What are ephemeral ports?
Ports are used for sending and receiving data between devices, much like ships use harbour ports to send and receive goods. Ephemeral ports are temporary ports used to send and receive data.
Commonly used services have well-known port numbers associated with them: SSH uses port 22, HTTPS uses 443, and most common services run on a dedicated port in the same way.
Take SSH as an example. SSH runs on port 22. Let us call
your system A
the SSH system B
You know you need to connect to the SSH system, and you use PuTTY or any other SSH client to do so. But which port does your own system need to use?
System A needs a port for its end of the connection, and this is where ephemeral ports come into play. System A requests an ephemeral port from the OS, and the OS hands it a temporary port to use for that session. The choice is random, but the range the port is chosen from is predefined by your OS:
Linux – 32768-60999
Windows – 49152-65535
MacOS – 49152-65535
FreeBSD – 10000-65535
Ephemeral ports allow multiple client applications to establish parallel connections without interfering with each other. Once a session is completed, the port is released and can be used by any other application.
Behaviours of ephemeral ports
Even though ephemeral ports are in theory chosen randomly, patterns in how they are assigned can be observed. There are also studies of how long ports usually stay active.
Some observations from studies of how ephemeral ports are assigned:
For specific services the default ephemeral port assigned is fixed: 1521 for the Oracle database service, and 4000 for QQ, a popular instant messenger in China. Vendors do this to bring relative stability.
A one-way circulation pattern, where the system allocates free ports in order (for example, ascending) rather than reusing a port that has just been freed. For example, ports 4000 to 4100 have been assigned to a number of services; some of those services close their connections, and a new service then requests a port. Even though ports between 4000 and 4100 are now free, the system allocates a port after 4100 and only wraps around once it has completed the circulation. This is very interesting.
Another pattern is the short interval: according to studies, most systems actively use only 2-62 ports at a time.
Another identified pattern is that more than 70% of ports stay active for less than one minute, and more than 90% stay active for less than three minutes.
One thing I am interested in is observing the pattern of ephemeral ports used in your organisation and building an application to detect anomalies. For example, if all systems use port 6129 for less than a minute, but one system holds it for more than a minute, that can be suspicious. Organisations can build such applications to identify exploitation or to reduce its impact post-exploitation.
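The detection idea above, as an added example that is not code from the original post: it checks a connection snapshot against the OS ranges listed earlier, flags a session held past 60 seconds on a port that other hosts release within that time, and reports the share of sessions under one and three minutes. The records, hostnames and addresses are constructed.

```python
# Default ephemeral ranges listed in the post (inclusive).
EPHEMERAL_RANGES = {
    "linux": (32768, 60999),
    "windows": (49152, 65535),
    "macos": (49152, 65535),
    "freebsd": (10000, 65535),
}

# Constructed sample: (host, os, local_port, remote, start_s, end_s).
# Times are seconds from an arbitrary origin; end_s None = still open.
SAMPLE = [
    ("ws01", "windows", 52001, "10.0.0.9:22", 0, 20),
    ("ws02", "windows", 52001, "10.0.0.9:22", 3, 40),
    ("ws03", "windows", 52001, "10.0.0.9:22", 0, 400),  # held far longer than peers
    ("srv1", "linux", 40000, "10.0.0.5:443", 0, 100),
    ("srv1", "linux", 1025, "10.0.0.5:443", 0, 10),  # below the Linux range
    ("mac1", "macos", 60000, "10.0.0.5:443", 50, None),  # still open at snapshot
]

def in_ephemeral_range(os_name, port):
    lo, hi = EPHEMERAL_RANGES[os_name]
    return lo <= port <= hi

def duration(rec, now):
    # Seconds the port has been held; an open session is measured up to `now`.
    start, end = rec[4], rec[5]
    return (now if end is None else end) - start

def find_anomalies(records, now, limit_s=60):
    """Return (host, port, reason) for ports outside the OS range and for a
    session held past limit_s on a port that other hosts release within it."""
    by_port = {}
    for rec in records:
        by_port.setdefault(rec[2], []).append(duration(rec, now))
    out = []
    for rec in records:
        host, os_name, port = rec[0], rec[1], rec[2]
        if not in_ephemeral_range(os_name, port):
            out.append((host, port, "outside-ephemeral-range"))
        short_peers = [d for d in by_port[port] if d <= limit_s]
        if duration(rec, now) > limit_s and short_peers:
            out.append((host, port, "held-longer-than-peers"))
    return out

def lifetime_profile(records, now):
    """Share of sessions under 1 min and under 3 min (the post's 70% / 90% figures)."""
    ds = [duration(r, now) for r in records]
    return (sum(d < 60 for d in ds) / len(ds), sum(d < 180 for d in ds) / len(ds))

if __name__ == "__main__":
    print(find_anomalies(SAMPLE, now=60), lifetime_profile(SAMPLE, now=60))
```

A real deployment would feed this from periodic `ss`/`netstat` snapshots per host and tune the peer baseline per port rather than using a single 60-second limit.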