Port 999 sits in the well-known ports range (0-1023), the space reserved by IANA for fundamental Internet services. Ports like 80 (HTTP), 443 (HTTPS), and 22 (SSH) live here—protocols that billions of people depend on every day.
Port 999 is not one of those ports.
What's Officially Assigned
According to IANA, port 999 is assigned to three services:
- garcon (TCP)
- applix (UDP)
- puprouter (TCP/UDP)
These assignments date back to at least 1992, documented in RFC 1340.1 But if you search for documentation about what these protocols actually do, you'll find almost nothing. Applix appears to be related to Mac OS X RPC-based services like NetInfo.2 Garcon and puprouter remain mysteries—assigned but essentially unused.
This is the reality of the well-known ports range. Not every number got assigned to something essential. Some were claimed by services that never became widespread, leaving assigned but dormant ports scattered across the landscape.
What Security Teams Remember
If you mention port 999 to someone who worked in network security in the early 2000s, they won't think of garcon or puprouter. They'll think of DeepThroat.
DeepThroat was a remote access trojan—a full-featured backdoor that gave attackers almost complete control over infected Windows machines. It could log keystrokes, steal passwords, manipulate windows, open CD-ROM drives, capture screenshots, and more.3
Port 999 was used for DeepThroat's keyboard logger functionality.4 When security tools detected something listening on port 999, it was rarely garcon. It was usually a compromised machine with a keylogger running.
This is port 999's actual legacy—not as a home for legitimate protocols, but as a number that showed up in security alerts.
Why Unassigned Ports Matter
Port 999 raises an interesting question: what happens when a well-known port gets assigned to a service that never takes off?
The port sits there, officially claimed but practically unused. Attackers notice. Trojans and malware use these obscure assignments as camouflage. "Why is port 999 listening?" "Oh, must be applix or puprouter or something."
Unassigned and obscure ports are useful precisely because nobody expects to see them active. When legitimate services don't occupy their assigned space, malicious ones move in.
The well-known ports range was supposed to be the Internet's foundation—ports reserved for protocols everyone needs. Port 999 shows what happens when a foundation has gaps.
Checking What's Listening
If you want to see what's actually using port 999 on your system:
Linux/Mac:
Windows:
If something is listening and you don't recognize it, investigate. Port 999 has no common legitimate use in 2026. Anything running there deserves scrutiny.
The Well-Known Port That Isn't
Port 999 belongs to the well-known range by designation but not by use. It's assigned but not active. Reserved but not essential. Known to security teams but not network engineers.
It's a reminder that numbers don't make protocols matter. Usage does. And port 999—despite its prestigious address in the 0-1023 range—never found a service worth remembering.
Except by the people who cleaned up infected machines. They remember.
이 페이지가 도움이 되었나요?