ThreatFoundacademy
Network Security & Defense

TCP/IP & the ports that matter

The model under everything, and the services attackers look for first.


Every attack eventually rides on TCP/IP. You don’t need to memorise RFCs, but you must know how hosts find each other and how services are exposed.

The layers, briefly

  • IP — addressing and routing between hosts.
  • TCP — reliable, ordered, connection-oriented; uses ports to multiplex services.
  • UDP — fast, connectionless (DNS, QUIC, some VPNs).

Ports attackers check first

  • 22 SSH · 80/443 HTTP(S) · 3389 RDP · 445 SMB · 3306 MySQL · 5432 Postgres · 6379 Redis · 27017 MongoDB.
  • Databases and caches exposed to the internet with no auth are a recurring, severe finding.

    nmap -sV -Pn target.com         # service + version detection
    nmap -p 6379 --open 10.0.0.0/24 # find exposed Redis on a subnet

Port scanning is intrusive and noisy. Only scan hosts you own or that are explicitly in an authorised scope.

Defense

Expose the minimum: bind services to localhost where possible, firewall default-deny, segment networks, and require auth + TLS on everything that must be reachable.
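A defender-side check for the "bind to localhost" advice above, written as an added example (not ThreatFound's code): it parses Linux `ss -tln` output and flags any of the ports from the list above that listen on a non-loopback address. The `ss` column layout and the sample output are assumptions; the sample is constructed, not captured from a real host.

```python
import re

# Ports from the article's "Ports attackers check first" list.
HIGH_RISK_PORTS = {
    22: "SSH", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 445: "SMB",
    3306: "MySQL", 5432: "Postgres", 6379: "Redis", 27017: "MongoDB",
}
LOOPBACK = {"127.0.0.1", "::1"}

# Local Address:Port column of `ss -tln`: 0.0.0.0:6379, [::]:22, *:80 ...
_ADDR_RE = re.compile(r"^(\*|\[[^\]]*\]|[^:\s]+):(\d+)$")

def split_local(addr_port):
    """Return (address, port) from an ss local-address column, or None."""
    m = _ADDR_RE.match(addr_port)
    return (m.group(1).strip("[]"), int(m.group(2))) if m else None

def exposed_high_risk(ss_output, allowed=frozenset()):
    """List (port, service, bind address) for high-risk ports that listen on
    something other than loopback; ports in `allowed` are intentionally
    public (e.g. a web server's 443) and are skipped."""
    findings = []
    for line in ss_output.splitlines()[1:]:       # first line is the header
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        parsed = split_local(cols[3])
        if parsed is None:
            continue
        addr, port = parsed
        if port in HIGH_RISK_PORTS and port not in allowed and addr not in LOOPBACK:
            findings.append((port, HIGH_RISK_PORTS[port], addr))
    return sorted(findings)

# Constructed sample `ss -tln` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379      0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432    0.0.0.0:*
LISTEN 0      4096   [::1]:3306        [::]:*
LISTEN 0      4096   [::]:27017        [::]:*
LISTEN 0      128    *:3389            *:*
"""

if __name__ == "__main__":
    for port, svc, addr in exposed_high_risk(SAMPLE_SS, allowed={22, 80, 443}):
        print(f"{svc} ({port}) listening on {addr}: bind to loopback or firewall it")
```

On a live host, feed it `subprocess.run(["ss", "-tln"], capture_output=True, text=True).stdout` instead of the constructed sample.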