What are sockets with bound state on 0.0.0.0

Question

I know a listening socket on 0.0.0.0 is listening on all IPv4 interfaces. But we also see a lot of 'bound' stockets on 0.0.0.0, if we check with Get-NetTCPConnection in powershell. All on high port numbers (63000+) with a both local and remoteaddress of 0.0.0.0, and a remote port of 0.

What kind of sockets can this be? We see this on a windows web server (2016), which serves a number of websites (IIS). This server also hosts the ASP.NET state server, which is also accessed from another server in the same network.

When there are about 50-100 users active on these sites, there are about 1000 of these sockets open. When there's more activity, the number of these sockets also grow.

These should be [ephemeral ports](https://en.wikipedia.org/wiki/Ephemeral_port) — Lenniey, Apr 15 '19 at 14:51

score 0 · Accepted Answer · answered Apr 16 '19 at 07:14

These are ephemeral ports. They always "bind" to 0.0.0.0:<range> and remote 0.0.0.0:0. You can also check the setting using netsh int ipv4 show dynamicport tcp, e. g. on my Windows 10 workstation:

Protocol tcp Dynamic Port Range
-------------------------------
Start Port      : 49152
Number of Ports : 16384

You can change this setting by using netsh int ipv4 set dynamicport tcp start=X num=Y, but usually you shouldn't need to.

This Microsoft documentation lists the defaults per service.

What are sockets with bound state on 0.0.0.0

1 Answers1