networking | Security

Many who are new to networking and security wonder what it means to have “ports” open on your computer. Some get rather anxious when an online port scan reveals that something’s open on their system. What follows is a silly, but hopefully memorable way for beginners to remember how nework ports work.

Houses, Windows, and Midgets

Open_Window

Imagine a house with many, many windows. And imagine that all these windows are spring-loaded so they slam shut when they aren’t being actively held open. Also within the house are a number of midgets. Each one is able to talk to people outside the house temporarily, but only through an open window.

Well, ports on a computer — just like spring-loaded windows — are also closed by default. They don’t just stay open on their own. The second someone stops holding one open, it slams shut. So when you do find one that is open, your mission is to find out what little midget program is holding it that way.

Don’t worry about the port. It can’t stay open by itself. Instead, focus on the midget.

For that task you can use a program from Foundstone called Fport. It’ll give you the name of the midget program so you can find him and tell him to get the hell out of your window. Once he’s gone, i.e. you’ve shut down the program, the port will be closed again.:

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Yur
    I've often wondered about ports used to send data.

    I know that a webserver listening on the default HTTP port of 80 will "lock" that port on a machine. Two processes can't listen on the same port (at least with any OS's I'm familiar with).

    But when I'm on my desktop, does my browser use a port to send/receive data from a webserver?

    If I'm running a local webserver listening on port 80, and then on the same machine I use my browser ... how does the response traffic not go to my webserver (thus confusing everyone involved)?

    /boggle
  • Yur

    The 'connection' between your web browser and the web server is between the port on your machine and the port on theirs. Typically connections *from* your machine will be made above port 1024, if not higher, *to* a server on a port below 1024.

    So, your web server listens on port 80, and your web browser 'listens' on a higher port, for the specific task of talking to the remote web server for one session.

    Hope this makes a bit of sense.. :)
  • Jason Powell
    A most excellent explanation for me, someone who never knew anything about ports, etc. Unfortunately, now, if I find myself in a situation called upon to explain this phenomenon, the only analogy I'll have handy will involve midgets on spring-loaded windows. I am heartened, though, that this is apparently the same situation you, yourself, are in.
  • Gotta love metaphors.

    -- Arik
  • Tim
    Haw haw. I just had a mental image of Daniel yelling at his computer:

    "Hey all you midgets in there! Quit yackin' and get back to work!"
  • > If I’m running a local webserver listening on port 80, and then on the same machine I use my browser … how does the response traffic not go to my webserver (thus confusing everyone involved)?

    In general, "client" ports (also called ephemeral ports) are very high -- often in the many thousands. The low ports (especially those below 1024) are reserved for common services such as web, ftp, telnet, etc.

    So think of it this way -- each side of a connection has two things: 1) an IP address, and 2) a port. Usually the server side will be a low port and the client a high one, but it depends on the application so that's not always the case.

    Hope this helps...
  • Michael S Black
    Are the midgets unionized?

    **We represent the Lollipop Guild, the Lollipop Guild, the Lollipop Guild**
  • Yur
    Ahhh, I see now.

    So this (from lsof) makes more sense now:

    firefox-b 250 yur 43u IPv4 0x4177018 0t0 TCP 10.0.0.102:53475->ar-in-f104.google.com:http (ESTABLISHED)

    Firefox has an open connection with Google using my local port 53475, right? I guess outbound connections pick a random port and make sure it isn't in use or something? I assume there is a nice POSIX system call for this sort of thing? get_an_unused_user_port() sort of thing?

    Thanks for the info.
blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives