Port 20

Port 20 is where the files actually move.

When you transfer a file using FTP, two connections happen. Port 21 carries the commands: login, list directory, request file. Port 20 carries the payload: the actual bytes of the actual file. It is the data channel, the workhorse, the silent partner in a protocol that predates the modern Internet.

How FTP's Dual-Channel Architecture Works

FTP is unusual among Internet protocols. Most protocols use a single connection for everything. HTTP sends requests and responses on the same socket. SMTP delivers mail through one pipe. But FTP splits the conversation in two.1

Port 21 is the control channel. This is where you authenticate, send commands like LIST or RETR or STOR, and receive status codes. The control channel stays open for the entire session.

Port 20 is the data channel. Every time you transfer a file or request a directory listing, FTP opens a separate connection just for that data. When the transfer completes, the data connection closes.

This separation made sense in 1971. It allowed the protocol to handle large, slow transfers without blocking the command interface. You could start a file transfer, then send a command to cancel it if needed. The control channel remained responsive.

Active Mode: When the Server Calls You Back

In active mode FTP, something strange happens. The client tells the server: "I'm listening on port 5001. Connect to me there."2

The server then initiates an outbound connection from its port 20 to whatever port the client specified. The client becomes a server, temporarily. The roles reverse for the data channel.

The client makes this request with the PORT command, and it worked beautifully on the early ARPANET, where every machine had a routable IP address and no firewall stood in the way.

Then NAT happened. Then firewalls happened. Suddenly, the server's callback from port 20 would hit the client's firewall and die. The client, sitting behind a home router with a private IP address, had told the server to connect to 192.168.1.50, an address that doesn't exist on the public Internet.3

Active mode FTP became a relic overnight. Port 20 went quiet.

Passive Mode: Port 20 Steps Aside

Passive mode (PASV) was invented to solve the firewall problem.4 Instead of the server connecting to the client, the server opens a random high port and tells the client: "Connect to me on port 43721."

Both connections now flow from client to server. Firewalls are happy. NAT devices can track the connections. File transfers work again.

But port 20 is not used in passive mode. The data flows through ephemeral ports in the registered range (1024-49151) or dynamic range (49152-65535). Port 20 becomes a historical artifact, assigned but increasingly unused.

The Origin: Abhay Bhushan at MIT, 1971

FTP was born on April 16, 1971, when Abhay Bhushan, a graduate student at MIT, published RFC 114.5 This was before TCP/IP existed. Before HTTP, before email as we know it, before the web.

Bhushan was working on Project MAC at MIT, helping build the ARPANET. The problem was simple: researchers needed to share files between computers that spoke different operating systems and used different file formats. There was no standard way to say "give me that file."6

RFC 114 defined the first File Transfer Protocol. It ran over NCP (Network Control Protocol), the predecessor to TCP. The dual-port architecture was there from the beginning: one channel for control, one for data.

The current FTP specification, RFC 959, was published in October 1985 by Jon Postel and Joyce Reynolds at the Information Sciences Institute.7 This version runs over TCP/IP and is essentially the FTP we still use today. Forty years later, the same protocol, the same port assignments.

Security: Everything in Plaintext

FTP sends your username and password in cleartext. Every character, readable by anyone on the network.8

USER admin
331 Password required
PASS hunter2
230 Logged in

This is not a flaw that was discovered later. RFC 2577, published in 1999, explicitly documents this vulnerability: "All data and control information (including passwords) is sent across the network in unencrypted form by standard FTP."9

The RFC doesn't mince words. It recommends "alternate authentication mechanisms that are not subject to eavesdropping."
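Detection logic for this exposure, as an added example that is not part of the original page, run over constructed control-channel lines. It assumes a sensor on port 21 that records each line with a flow id and direction, and it relies on the AUTH TLS command and its 234 reply from explicit FTPS (RFC 4217), which the page does not spell out.

```python
# Constructed sample: (flow id, direction, control-channel line).
# "C" is client to server, "S" is a server reply.
CAPTURE = [
    ("flow-1", "C", "USER admin"),
    ("flow-1", "S", "331 Password required"),
    ("flow-1", "C", "PASS hunter2"),
    ("flow-1", "S", "230 Logged in"),
    ("flow-2", "C", "AUTH TLS"),
    ("flow-2", "S", "234 Proceed with negotiation"),  # encrypted from here on
    ("flow-3", "C", "AUTH TLS"),
    ("flow-3", "S", "502 Command not implemented"),
    ("flow-3", "C", "USER backup"),
    ("flow-3", "S", "331 Password required"),
    ("flow-3", "C", "PASS s3cret"),
    ("flow-3", "S", "530 Login incorrect"),
]

def find_cleartext_logins(capture):
    """Return one finding per PASS command that was readable on the wire."""
    flows, findings = {}, []
    for flow, direction, line in capture:
        st = flows.setdefault(flow, {"user": None, "last": None,
                                     "tls_refused": False, "pending": None})
        word, _, rest = line.partition(" ")
        if direction == "C":
            st["last"] = word.upper()
            if st["last"] == "USER":
                st["user"] = rest
            elif st["last"] == "PASS":
                # Record that a password crossed in clear, never the password.
                st["pending"] = {"flow": flow, "user": st["user"],
                                 "after_refused_tls": st["tls_refused"],
                                 "accepted": None}
                findings.append(st["pending"])
        elif st["last"] == "AUTH" and word[:1] in ("4", "5"):
            st["tls_refused"] = True  # server declined TLS; client may fall back
        elif st["last"] == "PASS" and st["pending"] is not None:
            st["pending"]["accepted"] = (word == "230")
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_logins(CAPTURE):
        print(finding)
```

A finding with after_refused_tls set marks a client that asked for encryption, was refused, and sent its password in cleartext anyway.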

The Bounce Attack

FTP's PORT command enables what's called a bounce attack.10 An attacker connects to an FTP server and issues a PORT command pointing to a third machine. The FTP server, acting as a proxy, connects to that machine on the attacker's behalf.

This allows attackers to:

  • Scan ports on machines behind firewalls
  • Send forged email through third-party SMTP servers
  • Probe internal networks using an innocent FTP server as a relay

The vulnerability is RFC-compliant. The protocol specification itself enables the attack. Most modern FTP servers disable this "feature" by refusing PORT commands that point to addresses other than the client's.
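One way a server can implement that refusal, as an added example that is not code from the original page or from any particular FTP server. It decodes the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, so port 5001 is sent as 19,137), compares the address with the control connection's peer, and adds a low-port refusal in line with RFC 2577's advice; the function names and sample addresses are assumptions made for the example.

```python
import ipaddress

class PortRejected(ValueError):
    """A PORT argument that the server should answer with an error reply."""

def parse_port_argument(arg):
    """Decode RFC 959 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise PortRejected("malformed argument")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise PortRejected("field out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2

def check_port_command(arg, control_peer, min_port=1024):
    """Return (host, port) if a data connection may be opened, else raise."""
    host, port = parse_port_argument(arg)
    if host != ipaddress.IPv4Address(control_peer):
        raise PortRejected("address is not the control-connection peer")
    if port < min_port:  # extra check, in line with RFC 2577's advice
        raise PortRejected("port below %d" % min_port)
    return host, port

# Constructed sample input: (label, control-connection peer, PORT argument)
CASES = [
    ("direct client", "203.0.113.7", "203,0,113,7,19,137"),
    ("client behind NAT", "203.0.113.7", "192,168,1,50,19,137"),
    ("bounce to third host", "203.0.113.7", "198,51,100,25,0,25"),
    ("own address, low port", "203.0.113.7", "203,0,113,7,0,25"),
    ("garbage", "203.0.113.7", "203,0,113,7,5001"),
]

def evaluate(cases=CASES):
    """Map each label to 'allow host:port' or 'reject: reason'."""
    verdicts = {}
    for label, peer, arg in cases:
        try:
            host, port = check_port_command(arg, peer)
            verdicts[label] = "allow %s:%d" % (host, port)
        except PortRejected as exc:
            verdicts[label] = "reject: %s" % exc
    return verdicts

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print("%-22s %s" % (label, verdict))
```

The NAT case is rejected by the same check as the bounce: a client announcing 192.168.1.50 from behind a router looks, to the server, like a PORT command aimed at someone else, which is one more reason such clients need passive mode.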

| Port | Protocol | Purpose |
|------|----------|---------|
| 21 | FTP | Control channel for FTP commands and responses |
| 22 | SSH/SFTP | Secure alternative to FTP with encryption |
| 69 | TFTP | Trivial File Transfer Protocol, used in booting |
| 115 | SFTP (legacy) | Original Simple File Transfer Protocol (rarely used) |
| 990 | FTPS | FTP over implicit TLS |

The Modern State: Deprecated but Not Dead

In 2021, Chrome and Firefox dropped FTP support.11 The browsers decided that a protocol sending passwords in cleartext didn't belong in a modern Internet.

SFTP (SSH File Transfer Protocol) and FTPS (FTP Secure) have largely replaced FTP for any serious use. SFTP runs over SSH on port 22 and encrypts everything. FTPS wraps FTP in TLS on port 990 (implicit) or negotiates encryption on port 21 (explicit).

But FTP refuses to die completely. Legacy systems, embedded devices, and internal networks still use it. Some organizations run FTP on isolated networks where encryption is less critical. The protocol is simple, well-understood, and works on nearly everything.

Port 20 persists in firewall configurations, protocol documentation, and the collective memory of anyone who administered a server in the 1990s. It is assigned, but mostly silent.
