Port Numbers, In Order: Why the List Has Gaps, and the Best Stories Behind the Numbers
The Well-Known Range (0–1023): The Ports That Came First
Port 0 - Reserved, and Not Quite Unused
Port 0 is technically valid in the header format but isn't meant to be a real destination. In practice it means "let the OS pick" - if you bind() a socket to port 0, the kernel assigns you a free ephemeral port instead. It's also the one port number that shows up in unusual scanning and OS-fingerprinting traffic on the open internet, because a packet addressed to port 0 forces certain stacks to respond in ways that leak information about the OS - researchers have published entire papers on nothing but traffic seen on port 0.
Ports 7, 9, 13, 19 - The "Network Utility" Protocols Nobody Runs Anymore
These four are some of the oldest port assignments on the internet, all specified in early-1980s RFCs, and all built to be trivially simple:
- Echo (7) - sends back whatever you sent it.
- Discard (9) - silently eats whatever you send it.
- Daytime (13) - replies with the current date and time as plain text.
- Chargen (19), Character Generator - replies with an endless stream of test characters.
They were genuinely useful in the 1980s for testing whether a link was alive. Today they're a textbook example of why some ports are still assigned but essentially dead: nobody disabled or reassigned them, but running the UDP version of chargen or echo on the open internet is now a well-known DDoS amplification vector - you spoof the victim's address as the source, send a tiny request, and the service floods the victim with a reply many times larger than the request. Most operating systems disable these services by default now, but the port numbers themselves were never taken back.
Ports 20/21 - FTP
Port 21 is the control channel (commands, logins); port 20 is the classic active-mode data channel. FTP predates HTTP by over a decade and its two-port, active/passive-mode split is the reason firewall configuration for FTP is still a recurring headache today.
Port 22 - SSH, and the Most Well-Documented "Why This Number" Story in the List
In 1995, Tatu Ylönen, then a researcher at Helsinki University of Technology, built the first version of SSH after a password-sniffing attack hit his university's network. He designed it as a drop-in replacement for telnet and the Berkeley r-commands (rlogin, rsh), and when it came time to register a port with IANA, he simply asked for 22 - because it sat conveniently between FTP's 21 and Telnet's 23. According to Ylönen's own account, IANA's Joyce K. Reynolds (who co-authored several of the RFCs defining Telnet, FTP, and POP) emailed back the very next day confirming the assignment. There's no deeper logic to 22 beyond "it was free and it fit between the two protocols SSH was meant to obsolete."
Port 23 - Telnet
The protocol SSH was built to replace: plaintext remote login, still occasionally found wide open on ancient network gear and IoT devices, which is exactly why it remains a favorite first-scan target for botnets like Mirai.
Port 25 - SMTP
Outbound mail relay between servers. Note this is server-to-server relay - the reason your email client doesn't use 25 directly is covered further down (587).
Port 37 - Time Protocol
A blunter cousin of NTP (port 123, below): it returns the number of seconds since January 1, 1900, in a fixed 32-bit field. That fixed-width field overflows in 2036 - a smaller-scale cousin of the Year 2038 problem baked into 32-bit Unix timestamps.
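The 2036 rollover worked through in code, as an added example that is not part of the original article: a decoder for the 4-byte Time Protocol reply that resolves the wraparound by picking the era nearest a reference clock. The function names and the inputs used with it are illustrative assumptions.

```python
import struct
from datetime import datetime, timezone

# Seconds between 1900-01-01 (Time Protocol epoch) and 1970-01-01 (Unix epoch).
EPOCH_DELTA = 2_208_988_800
ERA = 2 ** 32  # the 32-bit field wraps after this many seconds


def rollover_instant() -> datetime:
    """First instant whose seconds-since-1900 no longer fits in 32 bits."""
    return datetime.fromtimestamp(ERA - EPOCH_DELTA, tz=timezone.utc)


def decode_time_reply(payload: bytes, reference: datetime) -> datetime:
    """Decode a 4-byte Time Protocol reply into a UTC datetime.

    The wire value is only known modulo 2**32, so choose the era that
    places the result closest to `reference` (for example the local clock).
    A naive decode would map every post-2036 reply back to 1900.
    """
    if len(payload) != 4:
        raise ValueError("Time Protocol reply must be exactly 4 bytes")
    (raw,) = struct.unpack("!I", payload)  # big-endian unsigned 32-bit
    ref_1900 = int(reference.timestamp()) + EPOCH_DELTA
    era = max(0, round((ref_1900 - raw) / ERA))
    return datetime.fromtimestamp(raw + era * ERA - EPOCH_DELTA, tz=timezone.utc)


if __name__ == "__main__":
    print("field overflows at:", rollover_instant().isoformat())
    # Constructed reply: raw value 100, received by a host whose clock reads March 2036.
    clock = datetime(2036, 3, 1, tzinfo=timezone.utc)
    print("decoded:", decode_time_reply(struct.pack("!I", 100), clock).isoformat())
```
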
Port 43 - WHOIS
Plain-text domain and IP registration lookups. Notably one of the few well-known protocols with essentially no encryption story even in 2026 - WHOIS over TLS exists but isn't the default anywhere.
Port 53 - DNS
Arguably the single most load-bearing port on the internet: name resolution. It's also unusual in using both UDP (for the common case) and TCP (for zone transfers and responses too large for a single UDP packet).
Ports 67/68 - DHCP
Server and client, respectively. Split into two ports because DHCP has to work before the client has an IP address - broadcast-based negotiation doesn't fit a normal client-picks-an-ephemeral-port model.
Port 69 - TFTP
Trivial File Transfer Protocol - no authentication, no directory listing, barely a protocol at all by modern standards. Still alive today almost exclusively for network booting (PXE) and pushing firmware to routers and switches.
Port 70 - Gopher
A pre-web hypertext protocol, briefly a real competitor to HTTP in the early 1990s. This is the clearest "protocol lost the race" entry in the well-known range: Gopher didn't get deprecated by IANA, it just lost its users to the web, and port 70 has sat there, technically assigned and functionally empty, for three decades. (There's a small nostalgia revival among hobbyists running Gopher servers today, purely for fun.)
Port 79 - Finger
Looked up whether a user was logged into a remote Unix system and what they were doing. Killed off almost everywhere by the 1990s once people realized broadcasting "who's logged in right now, from where" to anyone who asked was a security and privacy problem.
Port 80 - HTTP
The web. No real mystery here - it was simply the next convenient low number available when Tim Berners-Lee's team registered HTTP, and its ubiquity today is entirely a function of the web's success, not anything special about the number 80 itself.
Port 88 - Kerberos
Network authentication protocol, still the backbone of Active Directory logins today. 88 has no deeper meaning that's documented anywhere - just an assigned number from the same era as the rest of this range.
Port 110 - POP3, Port 143 - IMAP
The two competing designs for "how does a mail client fetch messages from a server." POP3 assumes the client downloads and typically deletes from the server; IMAP assumes the server is the source of truth and the client is just a window into it - which is why IMAP won out as multi-device email became the norm.
Port 119 - NNTP
Usenet news. If you've never used Usenet, this is the one well-known-range protocol most likely to be genuinely unfamiliar rather than just "the thing that lost to something newer" - it's still alive in niche communities and binary-file circles, just entirely outside mainstream awareness.
Port 123 - NTP
Network Time Protocol. Notorious in security circles for the same amplification problem as chargen: NTP's monlist command (which lists the last 600 machines that queried a server) could be abused to reflect a small request into a massive reply aimed at a spoofed victim - one of the largest DDoS techniques of the mid-2010s until server operators disabled monlist broadly.
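A defender-side view of the reflection pattern described here and under ports 7, 9, 13 and 19 above, as an added example that is not from the original article: it pairs request and reply bytes per client in flow records and reports the amplification factor. The flow-record layout, the sample rows, and the 5x threshold are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# UDP services the article names as reflection-prone.
REFLECTOR_PORTS = {7: "echo", 19: "chargen", 123: "ntp"}

# Constructed flow records using documentation address ranges, not real traffic.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes
198.51.100.7,40000,192.0.2.10,19,udp,60
192.0.2.10,19,198.51.100.7,40000,udp,5120
198.51.100.7,40001,192.0.2.10,123,udp,234
192.0.2.10,123,198.51.100.7,40001,udp,48200
203.0.113.5,51000,192.0.2.10,123,udp,90
192.0.2.10,123,203.0.113.5,51000,udp,90
203.0.113.9,33000,192.0.2.10,53,udp,70
192.0.2.10,53,203.0.113.9,33000,udp,3000
"""


def find_amplification(flow_csv, min_factor=5.0):
    """Return (service, server, claimed_client, factor) tuples, largest first."""
    req = defaultdict(int)   # bytes sent to the service, keyed by (port, server, client)
    resp = defaultdict(int)  # bytes the service sent back, same key
    for row in csv.DictReader(StringIO(flow_csv)):
        if row["proto"] != "udp":
            continue
        sport, dport = int(row["src_port"]), int(row["dst_port"])
        size = int(row["bytes"])
        if dport in REFLECTOR_PORTS:
            req[(dport, row["dst_ip"], row["src_ip"])] += size
        elif sport in REFLECTOR_PORTS:
            resp[(sport, row["src_ip"], row["dst_ip"])] += size
    findings = []
    for key, sent in resp.items():
        asked = req.get(key, 0)
        # Replies with no matching request are what a spoofed victim sees.
        factor = sent / asked if asked else float("inf")
        if factor >= min_factor:
            port, server, client = key
            findings.append((REFLECTOR_PORTS[port], server, client, round(factor, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for finding in find_amplification(SAMPLE_FLOWS):
        print(finding)
```

On a reflector's own network the "client" address in a finding is the spoofed source, so it identifies the target of the flood rather than the sender.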
Port 161/162 - SNMP
Network device monitoring and management (the second port is specifically for asynchronous "trap" notifications from devices, rather than polled queries).
Port 179 - BGP
The protocol that quite literally holds the internet's routing table together between autonomous systems. Unlike almost everything else on this list, BGP runs over TCP rather than UDP, because route announcements need reliable, ordered delivery.
Port 194 - IRC (the "Official" One Nobody Uses)
This is one of the more interesting quiet mismatches in the whole list: IRC's IANA-registered port is 194, but almost no IRC network has ever actually used it in practice - the overwhelming real-world convention has always been 6667 (and its encrypted sibling 6697), both in the registered, not well-known, range. 194 is a well-known-range port that's correctly assigned on paper and essentially never seen live on the wire.
Port 389 - LDAP
Directory services (user/group lookups for corporate networks). Its encrypted counterpart on 636 lives in the registered range rather than sharing this section - a small inconsistency in how "the same protocol, encrypted" got assigned across the two tiers over time.
Port 443 - HTTPS
HTTP layered over TLS. If port 80 owes its ubiquity purely to the web's success, 443 owes its modern dominance to a deliberate industry-wide push (Let's Encrypt, browser "not secure" warnings, HTTP/2 and HTTP/3 requiring TLS in practice) that turned "encrypted by default" from a minority practice into the default expectation within about a decade.
Port 445 - SMB
Windows file and printer sharing, direct over TCP (bypassing the older, clunkier NetBIOS-over-TCP setup on ports 137–139). This is also one of the most consequential ports in modern security history: it's the port EternalBlue exploited, and the resulting worm - WannaCry, in May 2017 - spread through exposed SMB shares to hit hundreds of thousands of machines across roughly 150 countries in a single weekend.
Ports 465 / 587 - The SMTP Submission Split
This pair explains something a lot of people configure without ever asking why: 25 is for server-to-server relay, but mail clients submitting a new message are supposed to use 587 (authenticated "submission," standardized to stop 25 from being wide open to anyone), or 465 for submission wrapped directly in TLS. Many residential and mobile ISPs block outbound 25 entirely today specifically to choke off spam-sending malware - which is a large part of why 587/465 exist as a separate, authenticated front door.
Port 514 - Syslog
Centralized log shipping, still the lingua franca that most log aggregation pipelines (including a fair number of AWS and other cloud logging setups) can ingest even when everything else about the stack is modern.
Ports 993 / 995 - IMAPS / POP3S
The encrypted counterparts to 143 and 110, again assigned decades after the plaintext originals as TLS became standard practice for mail retrieval.
So Why Does the Well-Known Range Look Like It Has Gaps?
If you scan through 0–1023 expecting a dense, fully-explained list, it looks patchy: there are stretches with nothing well-known at all, and the numbers that are assigned skew heavily toward protocols from the 1980s and early 1990s. Three separate reasons produce that pattern, and they're worth telling apart because they're not the same thing:
- IANA doesn't reclaim and reissue numbers. Once a number is assigned to a protocol, it isn't handed to a new one just because the old protocol died - which is why Gopher (70) and Finger (79) still technically own their numbers decades after losing all relevance. This avoids the much worse problem of old documentation, firewalls, and scripts silently referring to the wrong service.
- Plenty of "assigned" ports were never widely deployed at all. Not every registered well-known port became a household name - some were requested, reserved, and then the protocol behind them simply never took off the way HTTP or SSH did.
- Deliberate deprecation on security grounds. chargen, echo, finger, and unencrypted telnet weren't removed from the registry - they were removed from default configurations and firewalls, one operating system release at a time, once their risk (amplification abuse, credential sniffing, information leakage) outweighed their 1980s-era usefulness.
None of this is a gap in the numbering - it's a gap in active usage, which is a completely different thing, and it's the single most common misreading of a port list.
The Registered Range (1024–49151): Where the Modern Software World Lives
This tier is enormous - over 48,000 numbers - and IANA registration here is far looser than in the well-known range: mostly first-come-first-served, project-by-project, which is exactly why the registered range is where you find the best "why this specific number" stories. Walking it roughly in order of how often you'd actually encounter each one in practice:
Port 1080 - SOCKS
Generic proxying, one layer below HTTP proxies - it doesn't understand HTTP at all, it just relays raw TCP (or UDP), which is why SOCKS proxies can tunnel arbitrary protocols, not just web traffic.
Ports 1433 / 1521 - Microsoft SQL Server / Oracle
Two of the biggest names in commercial relational databases, each with its own IANA-registered default, and each still overwhelmingly the number you'll see in