Wednesday, 30 January 2008

How Ports and Protocols Allow Access to Your Computer

For two computers to connect to each other through TCP/IP over the Internet, both have to agree on which port number (from 1 to 65535) and protocol they will use. (A port, in this context, is not a physical connector, such as a serial port. Rather, it's a somewhat arbitrary number that two computers use to identify a particular network communications channel.) To establish a connection, the computer at the originating end specifies the IP address of the destination computer and the agreed-upon port number. The destination computer listens on the agreed-upon port number until a computer—any computer—sends it a message. The receiving computer can check the address of the originating computer and the information sent in the message to decide whether to accept the connection.

On the Internet, computers primarily use one of two transport protocols between ports: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). In TCP communication, the two computers set up a connection that lasts for the whole exchange and ensures that messages are received reliably and in order. For example, if a computer sends a data segment on a TCP connection and the segment is lost or corrupted for any reason, the network software on both computers cooperates to have the data retransmitted.

The second protocol, UDP, lets a computer send a single self-contained message (a datagram) to another computer. If a UDP message is lost on its way to the destination, the sending computer has no way of knowing that it was lost unless the application on top of UDP adds its own acknowledgements. However, this lack of knowledge isn't always a disadvantage. UDP is a low-overhead protocol, so little software is required to implement it. Applications use UDP in situations in which guaranteed delivery isn't crucial and keeping communication overhead low is important. For example, applications that stream media such as video over the Internet typically use UDP. In such applications, a few lost packets are less likely to be noticed than the delays that would be incurred by using an error-correcting protocol to retransmit them.

NOTE
--------------------------------------------------------------------------------

More than a hundred IP protocol numbers are assigned, but only TCP and UDP are commonly used by applications. TCP/IP network software stacks use a third protocol, called Internet Control Message Protocol (ICMP), to communicate between themselves. ICMP messages do not use port numbers because the TCP/IP stack itself always processes them. One example of an ICMP message is the Echo request sent out by the Ping and Tracert command-line utilities.

How Ports Are Assigned
Ports and protocols are closely tied together because in most cases only one application listens on a port. To connect to an application, you must know what port it is listening on and what protocols it expects to use. Usually at least two protocols are involved. The low-level protocols (TCP and UDP) take care only of transmitting messages between the two computers; they don't concern themselves with the actual content or meaning of the messages. Another application-layer protocol defines what the messages mean. For example, a Web browser and a server communicate using the HTTP application protocol on top of TCP. Hypertext Transfer Protocol (HTTP) defines what it means for a Web browser to send "GET /default.htm" to a server; the TCP protocol simply makes sure that the message goes through.

The Internet community has agreed to certain standard application port number assignments so that when you want to contact the public Web server at http://www.microsoft.com, for example, you always use port 80, the designated port for HTTP. A group called the Internet Assigned Numbers Authority (IANA) is officially responsible for assigning port numbers in the range 0 through 1023 (well-known ports) and also coordinates the registration of port numbers in the range 1024 through 49151 (registered ports) as a service to Internet developers. Port numbers from 49152 through 65535 (dynamic or private ports) are not managed by the IANA at all; this is the range the IANA recommends operating systems use for temporary source ports, and applications otherwise use it however they like. The IANA has registered more than 6,000 ports; a complete list is available at http://www.iana.org/assignments/port-numbers.

NOTE
--------------------------------------------------------------------------------

The IANA list of ports indicates whether a particular application or service supports UDP, TCP, or both protocols. Two completely different applications or services on a computer can use the same port number but different protocols; the TCP/IP protocol stack always knows where to send the message based on the protocol type. Fortunately, the IANA doesn't allow this situation with well-known ports because it could cause human confusion.

Thanks to the standardization of port assignments, client and server applications that use common protocols such as HTTP, Post Office Protocol (POP3), and File Transfer Protocol (FTP) can use the standard port numbers and, virtually all of the time, their connection will be successful. Default port numbers are changed so seldom that most applications put that information in rarely visited setup dialog boxes.
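The IANA list mentioned above is published as a CSV file whose first columns are Service Name, Port Number, Transport Protocol and Description, with port ranges written as "6000-6063". The following is an added Python example, not code from the original chapter: it parses an abridged, constructed excerpt in that layout, expands ranges, classifies a port into the well-known, registered or dynamic range, and finds ports registered to different services on TCP and UDP (the case the note describes). The 4242 rows and the one-transport-only ntp row are hypothetical entries included to exercise those code paths; the function names are this example's own.

```python
import csv
import io

# Constructed excerpt in the column layout of IANA's service-names-port-numbers.csv.
# The real file has more columns and thousands of rows; the 4242 rows are hypothetical
# and the ntp row is abridged to one transport on purpose.
SAMPLE_CSV = """Service Name,Port Number,Transport Protocol,Description
ftp,21,tcp,File Transfer Protocol [Control]
ftp,21,udp,File Transfer Protocol [Control]
ssh,22,tcp,The Secure Shell (SSH) Protocol
ssh,22,udp,The Secure Shell (SSH) Protocol
http,80,tcp,World Wide Web HTTP
http,80,udp,World Wide Web HTTP
ntp,123,udp,Network Time Protocol
ms-wbt-server,3389,tcp,MS WBT Server
ms-wbt-server,3389,udp,MS WBT Server
svc-a,4242,tcp,hypothetical service A
svc-b,4242,udp,hypothetical service B
pcanywheredata,5631,tcp,pcANYWHEREdata
pcanywherestat,5632,udp,pcANYWHEREstat
x11,6000-6063,tcp,X Window System
"""


def parse_registry(text):
    """Return {port: {transport: service_name}} from IANA-style CSV text.
    Ranges such as 6000-6063 are expanded; rows without a port number are skipped."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = row["Port Number"].strip()
        if not ports:
            continue
        low, _, high = ports.partition("-")
        for port in range(int(low), int(high or low) + 1):
            transport = row["Transport Protocol"].strip().lower()
            table.setdefault(port, {})[transport] = row["Service Name"].strip()
    return table


def port_class(port):
    """IANA range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 0..65535, got %r" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def describe(table, port):
    """What a client needs before connecting: the range, and the service (if any)
    registered on each transport."""
    entries = table.get(port, {})
    return {"class": port_class(port), "tcp": entries.get("tcp"), "udp": entries.get("udp")}


def split_personalities(table):
    """Ports whose TCP and UDP registrations belong to different services."""
    return {p: e for p, e in table.items()
            if "tcp" in e and "udp" in e and e["tcp"] != e["udp"]}


if __name__ == "__main__":
    registry = parse_registry(SAMPLE_CSV)
    for port in (21, 123, 3389, 6010, 50000):
        print(port, describe(registry, port))
    print("different service per transport:", split_personalities(registry))
```

To use it on the real registry, read the downloaded CSV into `parse_registry` unchanged; the extra columns are ignored by name. A practitioner should treat the result as a naming convention only: what a port is registered for says nothing about what is actually listening on it.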

Table 17-1 lists some common port numbers you're likely to encounter on a Microsoft Windows-based network. In some cases, the name of the service in this table won't match what you see on the IANA list. The table reflects real-life current names and usage, even if the use was never reflected in the official IANA document. The IANA lists port 3389, for example, as "MS WBT Server," indicating its early use by Windows-Based Terminal Server; but Microsoft's most recent name for this service is Remote Desktop Protocol. Contrary to the IANA assignments, port 22 was used by PC Anywhere until version 7.51 even though that port was originally intended only for the Unix-based Secure Shell Remote Login service. Although PC Anywhere 7.52 now uses its own assigned ports by default, it can still be configured to use the old port numbers as well.

Table 17-1. Commonly Used Ports and Protocols

Port            Protocol      Description
21              FTP           File Transfer Protocol
22, 65301       PC Anywhere   PC Anywhere versions up to 7.51
23              Telnet        Character-oriented terminal connection
25              SMTP          Simple Mail Transfer Protocol
80              HTTP          Hypertext Transfer Protocol
110             POP3          Post Office Protocol version 3
119             NNTP          Network News Transfer Protocol
123             NTP           Network Time Protocol
135             epmap         Endpoint Mapper
137, 138, 139   NetBIOS       NetBIOS over TCP/IP
143             IMAP          Internet Message Access Protocol
161             SNMP          Simple Network Management Protocol
443             HTTPS         HTTP over SSL/TLS
445             SMB           Server Message Block over TCP/IP
1723            PPTP          Point-to-Point Tunneling Protocol
1900, 5000      UPnP          Universal Plug and Play
3389            RDP           Remote Desktop Protocol (Terminal Services)
5190            AOL           America Online, AOL Instant Messenger
5631, 5632      PC Anywhere   PC Anywhere version 7.52 and later
5900, 59xx      VNC           Virtual Network Computing


Unofficial Port Usage
Although some Internet conventions advise the use of certain ports for specific protocols, no rule absolutely decrees that you must use these ports. For example, you can set up your Web server to use port 21, even though the IANA has assigned that port to FTP. To connect to the server, remote computers would need to specify the nonstandard port number. Many applications that aren't full-blown Web servers need a way for users to manage them using a Web browser; such applications can set up a simple HTTP-based Web interface on a port other than 80. Commonly used port numbers for Web-based services (other than the standard port 80) include 8080, 8081, 8181, 8282, and 8383. Web browsers such as Microsoft Internet Explorer make it easy to specify a nonstandard port number: Simply append a colon and a port number to the address. For example, to reach a Microsoft Web server on port 8080, the URL would be http://www.microsoft.com:8080/. Other applications, such as an FTP client, usually provide a way to specify the port number as part of the connection setup.

Trojan horse programs are another type of software that can make use of obscure and nonstandard port numbers. The Trojan horse itself often enters a system through an email message or a network share. Once it's on the system and activated, the program usually starts listening on a port for instructions. Hundreds of Trojan horse programs are floating around the Internet, and they use almost every port number you can imagine. The early versions of NetBus and Back Orifice used ports 12345 and 31337, respectively, but dozens of other ports are now in use. A Trojan horse might even intentionally use a standard port such as 80 or 21 in the hope that those ports won't be blocked at a firewall. In that approach, the risk for the attacker is that, because only one application can listen on a port, the Trojan horse might conflict with legitimate software already using it and reveal itself.

For more information about how Trojan horse programs work and how to stop them, see Trojan Horse Programs.
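The two preceding sections share one practical lesson: a port number is a convention, so the only way to know what a listener speaks is to talk to it. The following is an added Python example, not code from the original chapter. It starts a real HTTP server on an OS-chosen (hence nonstandard) port, starts constructed stand-ins for services that greet the client first (the way FTP, SMTP and SSH do), and then identifies each one from its first bytes rather than from its port. The banner strings, server helpers and function names are this example's own.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HOST = "127.0.0.1"   # everything here runs on loopback


class _Handler(BaseHTTPRequestHandler):
    """Minimal real HTTP server: answers every GET with a constructed text page."""

    def do_GET(self):
        body = b"constructed page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_http_server():
    """HTTP on whatever port the OS hands out (port 0), i.e. a nonstandard port."""
    server = HTTPServer((HOST, 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server                    # server.server_address[1] is the port


def start_banner_server(banner):
    """Listener that speaks first, as FTP, SMTP and SSH servers do.
    Constructed stand-in: it sends the given greeting and hangs up."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return listener                  # listener.getsockname()[1] is the port


def classify_banner(data):
    """Map the first bytes a service sends to a protocol name."""
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"220 "):
        return "ftp-or-smtp"         # both greet with 220; the greeting text tells them apart
    if data.startswith(b"+OK"):
        return "pop3"
    if data.startswith(b"* OK"):
        return "imap"
    return "unknown"


def identify_service(host, port, timeout=0.5):
    """Decide what a listener speaks without trusting its port number.
    1. Wait briefly for a greeting (server-speaks-first protocols).
    2. If it stays silent, send a minimal HTTP request (client-speaks-first)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        try:
            data = sock.recv(512)
        except socket.timeout:
            pass
        if not data:
            try:
                sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = sock.recv(512)
            except (socket.timeout, ConnectionError):
                return "unknown"
    return classify_banner(data)


if __name__ == "__main__":
    web = start_http_server()
    ftp = start_banner_server(b"220 constructed FTP server ready\r\n")
    for label, port in (("http on", web.server_address[1]), ("ftp on", ftp.getsockname()[1])):
        print(label, port, "->", identify_service(HOST, port))
    web.shutdown()
```

This is the same reasoning a port scanner's service detection applies, reduced to two probes. Pointed at a host you administer, it shows a Web interface on 8080 or a file server on 21 for what they are; a Trojan horse squatting on port 80 would answer these probes with something other than HTTP, which is exactly how it gives itself away.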

How Connections to a Port Are Made
When an application on one computer (the "originator") wants to communicate with an application on another computer (the "destination"), it uses the operating system's application programming interface (API) to create a network connection. The originator creates a message that specifies the IP address for the destination and the port number to be used for communication. Generally, the originator knows the number of a specific service that it wants to reach, so it specifies the service's well-known port number, such as 80 for HTTP. As part of the process of creating the connection, the API assigns the originator a dynamic (also called ephemeral) port number from a range above 1023 that the operating system reserves for this purpose; the exact range depends on the operating system, and the IANA designates 49152 through 65535 for it.

In the case of TCP messages, the originator opens a connection to the destination in order to send the message. It can then wait for a response from the destination, send additional messages, monitor the connection for errors, and at some point close the connection. UDP messages are much more primitive: The originator simply uses the API to send the message in the direction of the destination computer and hopes that it gets there. Meanwhile, the destination must be listening on the port that the originator specified in order to receive the message. If no application is listening on that port, the destination's TCP/IP stack still receives the message, finds no application to deliver it to, and rejects it: a TCP connection attempt is answered with a reset, and a UDP datagram is discarded, normally with an ICMP Port Unreachable message sent back to the originator.

NOTE
--------------------------------------------------------------------------------

This is a key point for TCP/IP port security. If no application is listening on a particular port, the TCP/IP protocol stack on that computer rejects whatever arrives for it: a TCP connection attempt is refused with a reset, and a UDP datagram is discarded (usually with an ICMP Port Unreachable reply). No program ever sees the data, so nothing can be attacked through that port. Minimizing the number of ports that are being listened to thus reduces the attack surface. The reset or ICMP reply is itself informative, however: it is how a port scanner tells a closed port from one that a firewall silently filters, which is why a host firewall that drops unsolicited packets hides closed ports as well as open ones.

If the application on the destination computer is listening on the port, it can receive the originator's message. In a TCP connection, it can exchange multiple messages with the originator. For UDP, there is no persistent connection; the destination computer receives only the single message that was sent. Since every message carries the originator's source address and port number, the application on the destination computer already knows how to reach the originator when it replies. Thus, the originator's port number needn't be one of the well-known ports.
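The exchanges described in this section and in the opening one (a TCP connection and a UDP datagram, the dynamic source port the operating system assigns, the destination learning the originator's address and port from the message, and what the stack does when nothing is listening), as an added Python example that is not part of the original chapter. It runs entirely on the loopback address; the messages, the HTTP-style reply text and the helper names are constructed for the demonstration, and the closed-port test assumes no other program grabs the freed port in the instant between releasing and probing it.

```python
import socket
import threading

HOST = "127.0.0.1"   # loopback only: nothing here leaves the machine


def _recv_until_close(sock):
    """TCP is a byte stream, so read until the peer closes rather than once."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def tcp_exchange():
    """Originator connects to a listening TCP port and each side sends one
    message. Returns what each side learned about the other."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))            # port 0: the OS picks a free listening port
    listener.listen(1)
    server_port = listener.getsockname()[1]
    seen = {}

    def destination():
        conn, peer = listener.accept()  # peer = (originator address, originator port)
        with conn:
            seen["peer"] = peer
            seen["request"] = conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 6\r\n\r\nhello\n")
        listener.close()

    worker = threading.Thread(target=destination)
    worker.start()
    with socket.create_connection((HOST, server_port), timeout=5) as originator:
        source_port = originator.getsockname()[1]   # dynamic port the OS assigned
        originator.sendall(b"GET /default.htm HTTP/1.0\r\n\r\n")
        reply = _recv_until_close(originator)
    worker.join()
    return {"server_port": server_port, "source_port": source_port,
            "peer_port_seen_by_server": seen["peer"][1],
            "request_seen_by_server": seen["request"], "reply": reply}


def udp_exchange():
    """Same idea with datagrams: no connection, one message each way. The
    destination learns where to reply from the datagram's source address."""
    destination = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    destination.bind((HOST, 0))
    destination.settimeout(5)
    server_port = destination.getsockname()[1]
    originator = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    originator.settimeout(5)
    originator.sendto(b"time?", (HOST, server_port))   # OS assigns a source port here
    source_port = originator.getsockname()[1]
    data, peer = destination.recvfrom(4096)
    destination.sendto(b"sorry, no clock", peer)       # straight back to that dynamic port
    reply, _ = originator.recvfrom(4096)
    destination.close()
    originator.close()
    return {"server_port": server_port, "source_port": source_port,
            "peer_port_seen_by_server": peer[1],
            "request_seen_by_server": data, "reply": reply}


def closed_port_behaviour():
    """What the originator sees when nothing listens. A port is reserved and
    released so it is known to be free (assumes nobody grabs it meanwhile)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()
    result = {"port": port}
    try:
        socket.create_connection((HOST, port), timeout=2).close()
        result["tcp"] = "connected"
    except ConnectionRefusedError:
        result["tcp"] = "refused"          # the stack answered the SYN with a reset
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(0.5)
    udp.sendto(b"anyone?", (HOST, port))   # succeeds: sendto() cannot know nobody listens
    result["udp_send"] = "accepted"
    try:
        udp.recvfrom(4096)
        result["udp_reply"] = "data"
    except socket.timeout:
        result["udp_reply"] = "none"       # Linux, unconnected socket: ICMP error not reported
    except OSError:
        result["udp_reply"] = "none"       # Windows reports the ICMP Port Unreachable as an error
    udp.close()
    return result


if __name__ == "__main__":
    for name, fn in (("TCP", tcp_exchange), ("UDP", udp_exchange), ("closed", closed_port_behaviour)):
        print(name, fn())
```

The two exchanges show the destination seeing exactly the dynamic port the originator was given, which is why replies need no well-known port of their own. The closed-port case shows the asymmetry the note is about: the TCP originator is told immediately that nothing is listening, whereas the UDP `sendto()` succeeds regardless and the originator learns of the problem only if its platform reports the ICMP error, or not at all.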
