Port 28: Unassigned — The Empty Room in the Well-Known Range

Port 28 is unassigned. It has no official protocol, no RFC, no service name. In the entire history of the IANA port registry, from the first Assigned Numbers document in 1977 to today, nobody has ever claimed it.

That makes it worth understanding.

What "Unassigned" Means

Port 28 belongs to the System Ports range, also called the well-known ports: numbers 0 through 1023. These are the most restricted addresses in networking. On Unix-like systems, binding to a port in this range requires superuser privileges. Getting one assigned requires IETF Review or IESG Approval, the most rigorous processes IANA offers.¹

There are only 1,024 of these ports. They were meant for the foundational protocols of the Internet. Port 22 got SSH. Port 25 got SMTP. Port 53 got DNS. Port 80 got HTTP.

Port 28 got nothing.

Why Some Ports Stay Empty

Port assignments are demand-driven. IANA does not pre-allocate ports or hand them out speculatively. Someone has to show up with a protocol, a specification, and a reason. If nobody does, the port stays empty.²

As of RFC 6335 in 2011, roughly 24% of the well-known port range remained unassigned.² Port 28 is one of those gaps. It was never assigned in any of the historical Assigned Numbers RFCs (RFC 739, 750, 755, 758, 762, 770, 776, 790, 820, 870, 900, 923, 943, 960, 990, 1010, 1060, 1340, or 1700). Every single one of those documents skipped it.

This is not an oversight. The Internet built what it needed, and nobody needed port 28.

Unofficial Uses

Despite having no official assignment, port 28 has appeared in the wild:

Palo Alto Networks Panorama uses port 28 for HA1 control link communication (SSH over TCP) in high-availability firewall configurations.³

AltaVista Firewall97, a legacy firewall product, accepted connections on ports 26 through 29. Security researchers noted this could be used to fingerprint the device.³

The Amanda Trojan, a backdoor remote access trojan, has been documented using port 28 for command-and-control communication. The malware gives an attacker full remote control over an infected machine, including keystroke logging and credential theft.⁴

None of these uses are sanctioned by IANA. They exist because an unassigned port is an unclaimed address, and anyone with root access can listen on it.

Security Implications

If port 28 is open on your system and you did not intentionally configure something to listen there, investigate immediately. An open well-known port with no assigned service is a signal, not noise.

Check what is listening on port 28:

# Linux
sudo ss -tlnp | grep ':28 '
sudo lsof -i :28

# macOS
sudo lsof -i :28
netstat -an | grep '\.28 '

# Windows
netstat -ano | findstr ":28 "

If something is there and you do not recognize it, treat it as suspicious. Run a full malware scan. Check your firewall rules. An unassigned port that suddenly has a listener is one of the clearest warning signs in network security.

The Significance of Empty Ports

Unassigned ports are not wasted space. They are capacity. The Internet's port system was designed with room to grow, and every unassigned port in the well-known range represents a future protocol that has not been invented yet.

Port 28 has waited since 1977. It may wait forever. Or someday, someone will design a protocol important enough to claim it, submit the specification, survive IETF review, and give this number a name.

Until then, port 28 remains what it has always been: an empty room in a building full of the Internet's most important machinery, door closed, lights off, waiting.