Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Well Known Ports

Training Camp • Cybersecurity Glossary

What is Well Known Ports?

TCP/UDP ports 0-1023, reserved by IANA for core services like HTTP (80), HTTPS (443), SSH (22), and assigned under RFC 6335.

Glossary > Network Security > Well Known Ports

Well Known Ports — TCP/UDP ports 0-1023

Understanding Well Known Ports

Well-known ports are the TCP and UDP port numbers in the range 0 through 1023, reserved by the Internet Assigned Numbers Authority (IANA) for core, standardized network services. Assigning fixed numbers to common protocols, such as HTTP on 80, HTTPS on 443, SSH on 22, and FTP on 21, lets clients reliably reach the right service on any host without prior negotiation.

These assignments are maintained in the IANA Service Name and Transport Protocol Port Number Registry, governed by RFC 6335. They sit below the registered ports (1024 to 49151) and the dynamic/ephemeral ports (49152 to 65535). On Unix-like systems, binding a service to a well-known port traditionally requires elevated privileges, a control meant to prevent unprivileged users from impersonating trusted services.

Well-known ports matter for security because they are both predictable and high-value, making them prime targets for scanning and attack. Defenders harden them by closing unneeded services, restricting access with firewall rules and ACLs, enforcing TLS on services that support it, and monitoring for anomalous traffic. Attackers, conversely, probe these ports first and sometimes run malicious services on standard ports to blend in, or run legitimate services on nonstandard ports to evade naive controls, so monitoring should not assume a port number guarantees the expected protocol.

For example, an enterprise hardens an internet-facing server by allowing inbound traffic only on TCP 443 for HTTPS and disabling the cleartext HTTP listener on port 80 except for redirects. It blocks all other well-known ports at the firewall, disables unused services like Telnet on port 23, and runs periodic port scans to confirm no unexpected service has appeared on a low port. Continuous monitoring then flags if, say, traffic on port 443 stops looking like TLS, catching an attacker tunneling another protocol through an allowed well-known port.

Learn More About Well Known Ports:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →