What This Port Is

Port 1003 falls within the well-known ports range (0-1023)—the range reserved by IANA for system services and officially assigned protocols. But unlike most of its neighbors, port 1003 has no official assignment. It exists in an unassigned gap within the system ports, a crack where neither official governance nor public awareness has claimed ownership.

The Well-Known Ports Range

The well-known ports (0-1023) are supposed to be carefully managed. IANA assigns each port to a specific service or protocol. This is the Internet's attempt at order: "Port 22 is SSH. Port 25 is SMTP. Port 443 is HTTPS." Port 1003 breaks that pattern. It's assigned to nothing official—which means it's available to anyone.

What Actually Uses Port 1003

Fortinet FortiGate firewalls use TCP port 1003 for "policy override keepalive" traffic. This is internal communication within enterprise security appliances—the firewall talking to itself, maintaining the state of user authentication and security policies. It's legitimate infrastructure, quietly running on thousands of corporate networks without fanfare.

But port 1003 also has a darker history. BackDoor 2.0x, a trojan from the late 1990s and early 2000s, exploited this port's obscurity to hide command-and-control traffic. The port was unassigned, unmonitored, under the radar.

This is the pattern with unassigned ports in the well-known range: when something official doesn't claim a port, legitimate enterprise software and malware fill the void together.

How to Check What's on Port 1003

To see if anything is listening on port 1003:

On macOS or Linux:

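# Show the process holding port 1003 (run as root to see other users' processes)
lsof -nP -i :1003
# -w matches 1003 as a whole number, so 10030 or 11003 are not reported
netstat -an | grep -w 1003
ss -an | grep -w 1003    # Linux only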

On Windows:

netstat -ano | findstr /C:":1003 "
Get-NetTCPConnection -LocalPort 1003

From another machine (network scanning):

nmap -p 1003 <target-ip>

If port 1003 is open and you don't know why, check:

  • Whether Fortinet FortiGate or other Fortinet products are installed
  • Your running services and applications
  • Security scanning tools, to see what has bound to this port
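
To go from "something is listening" to "which process owns it", the following added example (not from the original page) filters `ss -Hltnp` output for listeners bound to exactly port 1003 and prints the address, process name and PID. The function names and the sample lines are constructed for illustration; it assumes Linux with iproute2's `ss`.

```shell
#!/bin/sh
# Added example: report listeners bound to exactly one TCP port.
# On a live Linux host (root is needed to see other users' processes):
#   ss -Hltnp | listeners_on_port 1003

listeners_on_port() {
    # $1 = port number; stdin = lines of `ss -Hltnp` output (no header)
    awk -v want="$1" '
    {
        local_addr = $4
        # The port is whatever follows the LAST colon, so 0.0.0.0:1003 and
        # [::]:1003 both match while 10030 and 11003 never do.
        n = split(local_addr, parts, ":")
        if (parts[n] != want) next

        # The process column looks like users:(("name",pid=123,fd=4)).
        # It is absent when ss lacks the privilege to see the owner.
        proc = "unknown"; pid = "-"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
        printf "%s\t%s\t%s\n", local_addr, proc, pid
    }'
}

# Constructed sample of `ss -Hltnp` output; "mysvc" is a made-up process name.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:1003 0.0.0.0:* users:(("mysvc",pid=4312,fd=7))
LISTEN 0 128 127.0.0.1:10030 0.0.0.0:* users:(("node",pid=2290,fd=21))
LISTEN 0 5 [::]:1003 [::]:* users:(("mysvc",pid=4312,fd=8))
LISTEN 0 64 0.0.0.0:11003 0.0.0.0:*
EOF
}

# Demo run against the constructed sample.
sample_ss_output | listeners_on_port 1003
```

A result of `unknown` for the process means `ss` could not see the owner; rerun it as root before drawing conclusions.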

Why Unassigned Ports Matter

The existence of port 1003—and dozens like it—reveals something about how the Internet actually works versus how it's supposed to work.

The official port registry is supposed to be the source of truth. But it's managed asynchronously, slowly, by humans. Applications don't always wait for official assignment. Fortinet needed a port for internal keepalive traffic and used 1003. The BackDoor trojan needed a port and found one nobody was watching.

Unassigned ports in the well-known range are:

  • Technically reserved for future assignment by IANA
  • Practically available for anyone to use, officially or not
  • Often overlooked by security monitoring because they're not "supposed" to have anything on them
  • Potentially dangerous precisely because nobody's paying attention

This is the gap between the Internet's formal design and its actual operation. Port 1003 sits in that gap, serving both legitimate enterprise infrastructure and—historically—malware, because the gap exists.

  • 1000-1007 — Unassigned well-known ports (the same gap port 1003 occupies)
  • 1-1023 — All well-known ports (the range that should be centrally managed but isn't, entirely)
  • 22 — SSH (actually assigned and widely used)
  • 443 — HTTPS (assigned and secured)
