Security: How Network Ports Work

By Daniel Miessler on February 15th, 2007: Tagged as Networking | Security

Many who are new to networking and security wonder what it means to have “ports” open on your computer. Some get rather anxious when an online port scan reveals that something’s open on their system. What follows is a silly, but hopefully memorable way for beginners to remember how nework ports work.

Houses, Windows, and Midgets

Open_Window

Imagine a house with many, many windows. And imagine that all these windows are spring-loaded so they slam shut when they aren’t being actively held open. Also within the house are a number of midgets. Each one is able to talk to people outside the house temporarily, but only through an open window.

Well, ports on a computer — just like spring-loaded windows — are also closed by default. They don’t just stay open on their own. The second someone stops holding one open, it slams shut. So when you do find one that is open, your mission is to find out what little midget program is holding it that way.

Don’t worry about the port. It can’t stay open by itself. Instead, focus on the midget.

For that task you can use a program from Foundstone called Fport. It’ll give you the name of the ~~midget~~ program so you can find him and tell him to get the hell out of your window. Once he’s gone, i.e. you’ve shut down the program, the port will be closed again.:

Viewing 8 Comments

Yur 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I've often wondered about ports used to send data.

I know that a webserver listening on the default HTTP port of 80 will "lock" that port on a machine. Two processes can't listen on the same port (at least with any OS's I'm familiar with).

But when I'm on my desktop, does my browser use a port to send/receive data from a webserver?

If I'm running a local webserver listening on port 80, and then on the same machine I use my browser ... how does the response traffic not go to my webserver (thus confusing everyone involved)?

/boggle

reply edit reblog flag

Matt 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Yur

The 'connection' between your web browser and the web server is between the port on your machine and the port on theirs. Typically connections *from* your machine will be made above port 1024, if not higher, *to* a server on a port below 1024.

So, your web server listens on port 80, and your web browser 'listens' on a higher port, for the specific task of talking to the remote web server for one session.

Hope this makes a bit of sense.. :)

reply edit reblog flag

http://adigitalaesthetic.com/wp/

Jason Powell 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

A most excellent explanation for me, someone who never knew anything about ports, etc. Unfortunately, now, if I find myself in a situation called upon to explain this phenomenon, the only analogy I'll have handy will involve midgets on spring-loaded windows. I am heartened, though, that this is apparently the same situation you, yourself, are in.

reply edit reblog flag

Arik 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Gotta love metaphors.

-- Arik

reply edit reblog flag

http://arik.baratz.org

Tim 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Haw haw. I just had a mental image of Daniel yelling at his computer:

"Hey all you midgets in there! Quit yackin' and get back to work!"

reply edit reblog flag

http://slashback.org

Daniel Miessler 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

> If I’m running a local webserver listening on port 80, and then on the same machine I use my browser … how does the response traffic not go to my webserver (thus confusing everyone involved)?

In general, "client" ports (also called ephemeral ports) are very high -- often in the many thousands. The low ports (especially those below 1024) are reserved for common services such as web, ftp, telnet, etc.

So think of it this way -- each side of a connection has two things: 1) an IP address, and 2) a port. Usually the server side will be a low port and the client a high one, but it depends on the application so that's not always the case.

Hope this helps...

reply edit reblog flag

1 /people/danielrm26/ /people/danielrm26/following/ http://dmiessler.com/ danielrm26

Michael S Black 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Are the midgets unionized?

**We represent the Lollipop Guild, the Lollipop Guild, the Lollipop Guild**

reply edit reblog flag

Yur 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Ahhh, I see now.

So this (from lsof) makes more sense now:

firefox-b 250 yur 43u IPv4 0x4177018 0t0 TCP 10.0.0.102:53475->ar-in-f104.google.com:http (ESTABLISHED)

Firefox has an open connection with Google using my local port 53475, right? I guess outbound connections pick a random port and make sure it isn't in use or something? I assume there is a nice POSIX system call for this sort of thing? get_an_unused_user_port() sort of thing?

Thanks for the info.

reply edit reblog flag