Port Basics Encyclopedia and common port controls

Source: Internet
Author: User
Tags: ftp, ssh, firewall


Port basics

1) Well-known ports: 0 to 1023. These are tightly bound to specific services, so traffic on one of them normally identifies the protocol of that service unambiguously. For example, port 80 is essentially always HTTP traffic.

2) Registered ports: 1024 to 49151. These are only loosely bound to services: many services are registered on them, but the same ports are also used for many other purposes. For example, many systems allocate their dynamic (ephemeral) ports starting at about 1024.

3) Dynamic and/or private ports: 49152 to 65535. In theory no service should be assigned one of these ports. In practice, most machines allocate dynamic ports starting from 1024, with exceptions: Sun's RPC ports start at 32768.

The rest of this section describes what it usually means when a given TCP/UDP port shows up being scanned in a firewall log. Remember: ICMP has no ports. If you want to interpret ICMP records, see the other parts of this article.

0 Typically used to fingerprint the operating system. This works because port 0 is an invalid port on some systems, and connecting to it produces a different response than connecting to an ordinary closed port. A typical scan uses a destination IP address of 0.0.0.0, sets the ACK bit, and broadcasts at the Ethernet layer.

1 tcpmux This shows someone looking for SGI IRIX machines. IRIX is the main vendor that implements tcpmux, and it is enabled by default on that system. IRIX machines shipped with several default accounts that had no password, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox and 4Dgifts, and many administrators forgot to delete these accounts after installation. Hackers therefore search the Internet for tcpmux and then try these accounts.

7 echo You will see many probes sent to x.x.x.0 and x.x.x.255 by people searching for Fraggle amplifiers. A common DoS attack is the echo loop: the attacker forges a packet so that it appears to come from one machine's echo service and is delivered to another's, and the two machines then bounce replies back and forth as fast as they can (see chargen). Something else you may see is DoubleClick making TCP connections to this port. A product called Resonate Global Dispatch connects to this port on DNS servers to determine the closest route. Harvest/Squid caches send UDP echo from port 3130: "If the cache option source_ping is on, it will respond with a HIT reply to the UDP echo port of the original host." This produces many such packets.

11 sysstat This is a UNIX service that lists all processes running on the machine and who started them. It gives an intruder a great deal of information that threatens the machine's security, such as revealing programs with known vulnerabilities or accounts. It is similar to the output of the ps command on UNIX systems. (Again, ICMP has no ports: an "ICMP port 11" in a log is usually ICMP type 11.)

19 chargen This is a service that only sends characters. The UDP version responds to any received packet with a packet full of junk characters; the TCP version sends a stream of junk characters until the connection is closed. Hackers use IP spoofing to launch DoS attacks with it: forging UDP packets between two chargen servers, or between a chargen server and an echo server, makes the servers try to answer each other endlessly, so traffic bounces between them without limit and overloads them. Similarly, the Fraggle DoS attack broadcasts packets with the victim's spoofed IP to this port on the destination network, and the victim is overloaded by the replies.

21 FTP The most common attacker is looking for ways to open an FTP server for "anonymous" access. These servers have read-write directories, and hackers or crackers use them as nodes to distribute warez (pirated software) and pr0n (a deliberate misspelling meant to avoid being indexed by search engines).

22 ssh/pcAnywhere A TCP connection to this port may be looking for ssh. This service has a number of weaknesses; many versions that use the RSAREF library have several vulnerabilities if configured in particular ways. (It is recommended that you run ssh on a different port.) You should also note that the ssh toolkit comes with a program called make-ssh-known-hosts, which scans an entire domain for ssh hosts, so you will sometimes be scanned accidentally by someone running it. A UDP (not TCP) connection to port 5632 on the other end means a scan looking for pcAnywhere: 5632 (hex 0x1600) with its bytes swapped is 0x0016, which is 22 in decimal.

23 Telnet An intruder is searching for remote UNIX services. In most cases intruders scan this port to find out which operating system the machine is running. Using other techniques as well, the intruder will also try to find passwords.

25 SMTP The attacker (a spammer) is looking for an SMTP server through which to relay spam. Intruders' own accounts keep getting closed, so they need to dial up and use a high-bandwidth mail server to deliver a simple message to many different addresses. SMTP servers (especially Sendmail) are one of the most common ways into a system, because they must be fully exposed to the Internet and message routing is complex (exposed + complex = weakness).

53 DNS Hackers or crackers may be attempting a zone transfer (TCP), DNS spoofing (UDP), or hiding other traffic inside DNS, so firewalls often filter or log port 53. Note that you will often see port 53 as the UDP source port. Stateless firewalls typically allow this traffic on the assumption that it is a reply to a DNS query, and hackers often use this to get through a firewall.

67 and 68 BOOTP/DHCP over UDP Firewalls on DSL and cable-modem links often see large amounts of data sent to the broadcast address 255.255.255.255: these machines are asking a DHCP server for an address assignment. Hackers often answer such requests themselves, assigning an address that makes their own machine the local router, which enables many "man-in-the-middle" attacks. The client broadcasts its configuration request to port 68 (BOOTPS), and the server broadcasts its reply to port 67 (BOOTPC). The reply is broadcast because the client does not yet have an IP address that it can be sent to.
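To turn the notes above into something that can be run over a firewall log, here is an added Python example; it is not part of the original article. It classifies each event's destination port into the three ranges from the port basics section and attaches the interpretation given for ports 0, 1, 7/19, 5632, 67/68 and 53. For port 53 it does what a stateless firewall does not: an inbound UDP packet from source port 53 only counts as a DNS reply if the matching outbound query (local address, local port, resolver) was logged first. The one-line log format, the "inside" prefix 198.51.100.0/24, the outside addresses and the sample lines are all constructed for this example.

```python
"""Triage firewall log lines using the port notes above (added example)."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

LOCAL_NET = "198.51.100."  # constructed: addresses with this prefix are "inside"
LIMITED_BROADCAST = "255.255.255.255"

# Constructed log format: "PROTO src:sport > dst:dport FLAGS" (FLAGS is "-" for UDP).
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


@dataclass
class Event:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def outbound(self) -> bool:
        return self.src.startswith(LOCAL_NET)


def port_class(port: int) -> str:
    """Name the range a port falls in: the three ranges described above."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a valid port number: {port}")


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return Event(m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["flags"])


def is_broadcast_target(ip: str) -> bool:
    """x.x.x.0 / x.x.x.255 destinations, the pattern seen when hunting amplifiers."""
    return ip == LIMITED_BROADCAST or ip.endswith(".0") or ip.endswith(".255")


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, class of the destination port, interpretation) per line."""
    pending_dns: Set[Tuple[str, int, str]] = set()  # (local ip, local port, resolver)
    result = []
    for line in lines:
        e = parse_line(line)
        note = "no indicator"
        if e.outbound and e.proto == "UDP" and e.dport == 53:
            pending_dns.add((e.src, e.sport, e.dst))
            note = "outbound DNS query (remembered for reply matching)"
        elif not e.outbound and e.proto == "UDP" and e.sport == 53:
            # Stateful check: accept source port 53 only as a reply to a query we saw.
            key = (e.dst, e.dport, e.src)
            if key in pending_dns:
                pending_dns.discard(key)
                note = "DNS reply to an earlier query"
            else:
                note = "UDP source port 53 with no matching query: firewall-bypass attempt"
        elif e.dport == 0 or e.dst == "0.0.0.0":
            note = "port 0 / 0.0.0.0 probe: OS fingerprinting"
        elif e.proto == "TCP" and e.dport == 1:
            note = "tcpmux probe: looking for SGI IRIX machines"
        elif e.proto == "UDP" and e.dport in (7, 19) and is_broadcast_target(e.dst):
            note = "echo/chargen to a broadcast address: Fraggle amplifier search"
        elif e.proto == "UDP" and e.dport == 5632:
            # 5632 == 0x1600; the same two bytes in the other order are 0x0016 == 22 (ssh).
            note = "pcAnywhere scan (5632 is port 22 with the bytes swapped)"
        elif e.proto == "UDP" and e.dport in (67, 68) and e.dst == LIMITED_BROADCAST:
            note = "BOOTP/DHCP broadcast (rogue DHCP answers enable man-in-the-middle)"
        result.append((line, port_class(e.dport), note))
    return result


# Constructed sample log: 203.0.113.0/24 plays the outside, 198.51.100.0/24 the inside.
SAMPLE_LOG = [
    "TCP 203.0.113.5:44123 > 0.0.0.0:0 ACK",
    "TCP 203.0.113.5:44124 > 198.51.100.10:1 SYN",
    "UDP 198.51.100.10:40001 > 203.0.113.7:53 -",
    "UDP 203.0.113.7:53 > 198.51.100.10:40001 -",
    "UDP 203.0.113.7:53 > 198.51.100.10:40000 -",
    "UDP 203.0.113.9:1234 > 198.51.100.255:7 -",
    "UDP 203.0.113.9:1234 > 198.51.100.10:5632 -",
    "UDP 0.0.0.0:68 > 255.255.255.255:67 -",
    "TCP 203.0.113.5:44125 > 198.51.100.10:80 SYN",
]


def run_sample() -> List[Tuple[str, str, str]]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for line, cls, note in run_sample():
        print(f"{line:45s} [{cls}] {note}")
```

The order of the checks matters: the DNS reply matching runs before the port-specific rules so that a genuine reply to an earlier query is never mislabelled, and the reply entry is removed from the pending set once used so that a second packet reusing the same source port 53 and client port is flagged rather than accepted.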
