Port 6379: Redis — The Memory That Never Forgets

Port 6379 is where thought happens at the speed of electricity. When your session stays alive across browser tabs, when a leaderboard updates the instant someone scores, when a notification finds you before you knew to look for it—that's Redis. That's port 6379.

Redis is an in-memory data store. While traditional databases write to disk and hope for the best, Redis holds everything in RAM. No seeking. No spinning platters. Just pure, electric memory responding in microseconds.

The Birth of MERZ

In 2007, Salvatore Sanfilippo—known online as antirez—was running a small Italian startup called LLOOGG.¹ It was a real-time web analytics tool, years before Google Analytics offered anything similar. Bloggers could watch their visitors move through their sites in real time: someone clicks through from Google, lands on the homepage, navigates to an article.

The problem was MySQL. Every pageview meant a database write. Every dashboard refresh meant complex queries. As LLOOGG grew, the database couldn't keep up.

Antirez had an insight: what if he just kept everything in memory?

He wrote a prototype in Tcl. Just over 300 lines of code. He called it LMDB—LLOOGG Memory Database. It supported basic commands: SET, GET, LPUSH, RPUSH. Two data types: strings and lists. The communication protocol was designed to be human-readable and fast to parse.²

When he needed to pick a port number, antirez didn't think twice. On a phone keypad, 6379 spells MERZ—a word he and his friends had coined after watching Alessia Merz, an Italian showgirl, make amusingly vacuous comments on television.³ Over time, "merz" evolved to mean something stupid on the surface but with genuine technical depth underneath. Hack value. Building a 3D map of your hometown by driving around all night with a broken GPS—that's merz.

Redis was merz incarnate: a database that kept everything in RAM seemed absurd until you realized it was exactly what the world needed.

The Protocol: Elegance in Simplicity

Redis speaks RESP—the REdis Serialization Protocol.⁴ It's a masterclass in pragmatic design.

Every piece of data starts with a single character that tells you what's coming:

• + means a simple string
• - means an error
• : means an integer
• $ means a bulk string (binary-safe, with a length prefix)
• * means an array

Everything ends with \r\n. That's it.

When you send SET user:1000 "Alice" to Redis, the wire actually carries:

*3\r\n$3\r\nSET\r\n$9\r\nuser:1000\r\n$5\r\nAlice\r\n

An array of three bulk strings. The length prefixes mean Redis never has to scan for delimiters in your data—it knows exactly how many bytes to read. Binary safe. Unambiguous. Fast.

When Redis responds with OK, the wire carries: +OK\r\n

You could debug Redis traffic with telnet. You could write a Redis client in an afternoon. That was the point. RESP isn't clever. It's clear. It's fast enough to handle millions of operations per second because it never wastes cycles being sophisticated.

More Than Key-Value

Memcached existed before Redis. Created by Brad Fitzpatrick in 2003 for LiveJournal, it was pure caching: string keys, string values, nothing else.⁵

Redis was different from the start. Antirez gave it data structures: lists you could push and pop from either end, sets with union and intersection operations, sorted sets that maintained order by score, hashes that grouped related fields together.⁶

These aren't academic abstractions. They're tools that map directly to real problems:

• Sorted sets become leaderboards. ZADD adds a score, ZRANK tells you where you stand. No complex queries required.
• Lists become queues. LPUSH adds work, RPOP claims it. Producer-consumer patterns in two commands.
• Sets become relationship graphs. Who follows whom, who's online now, who shares friends with you.
• Pub/Sub becomes real-time messaging. PUBLISH sends, SUBSCRIBE receives. Chat rooms and live feeds without polling.⁷

Redis didn't just cache data. It modeled it.

What Flows Through Port 6379

Today, Redis runs at the heart of systems you use every day.

Twitter uses Redis to cache timelines. When you tweet, it's written to Redis clusters where your followers' home timelines are precomputed and waiting. Three clusters for redundancy, all in memory, all instant.⁸

GitHub was one of Redis's first major adopters, drawn in by the Ruby community that embraced antirez's work early. Instagram followed. Pinterest, Snapchat, Airbnb, Shopify, OpenAI—the list reads like a directory of the Internet's infrastructure.⁹

Session storage is perhaps Redis's most invisible role. When you log into a website and stay logged in across tabs, across devices, your session lives somewhere. Often it's Redis. Stateless web servers scale horizontally while Redis maintains the state they all share.

Rate limiting happens here too. Want to allow 100 API calls per minute per user? Redis counts, Redis remembers, Redis says "not so fast" in microseconds.

Real-time analytics, shopping carts, feature flags, distributed locks—port 6379 carries all of it.

The Security Reality

Redis was designed to be accessed by trusted clients inside trusted environments.¹⁰ The official documentation is blunt: don't expose Redis to the Internet.

This advice goes unheeded constantly.

As of 2025, roughly 330,000 Redis instances are exposed to the public Internet. About 60,000 of them have no authentication at all.¹¹ By default, the official Redis container doesn't require a password—a reasonable choice for internal deployment, a disaster when that container gets pushed to a public IP.

The attacks are predictable. Unauthenticated Redis instances can be queried by anyone. Worse, they can execute Lua scripts—a powerful feature that became a weapon.

In October 2025, researchers disclosed CVE-2025-49844, nicknamed "RediShell."¹² A use-after-free vulnerability in the Lua interpreter that had existed in Redis source code for 13 years. CVSS score: 10.0. An authenticated attacker could send a crafted Lua script that corrupted memory, escaped the sandbox, and gained full access to the host machine.

The vulnerability affected every version of Redis with Lua scripting enabled—which is every version that matters.

Redis's response includes the obvious recommendations: firewalls, authentication, protected mode, minimal permissions. But the deeper lesson is architectural. Redis is a scalpel. It's devastatingly effective when wielded correctly and catastrophic when left lying around.

The License Wars

In March 2024, Redis Ltd. changed the license from the permissive BSD license that had governed Redis since its creation to a dual-license model: RSALv2 and SSPL.¹³

The stated reason was sustainability. Cloud providers—AWS, Google Cloud—offered managed Redis services that generated billions in revenue while contributing little back to the project.

The community response was immediate and brutal. The Linux Foundation announced Valkey, a fork that would maintain the original BSD license, within days.¹⁴ AWS, Google Cloud, Oracle, Alibaba, Tencent, and Huawei all backed it. The open-source world operates on trust, and Redis had broken it.

The numbers told the story: before the license change, 12 non-employees made 54% of Redis commits. Afterward, zero non-employees made more than 5 commits.¹⁵

In November 2024, antirez returned to Redis as developer evangelist. In 2025, Redis added AGPLv3 as a third licensing option, an OSI-approved open-source license.¹⁶ But by then, 83% of large enterprises using Redis had already adopted or were testing Valkey.¹⁷

The Internet may now have two Redis-compatible projects forever. Both listen on port 6379.

Related Ports