Port Numbers, In Order: Why the List Has Gaps, and the Best Stories Behind the Numbers
Every TCP or UDP connection you've ever made rides on a 16-bit number between 0 and 65535. That range isn't handed out randomly — it's split into three tiers by convention, policed in part by an actual root-permission check inside the kernel, and dotted with numbers that were picked for reasons ranging from "it was between two other protocols" to "an inside joke about an Italian TV personality." This post walks the range in order, low to high, and stops at every port that has a story worth telling.
Why 16 bits, and why three tiers
A port number is a 16-bit field in the TCP and UDP headers, which is why the ceiling is 65535 (2^16 − 1) and not some rounder number. IANA (the Internet Assigned Numbers Authority) splits that space into three ranges, formalized in RFC 6335:
| Range | Name | What it's for |
|---|---|---|
| 0–1023 | Well-Known / System Ports | Core, long-established protocols (HTTP, SSH, DNS, SMTP...) |
| 1024–49151 | Registered Ports | Vendor and application ports (MySQL, Redis, RDP, Minecraft...) |
| 49152–65535 | Dynamic / Private Ports | Ephemeral, client-side, assigned on the fly — never registered |
The boundary between the first two tiers isn't just a naming convention — on Unix-family systems it's an actual permission check. Since 4.1c BSD, the kernel has refused to let a non-root process bind() to any port under 1024 (IPPORT_RESERVED). The original motivation wasn't really about protecting well-known services in general — it was specifically about rlogin and rshd, which used the client's source port as a crude authentication signal ("this connection came from a privileged process on a trusted host, so I'll trust it"). If any user could bind to a low port, that signal was worthless. The rule stuck around long after rlogin itself became a security joke, and it's why, to this day, running a plain python -m http.server 80 without sudo or a capability grant (CAP_NET_BIND_SERVICE) fails on Linux and macOS.
With that framing, here's the walk through the range.
The Well-Known range (0–1023): the ports that came first
Port 0 — reserved, and not quite unused
Port 0 is technically valid in the header format but isn't meant to be a real destination. In practice it means "let the OS pick" — if you bind() a socket to port 0, the kernel assigns you a free ephemeral port instead. It's also the one port number that shows up in unusual scanning and OS-fingerprinting traffic on the open internet, because a packet addressed to port 0 forces certain stacks to respond in ways that leak information about the OS — researchers have published entire papers on nothing but traffic seen on port 0.
Ports 7, 9, 13, 19 — the "network utility" protocols nobody runs anymore
These four are some of the oldest port assignments on the internet, all specified in early-1980s RFCs, and all built to be trivially simple:
- Echo (7) — sends back whatever you sent it.
- Discard (9) — silently eats whatever you send it.
- Daytime (13) — replies with the current date and time as plain text.
- Chargen (19), Character Generator — replies with an endless stream of test characters.
They were genuinely useful in the 1980s for testing whether a link was alive. Today they're a textbook example of why some ports are still assigned but essentially dead: the assignments were never withdrawn or reassigned, but running the UDP version of chargen or echo on the open internet is now a well-known DDoS amplification vector — an attacker spoofs the victim's address as the source, sends a tiny request, and the service floods the victim with a reply many times larger than the request. Most operating systems disable these services by default now, but the port numbers themselves were never taken back.
Ports 20/21 — FTP
Port 21 is the control channel (commands, logins); port 20 is the classic active-mode data channel. FTP predates HTTP by over a decade and its two-port, active/passive-mode split is the reason firewall configuration for FTP is still a recurring headache today.
Port 22 — SSH, and the most well-documented "why this number" story in the list
In 1995, Tatu Ylönen, then a researcher at Helsinki University of Technology, built the first version of SSH after a password-sniffing attack hit his university's network. He designed it as a drop-in replacement for telnet and the Berkeley r-commands (rlogin, rsh), and when it came time to register a port with IANA, he simply asked for 22 — because it sat conveniently between FTP's 21 and Telnet's 23. According to Ylönen's own account, IANA's Joyce K. Reynolds (who co-authored several of the RFCs defining Telnet, FTP, and POP) emailed back the very next day confirming the assignment. There's no deeper logic to 22 beyond "it was free and it fit between the two protocols SSH was meant to obsolete."
Port 23 — Telnet
The protocol SSH was built to replace: plaintext remote login, still occasionally found wide open on ancient network gear and IoT devices, which is exactly why it remains a favorite first-scan target for botnets like Mirai.
Port 25 — SMTP
Outbound mail relay between servers. Note this is server-to-server relay — the reason your email client doesn't use 25 directly is covered further down (587).
Port 37 — Time Protocol
A blunter cousin of NTP (port 123, below): it returns the number of seconds since January 1, 1900, in a fixed 32-bit field. That fixed-width field overflows in 2036 — a smaller-scale cousin of the Year 2038 problem baked into 32-bit Unix timestamps.
Port 43 — WHOIS
Plain-text domain and IP registration lookups. Notably one of the few well-known protocols with essentially no encryption story even in 2026 — WHOIS over TLS exists but isn't the default anywhere.
Port 53 — DNS
Arguably the single most load-bearing port on the internet: name resolution. It's also unusual in using both UDP (for the common case) and TCP (for zone transfers and responses too large for a single UDP packet).
Ports 67/68 — DHCP
Server and client, respectively. Split into two ports because DHCP has to work before the client has an IP address — broadcast-based negotiation doesn't fit a normal client-picks-an-ephemeral-port model.
Port 69 — TFTP
Trivial File Transfer Protocol — no authentication, no directory listing, barely a protocol at all by modern standards. Still alive today almost exclusively for network booting (PXE) and pushing firmware to routers and switches.
Port 70 — Gopher
A pre-web hypertext protocol, briefly a real competitor to HTTP in the early 1990s. This is the clearest "protocol lost the race" entry in the well-known range: Gopher didn't get deprecated by IANA, it just lost its users to the web, and port 70 has sat there, technically assigned and functionally empty, for three decades. (There's a small nostalgia revival among hobbyists running Gopher servers today, purely for fun.)
Port 79 — Finger
Looked up whether a user was logged into a remote Unix system and what they were doing. Killed off almost everywhere by the 1990s once people realized broadcasting "who's logged in right now, from where" to anyone who asked was a security and privacy problem.
Port 80 — HTTP
The web. No real mystery here — it was simply the next convenient low number available when Tim Berners-Lee's team registered HTTP, and its ubiquity today is entirely a function of the web's success, not anything special about the number 80 itself.
Port 88 — Kerberos
Network authentication protocol, still the backbone of Active Directory logins today. 88 has no deeper meaning that's documented anywhere — just an assigned number from the same era as the rest of this range.
Port 110 — POP3, Port 143 — IMAP
The two competing designs for "how does a mail client fetch messages from a server." POP3 assumes the client downloads and typically deletes from the server; IMAP assumes the server is the source of truth and the client is just a window into it — which is why IMAP won out as multi-device email became the norm.
Port 119 — NNTP
Usenet news. If you've never used Usenet, this is the one well-known-range protocol most likely to be genuinely unfamiliar rather than just "the thing that lost to something newer" — it's still alive in niche communities and binary-file circles, just entirely outside mainstream awareness.
Port 123 — NTP
Network Time Protocol. Notorious in security circles for the same amplification problem as chargen: NTP's monlist command (which lists the last 600 machines that queried a server) could be abused to reflect a small request into a massive reply aimed at a spoofed victim — one of the largest DDoS techniques of the mid-2010s until server operators disabled monlist broadly.
Ports 161/162 — SNMP
Network device monitoring and management (the second port is specifically for asynchronous "trap" notifications from devices, rather than polled queries).
Port 179 — BGP
The protocol that quite literally holds the internet's routing table together between autonomous systems. Unlike almost everything else on this list, BGP runs over TCP rather than UDP, because route announcements need reliable, ordered delivery.
Port 194 — IRC (the "official" one nobody uses)
This is one of the more interesting quiet mismatches in the whole list: IRC's IANA-registered port is 194, but almost no IRC network has ever actually used it in practice — the overwhelming real-world convention has always been 6667 (and its encrypted sibling 6697), both in the registered, not well-known, range. 194 is a well-known-range port that's correctly assigned on paper and essentially never seen live on the wire.
Port 389 — LDAP
Directory services (user/group lookups for corporate networks). Its encrypted counterpart on 636 lives in the registered range rather than sharing this section — a small inconsistency in how "the same protocol, encrypted" got assigned across the two tiers over time.
Port 443 — HTTPS
HTTP layered over TLS. If port 80 owes its ubiquity purely to the web's success, 443 owes its modern dominance to a deliberate industry-wide push (Let's Encrypt, browser "not secure" warnings, HTTP/2 and HTTP/3 requiring TLS in practice) that turned "encrypted by default" from a minority practice into the default expectation within about a decade.
Port 445 — SMB
Windows file and printer sharing, direct over TCP (bypassing the older, clunkier NetBIOS-over-TCP setup on ports 137–139). This is also one of the most consequential ports in modern security history: it's the port EternalBlue exploited, and the resulting worm — WannaCry, in May 2017 — spread through exposed SMB shares to hit hundreds of thousands of machines across roughly 150 countries in a single weekend.
Ports 465 / 587 — the SMTP submission split
This pair explains something a lot of people configure without ever asking why: 25 is for server-to-server relay, but mail clients submitting a new message are supposed to use 587 (authenticated "submission," standardized to stop 25 from being wide open to anyone), or 465 for submission wrapped directly in TLS. Many residential and mobile ISPs block outbound 25 entirely today specifically to choke off spam-sending malware — which is a large part of why 587/465 exist as a separate, authenticated front door.
Port 514 — Syslog
Centralized log shipping, still the lingua franca that most log aggregation pipelines (including a fair number of AWS and other cloud logging setups) can ingest even when everything else about the stack is modern.
Ports 993 / 995 — IMAPS / POP3S
The encrypted counterparts to 143 and 110, again assigned decades after the plaintext originals as TLS became standard practice for mail retrieval.
So why does the well-known range look like it has gaps?
If you scan through 0–1023 expecting a dense, fully-explained list, it looks patchy: there are stretches with nothing well-known at all, and the numbers that are assigned skew heavily toward protocols from the 1980s and early 1990s. Three separate reasons produce that pattern, and they're worth telling apart because they're not the same thing:
- IANA doesn't reclaim and reissue numbers. Once a number is assigned to a protocol, it isn't handed to a new one just because the old protocol died — which is why Gopher (70) and Finger (79) still technically own their numbers decades after losing all relevance. This avoids the much worse problem of old documentation, firewalls, and scripts silently referring to the wrong service.
- Plenty of "assigned" ports were never widely deployed at all. Not every registered well-known port became a household name — some were requested, reserved, and then the protocol behind them simply never took off the way HTTP or SSH did.
- Deliberate deprecation on security grounds. chargen, echo, finger, and unencrypted telnet weren't removed from the registry — they were removed from default configurations and firewalls, one operating system release at a time, once their risk (amplification abuse, credential sniffing, information leakage) outweighed their 1980s-era usefulness.
None of this is a gap in the numbering — it's a gap in active usage, which is a completely different thing, and it's the single most common misreading of a port list.
The Registered range (1024–49151): where the modern software world lives
This tier is enormous — over 48,000 numbers — and IANA registration here is far looser than in the well-known range: mostly first-come-first-served, project-by-project, which is exactly why the registered range is where you find the best "why this specific number" stories. Walking it roughly in order of how often you'd actually encounter each one in practice:
Port 1080 — SOCKS
Generic proxying, one layer below HTTP proxies — it doesn't understand HTTP at all, it just relays raw TCP (or UDP), which is why SOCKS proxies can tunnel arbitrary protocols, not just web traffic.
Ports 1433 / 1521 — Microsoft SQL Server / Oracle
Two of the biggest names in commercial relational databases, each with its own IANA-registered default, and each still overwhelmingly the number you'll see in a connection string today even though both databases support changing it.
Port 1723 — PPTP
Microsoft's early VPN protocol. Still shows up in legacy configs, but its encryption has been considered broken for so long that most modern guides list it purely as "do not use this."
Port 2049 — NFS
Network File System, Unix's answer to "mount a remote disk as if it were local," dating back to Sun Microsystems in the 1980s and still the default choice for shared storage on a lot of on-prem Linux infrastructure.
Port 3000 — the "generic dev server" default
Not officially registered to any one thing — it became a de facto convention because Ruby on Rails' original development server picked it early on, and enough of the following generation of web frameworks (Node/Express tutorials among them) copied the convention that "port 3000" now reads as "someone's local dev server" almost by reflex, independent of what's actually running there.
Port 3306 — MySQL
One of the most-asked "why this number" questions in this entire list — and the honest answer, based on everything documented about MySQL's history, is that there isn't a documented reason. MySQL (created by Michael "Monty" Widenius and David Axmark, first released in 1995) simply registered 3306 with IANA as an available number in the registered range. Compare this to SSH's port 22: one has a specific, sourced anecdote behind it; the other is a number that just happened to be free when someone asked. Not every port has a story, and that itself is worth knowing before you go looking for one.
Port 3389 — RDP
Windows Remote Desktop Protocol — like SMB's 445, one of the ports most frequently found exposed to the open internet by mistake, and consequently one of the most consistently scanned and brute-forced ports on the entire internet.
Port 4444 — the "default demo port" that became a red flag
No single canonical origin story here, but 4444 has an outsized reputation because it's the long-standing default listener port in Metasploit for reverse shells, which means in any security-monitoring context, an unexpected outbound connection on 4444 is treated as close to a de facto malware signature — a rare case of a number's reputation mattering more than its registration.
Port 5000 — Flask, UPnP, and a genuinely modern conflict story
For years this was simply "the Flask default." Then Apple shipped AirPlay Receiver as a built-in macOS feature starting with Monterey (2021), and AirPlay Receiver claims port 5000 (and 7000) by default on the Mac — which meant a huge number of Python developers on Apple hardware quietly started seeing broken connections or blank pages where their local Flask app used to be, with no code change on their end at all. It's a rare example of two completely unrelated software ecosystems (a 2010s Python microframework and a mid-2020s Apple streaming feature) colliding over the exact same registered port purely by coincidence, and it's why current Flask guidance for Mac users increasingly nudges toward 5001 or explicitly disabling AirPlay Receiver.
Port 5432 — PostgreSQL
Postgres's registered default, notable mostly for being one of the few major-database ports that essentially never collides with anything else in common use, unlike MySQL's 3306 (frequently shared with MariaDB, which is API/port-compatible by design) or 5000's AirPlay mess above.
Port 5900 — VNC
Remote desktop / screen sharing, predating RDP by several years and still the base protocol several remote-support tools build on top of.
Port 6379 — Redis, and the best origin story in this entire post
In 2007, Salvatore Sanfilippo (known as "antirez") was running a small startup and needed a port for the database he was building. He and his friends had a long-running inside joke, coined after watching Italian TV personality Alessia Merz make amusingly hollow-sounding comments on air: they called something "merz" when it looked silly on the surface but had real depth underneath — which is exactly how an all-in-memory database sounded to a lot of people in 2007, before it became one of the most widely deployed pieces of infrastructure on the internet. On a phone keypad, the digits 6-3-7-9 spell M-E-R-Z. He picked the port for the joke, and the joke turned out to describe the project uncannily well.
Ports 6666 / 6667 (and 6697) — IRC, for real this time
As mentioned above under port 194, this is where IRC actually lives in practice — 6667 plaintext, 6697 for TLS — a registered-range convention so much stronger than IRC's own well-known-range assignment that most IRC documentation doesn't even mention 194.
Ports 8000 / 8080 / 8443 / 8888 — the "alt-HTTP" family
8080 is officially registered with IANA as http-alt. Its popularity as the alternate HTTP port is generally attributed to a mix of practical and mnemonic reasons rather than one clean origin story: it doesn't require root privileges the way port 80 does, and "8080" reads as "80, doubled" — an easy pattern for a developer to remember and type. Apache Tomcat adopted it as its default decades ago, the wider Java ecosystem (and later Jenkins) followed, and the convention was essentially locked in. 8443 is the equally common alt-HTTPS counterpart, 8000 shows up constantly in Python and Django tutorials, and 8888 is the default for Jupyter Notebook — none of the four hold a hard technical claim to the number, they're all just conventions that stuck.
Port 9000 — PHP-FPM, SonarQube, Portainer, and a genuinely crowded number
Unlike most entries here, 9000 doesn't have one dominant identity — it's a recurring collision point where multiple, unrelated pieces of infrastructure independently picked the same "nice round number in the 9000s" convention, which makes it one of the more common real-world port conflicts developers hit when running several dev tools on one machine.
Port 9090 — Prometheus, Port 9200 — Elasticsearch, Port 9042 — Cassandra
Three of the most common ports you'll see in a modern observability or data-platform stack, all in the same "round-number-in-the-9000s" family as 9000 above, all registered independently by their respective projects with no shared reasoning between them.
Port 11211 — Memcached
An unusually specific-looking number for what is, again, just a registered choice with no documented deeper meaning — notable mostly because for years, misconfigured Memcached servers left open to the internet became one of the most powerful DDoS amplification vectors ever measured, with amplification factors reported in the tens of thousands to one, dwarfing even the NTP and chargen issues mentioned earlier.
Port 25565 — Minecraft
Genuinely one of the most-asked "why this number" questions on the entire internet, and the honest, sourced answer is: there isn't a documented reason. Notch picked a number above the well-known range (correctly avoiding 0–1023) and it wasn't already in wide use — beyond that, no interview or changelog spells out anything more specific. It's the MySQL-3306 pattern again: an enormous, globally recognized number with zero folklore behind it, which is itself worth knowing so you don't repeat an invented explanation as fact.
Port 27015 — Source engine games (Steam)
Valve's default for Source-engine game servers (Counter-Strike, Team Fortress 2, and others), plus Steam's own matchmaking and server-browser traffic — one of the rare entries here shared across an entire commercial game engine rather than a single product.
Port 27017 — MongoDB
Same story as 3306 and 25565: a registered, uncontroversial, globally recognized default with no documented origin story beyond "it was available." Three of the most-searched port numbers on the internet — 3306, 25565, 27017 — all resolve to the same anticlimactic answer, and that pattern is itself the more useful thing to take away than any single invented explanation would be.
Port 31337 — "eleet," and the one entry that's a joke on purpose
In leetspeak, 31337 reads as "eleet" → "elite." The Cult of the Dead Cow's Back Orifice, a remote-access tool unveiled at DEF CON in August 1998, used 31337 as its default listening port, cementing the number's identity in security folklore for good. Unlike Redis's 6379 (a private joke that happened to end up in mainstream production infrastructure) or Minecraft's 25565 (no story at all), 31337 is a joke that was meant to be recognized by the audience it was aimed at — hacker culture — from day one. Today, seeing 31337 in a firewall log is treated by most security tooling as close to an automatic red flag, precisely because almost nothing legitimate has a reason to use it.
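The port-reputation signals described for 4444 and 31337, together with the exposure problems the post attributes to chargen, echo, NTP, Memcached, Telnet, SMB and RDP, can be written as detection logic over flow logs. This is an added example, not code from the original post; the log format, the 10.0.0.0/8 internal network and every sample line are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumption: the monitored network is 10.0.0.0/8; every other address is external.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Ports the article singles out, grouped by why a defender cares about them.
REPUTATION_TCP = {4444: "Metasploit default listener", 31337: "Back Orifice default"}
AMPLIFIABLE_UDP = {7: "echo", 19: "chargen", 123: "ntp", 11211: "memcached"}
EXPOSED_TCP = {23: "telnet", 445: "smb", 3389: "rdp"}

# Constructed sample, made-up format: <time> <proto> <src>:<port> > <dst>:<port> <action>
SAMPLE_LOG = """\
2026-01-10T09:00:01Z tcp 10.1.2.3:49822 > 203.0.113.50:4444 allow
2026-01-10T09:00:02Z tcp 10.1.7.7:50100 > 198.51.100.20:31337 deny
2026-01-10T09:00:03Z udp 198.51.100.77:40000 > 10.0.0.5:19 allow
2026-01-10T09:00:04Z udp 203.0.113.80:53211 > 10.0.0.8:11211 allow
2026-01-10T09:00:05Z udp 203.0.113.80:53211 > 10.0.0.9:123 deny
2026-01-10T09:00:06Z tcp 203.0.113.66:60123 > 10.0.0.20:3389 allow
2026-01-10T09:00:07Z tcp 10.1.2.3:4444 > 203.0.113.9:443 allow
2026-01-10T09:00:08Z tcp 10.1.2.3:50000 > 10.0.0.30:445 allow
this line is truncated
"""


class Flow(NamedTuple):
    proto: str
    src_internal: bool
    dst_internal: bool
    dst_port: int
    allowed: bool


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for anything malformed."""
    try:
        _ts, proto, src, _arrow, dst, action = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        return Flow(
            proto=proto.lower(),
            src_internal=ipaddress.ip_address(src_ip) in INTERNAL_NET,
            dst_internal=ipaddress.ip_address(dst_ip) in INTERNAL_NET,
            dst_port=int(dst_port),
            allowed=(action == "allow"),
        )
    except ValueError:
        return None


def classify(flow: Flow) -> Optional[tuple]:
    """Return (rule, service) for a notable flow, else None. Only the destination port counts."""
    inbound = not flow.src_internal and flow.dst_internal
    # An internal host reaching for a reputation port is notable even if the firewall denied it.
    if flow.proto == "tcp" and flow.src_internal and flow.dst_port in REPUTATION_TCP:
        return "reputation-port", REPUTATION_TCP[flow.dst_port]
    # External traffic allowed through to a UDP service that can act as a reflector.
    if flow.proto == "udp" and inbound and flow.allowed and flow.dst_port in AMPLIFIABLE_UDP:
        return "amplifiable-udp-exposed", AMPLIFIABLE_UDP[flow.dst_port]
    # External traffic allowed through to a service that should not face the internet.
    if flow.proto == "tcp" and inbound and flow.allowed and flow.dst_port in EXPOSED_TCP:
        return "exposed-service", EXPOSED_TCP[flow.dst_port]
    return None


def scan(log_text: str) -> list:
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        flow = parse_flow(line)
        hit = classify(flow) if flow else None
        if hit:
            findings.append((line_no, *hit))
    return findings


if __name__ == "__main__":
    for line_no, rule, service in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule} ({service})")
```

A destination-port match is a triage signal rather than proof of compromise; sample line 7, where 4444 appears only as a source port, shows why the rules ignore source ports.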
The Dynamic / Private range (49152–65535): the ports you never register
The top of the range is deliberately the opposite of everything above it: IANA explicitly will not register assignments here. These are ephemeral ports — the source port your OS picks automatically every time your browser, phone, or CLI tool opens an outbound connection. When you connect to https://example.com:443, the destination is the well-known port 443, but your own machine is simultaneously using some throwaway number up here as the source port for that specific connection, discarded the moment the connection closes. Different operating systems don't even agree on exactly where this range starts in practice — Linux's default ephemeral range (net.ipv4.ip_local_port_range) commonly starts lower than IANA's official 49152 floor — which is a small, telling reminder that IANA's three-tier split is a convention major implementations mostly, but not perfectly, follow.
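An added example (not from the original post) that probes both ends of the range on the machine it runs on: the privileged-port check described near the top, the port-0 "let the OS pick" behaviour, and the OS ephemeral range compared with IANA's 49152 floor. It assumes loopback binds are permitted; ip_unprivileged_port_start is a Linux sysctl the post does not mention, and on non-Linux systems both sysctl fields come back as None.

```python
import errno
import socket
from pathlib import Path
from typing import Optional, Tuple

IANA_DYNAMIC_FLOOR = 49152  # start of the Dynamic / Private range (RFC 6335)
PROC_NET = Path("/proc/sys/net/ipv4")  # Linux-only; absent on macOS and BSD


def iana_tier(port: int) -> str:
    """Map a port to the three-tier split from the table near the top."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"not a 16-bit port: {port}")
    if port < 1024:
        return "well-known"
    return "registered" if port < IANA_DYNAMIC_FLOOR else "dynamic"


def read_sysctl_ints(name: str) -> Optional[Tuple[int, ...]]:
    """Read a whitespace-separated integer sysctl, or None if it is unavailable."""
    try:
        return tuple(int(v) for v in (PROC_NET / name).read_text().split())
    except (OSError, ValueError):
        return None


def try_bind(port: int) -> Tuple[str, Optional[int]]:
    """Bind a loopback TCP socket; return (outcome, port the socket actually got)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.bind(("127.0.0.1", port))
            return "bound", sock.getsockname()[1]
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied", None  # the privileged-port check (or a sandbox) refused
        if exc.errno == errno.EADDRINUSE:
            return "in-use", None
        return "error", None


def survey(low_port: int = 1023) -> dict:
    """Collect what this host does at both ends of the port range."""
    _, picked = try_bind(0)  # port 0 means "kernel, choose a free port for me"
    eph = read_sysctl_ints("ip_local_port_range")
    unpriv = read_sysctl_ints("ip_unprivileged_port_start")
    return {
        "low_port_bind": try_bind(low_port)[0],
        "unprivileged_port_start": unpriv[0] if unpriv else None,
        "kernel_picked_port": picked,
        "kernel_picked_tier": iana_tier(picked) if picked else None,
        "os_ephemeral_range": eph if eph and len(eph) == 2 else None,
        "ephemeral_below_iana_floor": eph[0] < IANA_DYNAMIC_FLOOR if eph else None,
    }


if __name__ == "__main__":
    for key, value in survey().items():
        print(f"{key}: {value}")
```

On a Linux host with default settings the kernel-picked port typically lands in IANA's "registered" tier, which is the mismatch the paragraph above describes.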
Wrapping up: the pattern behind the numbers
Walking the full range in order surfaces a small number of repeating patterns, and once you can name them, "why is this the port number" stops being one mystery and becomes a short multiple-choice question:
- It's a real, documented historical decision. SSH's 22 (between FTP and Telnet), Redis's 6379 (a phone-keypad inside joke), and 31337 (deliberate leetspeak) are all genuinely sourced stories, not folklore.
- It's a convention that won by adoption, not by any special property of the number. 8080 as "80 doubled," 3000 as "whatever Rails used first," Jupyter's 8888 — these stuck because enough tools copied the first mover, not because IANA or anyone else declared them special.
- There's no story, and that's the correct answer. 3306, 25565, and 27017 are three of the most globally recognized port numbers in software, and all three trace back to nothing more than "it was available when we registered it." Resist the urge to backfill a clean explanation where the honest one is "arbitrary."
- The number looks empty because usage died, not because the assignment did. Gopher (70), Finger (79), and the chargen/echo family (19/7) are still technically assigned; they're just no longer running anywhere that matters, mostly for reasons ranging from "lost to a better protocol" to "became a DDoS liability."
None of that requires memorizing all 65536 numbers — it just means the next time a port number looks arbitrary, patchy, or oddly specific, there's a decent chance it's exactly one of these four things, and now you know which question to ask.
References
- How SSH got to be on port 22 — APNIC Blog
- The (uncomplicated) story of getting SSH port 22, from its author
- The origin of Redis port 6379 / Redis Watch trivia archive
- Back Orifice — Wikipedia
- RFC 6335 — IANA Procedures for Port Number Management
- Reserved: Dissecting Internet Traffic on Port 0 (arXiv)
- AirPlay Receiver can interfere with Flask apps — alexwlchan
- Chris's Wiki: BSD r-commands and privileged ports
Port ranges and registrations referenced here follow IANA's current service name and port number registry; a handful of long-tail "why this number" claims (Minecraft's 25565, MongoDB's 27017, Rails' 3000-as-convention) have no official documented origin beyond community consensus, and are called out as such rather than presented as sourced history.