Port 65535 is the highest port number that can exist. When you reach this port, you have reached the end of the Internet's addressing system. There is no port 65536.
This is not arbitrary. It is mathematics.
Why 65535 Is the Limit
In September 1981, Jon Postel published RFC 793, the document that defined TCP.1 In that specification, the source port and destination port fields were each allocated 16 bits.
A 16-bit unsigned integer can represent values from 0 to 65,535. That is 2^16 possible values. Port 0 is reserved, so the usable range runs from 1 to 65,535.
When TCP was designed, 65,536 ports per IP address seemed like more than enough. The engineers of that era were building for a world of mainframes and terminals, not smartphones and IoT devices. They made a reasonable choice for their time, and we have lived with it ever since.
The port field size has never been changed. It remains 16 bits in RFC 9293, the modern TCP specification.2 Changing it would break every device on the Internet.
The Dynamic Port Range
Port 65535 belongs to the dynamic or ephemeral port range: 49152 to 65535.3 These ports are not assigned to any specific service. Your operating system hands them out temporarily when applications need to make outgoing connections.
When your web browser connects to a server, it needs a port on your side of the conversation. The server uses port 443 for HTTPS, but your browser gets assigned something like port 52847, or 61203, or 65535. The specific number does not matter. It just needs to be available.
This is why you cannot look up "what service runs on port 65535" and get a meaningful answer. By design, nothing specific runs here. It is a temporary address, used and released, used and released, thousands of times a day on every computer connected to the Internet.
A Hiding Place for Malware
Port 65535 has attracted attention from malware authors. Several trojans and backdoors have used this port:4
- RC1 Trojan: Uses port 65535 for covert command-and-control communication
- Adore Worm: Exploits vulnerabilities in applications listening on ephemeral ports
- Sins Trojan: Establishes backdoor connections through this port
- ShitHeep Trojan: Another backdoor that chose the highest port
Why do attackers pick this port? Partly because it is memorable. Humans remember extremes: the highest number, the lowest number, repeating digits. Port 65535 is easy to recall, and easy to type.
But there is also practical logic. Dynamic ports receive less scrutiny than well-known ports. A connection on port 22 is obviously SSH. A connection on port 443 is obviously HTTPS. But a connection on port 65535? It could be anything. That ambiguity provides cover.
Security Implications
If you see unexpected traffic on port 65535, investigate it. Use netstat or ss to identify what process is listening:
Legitimate applications can use this port. Games like Lord of the Rings: Battle for Middle Earth 2 and Final Fantasy XI have been documented using port 65535.4 But if you see it open and you do not know why, that warrants investigation.
A known vulnerability exists in LANDesk Management Suite 8.7, where a stack-based buffer overflow in the Alert Service on port 65535 allows remote code execution.5
The Edge of the Map
Port 65535 is where the Internet's addressing system confesses its limits. Beyond this number, there is nothing. The 16 bits are exhausted. The counter cannot increment further.
In the 1981 world of RFC 793, this seemed impossibly far away. Today, with billions of devices and countless simultaneous connections, we live much closer to these edges than the original designers imagined.
Every protocol carries the assumptions of its era. The 16-bit port field is a fossil from a time when the Internet was a research project connecting a few hundred machines. That fossil is now load-bearing infrastructure for human civilization.
Port 65535 is the last door in a hallway of 65,536 doors. Some doors have names etched in brass: HTTP, SSH, DNS. This door has no name. It is simply the end.
Frequently Asked Questions
Was this page helpful?