Port 27: NSW-FE — A Fossil from the ARPANET's Software Factory

Port 27 is assigned to nsw-fe, the User System Front End of the National Software Works. If you've never heard of it, that's because it hasn't been relevant to a running network in decades. But it was assigned for a reason, and the reason is worth knowing.

What the National Software Works Was

The National Software Works (NSW) was a project funded by ARPA and the U.S. Air Force in the mid-1970s¹. Its goal was ambitious for the era: build a distributed operating system across the ARPANET that would let software engineers at different institutions share tools, files, and computing resources to build programs together.

Think of it as a 1970s attempt at what GitHub, Docker, and cloud development environments do today, except running on a network where a fast connection meant 50 kilobits per second.

The NSW was developed primarily by Massachusetts Computer Associates (COMPASS) in Wakefield, Massachusetts, with involvement from BBN Technologies². The project's architect, Robert Thomas at BBN, was the same engineer who created the Creeper program in 1971, the first software to propagate itself across a network³.

How It Worked

The NSW architecture had several distributed components⁴:

• The Front End (FE), on port 27, was the user-facing component. It was the door through which a developer entered the NSW system.
• MSG was the interprocess communication mechanism, allowing NSW components on different ARPANET hosts to talk to each other. It ran on ports 29 and 31, both also registered to Robert Thomas.
• The Foreman ran on every host that provided tools, managing execution of software on that machine.

When a user connected through the Front End on port 27, they could access compilers, editors, and other development tools running on entirely different machines across the network. The NSW handled the complexity of locating, invoking, and coordinating those tools.

Why It Matters

The NSW was one of the first real attempts to build what we now call a "network operating system." The core insight, that the hardware, software, and human resources needed for a task might be geographically and administratively dispersed¹, was decades ahead of its time.

The project faded as the ARPANET evolved into the Internet and other approaches to distributed computing took hold. But it left behind three port numbers (27, 29, 31) as fossils in the IANA registry, markers of a future someone tried to build before the infrastructure could support it.

Port 27 Today

Port 27 sees no legitimate traffic from its assigned protocol. No modern software implements NSW-FE. However, the port has been observed in security contexts:

• The Assasin trojan, a remote access tool and keylogger from the late 1990s, was documented using UDP port 27⁵.
• Any unexpected traffic on port 27 warrants investigation, precisely because nothing should be listening there.

Checking What's on Port 27

# Linux/macOS — check if anything is listening on port 27
sudo lsof -i :27
sudo netstat -tlnp | grep ':27 '

# Windows — check port 27
netstat -an | findstr ":27 "

If something is listening on port 27, you should find out what it is. There is no modern service that should be there.

The Well-Known Port Range

Port 27 sits in the well-known port range (0 through 1023). These ports are assigned by IANA and, on Unix-like systems, require root or superuser privileges to bind to⁶. The well-known range was established to give critical network services stable, predictable addresses. Not every port in this range found a lasting purpose. Port 27 is one of many that were assigned to protocols that existed for a time and then quietly disappeared.

The port number itself is a kind of headstone. It marks the place where something lived.