Internet Ports & Port Blocking
Ports
Hosts (computers, end users) on the Internet are addressed with IP addresses.
A particular host may be running multiple applications and multiple sessions. The specific session or application that the computer should deliver the packet to is identified by a port number. [RFC 793 Sec. 2.7 ("To identify the separate data streams that a TCP may handle, the TCP provides a port identifier.")] [RFC 6335 Sec. 3 ("Ports serve two purposes: first, they provide a demultiplexing identifier to differentiate transport sessions between the same pair of endpoints, and second, they may also identify the application protocol and associated service to which processes connect.")]
The destination port number and the source port number are part of the transport protocol header in the Transmission Control Protocol, User Datagram Protocol, or equivalent. [RFC 6335] [BITAG 2.2]
The combination of port numbers and IP addresses will uniquely identify a "session." [RFC 6335 Sec. 3 ("Ports are 16-bit numbers, and the combination of source and destination port numbers together with the IP addresses of the communicating end systems uniquely identifies a session of a given transport protocol.")] [BITAG 2.2 ("In the architecture of the Internet, communication between two systems is identified by five fields: (1) the source IP address, (2) the destination IP address, (3) the transport protocol in use, (4) the source port, and (5) the destination port used by the transport protocol")]
Different applications are assigned different port numbers. These numbers are assigned by IANA and published in its Internet Port Number Assignments registry. [RFC 6335]
There are several different ranges of port numbers: [RFC 6335 Sec. 6] [BITAG 2.2]
- System Ports or Well Known Ports: 0-1023 (assigned by IANA)
- User Ports or Registered Ports: 1024-49151 (assigned by IANA)
- Dynamic Ports or Private Ports: 49152-65535 (unassigned)
An application or service may be "port-agile," i.e. able to switch the ports that it uses. Where services are port-agile, the effectiveness of port blocking may be limited.
Example
Joe wants to view a webpage. Webservers listen on the Well Known Port 80. Joe will therefore send a request to the IP address of the webserver with the port number of 80. The webserver needs to know how to respond. Joe will provide the source IP address of his computer along with a Dynamic Port number in order to uniquely identify the session. For example, Joe's computer may pick the Dynamic Port Number 37277. Receiving this request from Joe, the webserver will reply, using Joe's IP address as the destination IP address and 37277 as the destination port number. Each session and each user will be identified by unique IP addresses (unique to the specific host) and unique port numbers (unique to the service or session on the computer). [BITAG 2.2]
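The five fields described above, decoded from a packet and then mapped to the RFC 6335 ranges, as an added example that is not code from this page or from BITAG. The addresses, the SYN packet and its zeroed checksums are constructed sample values; Joe's port 37277 is taken from the example text.

```python
import struct
from ipaddress import IPv4Address

def port_range(port: int) -> str:
    """Name the RFC 6335 Sec. 6 range a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError("ports are 16-bit numbers")
    if port <= 1023:
        return "System (Well Known)"
    if port <= 49151:
        return "User (Registered)"
    return "Dynamic (Private)"

def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header + TCP SYN header, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

def five_tuple(packet: bytes) -> dict:
    """Extract src IP, dst IP, protocol, src port, dst port from an IPv4 packet carrying TCP or UDP."""
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    proto = packet[9]
    if proto not in (6, 17):                 # only TCP (6) and UDP (17) carry port numbers
        raise ValueError(f"protocol {proto} has no ports")
    # Source and destination port are the first two 16-bit fields of both TCP and UDP headers.
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src_ip": str(IPv4Address(packet[12:16])), "dst_ip": str(IPv4Address(packet[16:20])),
            "proto": proto, "src_port": sport, "dst_port": dport}

def session_key(t: dict) -> tuple:
    """Direction-independent key: request and reply swap source/destination but are one session."""
    ends = sorted([(t["src_ip"], t["src_port"]), (t["dst_ip"], t["dst_port"])])
    return (t["proto"], *ends)

if __name__ == "__main__":
    # Joe (192.0.2.10, constructed) fetches a page from 198.51.100.80 (constructed).
    request = five_tuple(build_ipv4_tcp("192.0.2.10", "198.51.100.80", 37277, 80))
    reply = five_tuple(build_ipv4_tcp("198.51.100.80", "192.0.2.10", 80, 37277))
    print(request["dst_port"], port_range(request["dst_port"]))   # 80 System (Well Known)
    # OS ephemeral ranges (Linux default 32768-60999) overlap the IANA User range, so a
    # host's "dynamic" pick is not always inside the RFC 6335 Dynamic range.
    print(request["src_port"], port_range(request["src_port"]))   # 37277 User (Registered)
    print(session_key(request) == session_key(reply))             # True
```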
Port Blocking
Traffic Management
Traffic can be managed in several different ways, using particular header fields of an Internet packet.
Traffic can be managed using the source or destination IP address, the source or destination port number, the Internet protocol version, or...... Traffic can also be managed either through refusing to interconnect or refusing to augment interconnection capacity, thereby creating congestion and effectively blocking traffic.
The network operator can manage traffic by blocking (a.k.a. filtering) it, redirecting it, changing its priority, changing its routing, or by other means. This discussion will focus on blocking, but other techniques are viable as well.
"Port blocking allows an application to prevent other applications from performing specific binds to the ports within a specified range." - Microsoft Technet, Windows TCP/IP Ephemeral, Reserved, and Blocked Port Behavior. (In this Windows usage a host restricts which local ports its own applications may bind, a different mechanism from the network-level blocking discussed here.)
Incentives
Network Operators may have the incentive to manage their network. They may wish to block malicious and damaging traffic. They may have the incentive to block unwanted traffic over their network, including traffic which competes with the network's other services (for example, OTT VoIP competing with the network service provider's telephone service, or OTT Video competing with the network service provider's MVPD cable video service). In effect, Network Service Providers have an incentive to create barriers to market entry for rival competing services.
However, generally, demand for OTT applications drives demand for broadband services (see virtuous circle); blocking OTT applications degrades demand for broadband services.
End Users may have the incentive to know what applications and services they can use over their Internet access. They also may have the incentive to be protected from malicious traffic.
Application Service Providers have an incentive to know what resources are available on different networks, in order to know whether their applications will work, how to engineer their applications, and whether their investments in their services will produce a return on investment (ROI).
Regulators have the incentive to promote the delivery of communications services to consumers. In post-liberalization policy, it is accepted that consumer welfare is achieved best through a competitive services market. Blocking ports in order to block competitive services, creating barriers to market entry, therefore is contrary to a policy that is seeking to achieve consumer welfare through competitive entrants. Further, as seen with the Computer Inquiries, the regulator sees its mission as ensuring that the communications infrastructure supports the needs and demands of the end users; a network frustrating end users by denying their use of desired applications and services is therefore contrary to that mission.
Ability: Port Blocking
Blocking a port may degrade the performance of applications and services to which that port is assigned. The impact of the port blocking depends upon which ports are blocked, the application or service, and the location of the port blocking.
Some service providers offer end-users the ability to opt-out of having ports blocked on their network service.
A number of typically blocked ports and the reason that they are blocked are listed below.
The magnitude of the ability of a network service provider to achieve its incentives through port blocking depends in part on the degree to which the network is a terminating monopoly and the value of its network effect (the size of its customer base).
Location of Port Blocking
Ports are part of TCP or UDP. [RFC 793 Sec. 2.1] Processing of ports can be done at the router.
Port blocking is typically implemented at one of three locations:
- The border router, where the network interconnects with other networks
  - Pros: potentially keeps malicious traffic from entering the network; easier to administer
  - Con: does not keep customers of that network from sending traffic to each other
- The aggregation router, where the network provides access to end users
- The end user's CPE
  - Cons: more difficult to administer; the end user may be operating their own CPE
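The effect of enforcement location described in the list above, as an added example that is not the page's own code: one destination-port block list evaluated at the border, the aggregation router and the CPE. The customer prefix 192.0.2.0/24 and the block list are constructed sample values (the ports are ones that appear in the page's assignment table).

```python
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("192.0.2.0/24")   # the operator's own access customers (constructed)
BLOCKED_DST_PORTS = {25, 135, 139, 445}     # sample block list (constructed)

def is_customer(ip: str) -> bool:
    return ip_address(ip) in CUSTOMER_NET

def crosses_border(src: str, dst: str) -> bool:
    """A border router only sees packets that enter or leave the operator's network."""
    return is_customer(src) != is_customer(dst)

def is_blocked(location: str, src: str, dst: str, dport: int) -> bool:
    """Would a packet to dport be dropped by a block rule installed at `location`?"""
    if dport not in BLOCKED_DST_PORTS:
        return False
    if location == "border":
        return crosses_border(src, dst)
    if location in ("aggregation", "cpe"):
        # Sits on the customer's access link, so it sees everything that customer sends or receives.
        return is_customer(src) or is_customer(dst)
    raise ValueError(f"unknown enforcement point: {location}")

if __name__ == "__main__":
    # Customer-to-customer traffic on a blocked port never reaches the border filter
    # (the "Con" above) but is caught on the access side.
    print(is_blocked("border", "192.0.2.10", "192.0.2.20", 445))        # False
    print(is_blocked("aggregation", "192.0.2.10", "192.0.2.20", 445))   # True
    # Inbound from the Internet is caught at either point; unlisted ports pass everywhere.
    print(is_blocked("border", "203.0.113.5", "192.0.2.10", 25))        # True
    print(is_blocked("cpe", "203.0.113.5", "192.0.2.10", 80))           # False
```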
VoIP Port Blocking
Detection of Port Blocking
See also Statistics | Assessment | Forensics
- Treachery Unlimited Port Lookup Search Results
- Port Authority Database (probe individual ports)
- Mantid : Web-Based Discriminatory Port Blocking Measurement, MIT
- Netalyzer
- Port Lookup Utility , Treachery Unlimited (look up what vulnerabilities are associated with different ports)
- Port monitoring Internet Storm Center (replace the number in the URL with the port you want to see a graph for)
Disclosure of Port Blocking
Port Assignment Table
Port | Assignment | Blocked (reason blocked)
20 | FTP |
23 | Telnet |
25 | SMTP |
42 | |
69 | TFTP |
80 | HTTP |
111 | SUNRPC |
135 | NetBIOS |
136 | NetBIOS |
137 | NetBIOS |
138 | NetBIOS |
139 | NetBIOS |
161 | SNMP |
162 | SNMPTRAP |
445 | Microsoft-DS |
515 | |
593 | |
1034 | |
1035 | |
1433 | MS-SQL |
1434 | MSSQL |
1900 | MS-DS/NetBios |
2002 | Cisco Secure Access Control Server |
2048 | CISCO IOS Webcache |
2090 | |
2091 | |
2745 | |
3127 | |
4156 | |
4444 | |
5000 | |
5060 | SIP |
5554 | |
6346 | |
6777 | |
6801 | |
6802 | |
6803 | |
8040 | |
8998 | |
9900 | |
9901 | |
9996 | |
10080 | |
12080 | |
12120 | |
12122 | |
22555 | |
26133 | |
27374 | |
30582 | |
35061 | |
38000 | |
38100 | |
38200 | |
41170 | |
47563 | |
48310 | |
51200 | |
51201 | |
56464 | |
57375 | |
© Cybertelecom
Documents
- Broadband Internet Technical Advisory Group (BITAG), Port Blocking (2013)
- IETF
  - M. Cotton, L. Eggert, J. Touch, M. Westerlund, S. Cheshire, Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry, RFC 6335, August 2011, ISSN 2070-1721
  - Transmission Control Protocol, RFC 793, September 1981
  - J. Postel, NWG RFC 349, Proposed Standard Socket Numbers (May 30, 1972) ("I propose that there be a czar (me ?) who hands out official socket numbers for use by standard protocols. This czar should also keep track of and publish a list of those socket numbers where host specific services can be obtained.")
- Beverly R., Bauer S., Berger A. (2007) The Internet Is Not a Big Truck: Toward Quantifying Network Neutrality. In: Uhlig S., Papagiannaki K., Bonaventure O. (eds) Passive and Active Network Measurement. PAM 2007. Lecture Notes in Computer Science, vol 4427. Springer, Berlin, Heidelberg
Links
- Arbor Atlas Summary Report: Global Scans (summary of port scans that are taking place)
- Trojan List Sorted on Trojan Port Simovitz
- Microsoft Technet How to block specific network protocols and ports by using IPSec
- SANS Institute - Intrusion Detection FAQ: What Port Numbers do well-known Trojan horses use?
Network Ports Policies
- Network access disabled by the University (Internet and port blocks), Yale University ITS (list of blocked ports is password protected)
- BYU IT Blocked Ports (lots)
- "All Internet ports not needed for Internet browsing and simple email communications are blocked." - Community Wireless Internet, Town of Amherst, Massachusetts