When Bitcoin Core automatically opens outgoing P2P connections, it chooses
a peer (address and port) from its list of potential peers. This list is
populated with unchecked data gossiped over the P2P network by other peers.

A malicious actor may gossip an address:port where no Bitcoin node is listening,
or one where a service is listening that is not related to the Bitcoin network.
As a result, this service may occasionally get connection attempts from Bitcoin
nodes.

"Bad" ports are ones used by services which are usually not open to the public
and usually require authentication. A connection attempt (by Bitcoin Core,
trying to connect because it thinks there is a Bitcoin node on that
address:port) to such service may be considered a malicious action by an
ultra-paranoid administrator. An example for such a port is 22 (ssh). On the
other hand, connection attempts to public services that usually do not require
authentication are unlikely to be considered a malicious action,
e.g. port 80 (http).

Below is a list of "bad" ports which Bitcoin Core avoids when choosing a peer to
connect to. If a node is listening on such a port, it will likely receive fewer
incoming connections.

    1:     tcpmux
    7:     echo
    9:     discard
    11:    systat
    13:    daytime
    15:    netstat
    17:    qotd
    19:    chargen
    20:    ftp data
    21:    ftp access
    22:    ssh
    23:    telnet
    25:    smtp
    37:    time
    42:    name
    43:    nicname
    53:    domain
    69:    tftp
    77:    priv-rjs
    79:    finger
    87:    ttylink
    95:    supdup
    101:   hostname
    102:   iso-tsap
    103:   gppitnp
    104:   acr-nema
    109:   pop2
    110:   pop3
    111:   sunrpc
    113:   auth
    115:   sftp
    117:   uucp-path
    119:   nntp
    123:   NTP
    135:   loc-srv /epmap
    137:   netbios
    139:   netbios
    143:   imap2
    161:   snmp
    179:   BGP
    389:   ldap
    427:   SLP (Also used by Apple Filing Protocol)
    465:   smtp+ssl
    512:   print / exec
    513:   login
    514:   shell
    515:   printer
    526:   tempo
    530:   courier
    531:   chat
    532:   netnews
    540:   uucp
    548:   AFP (Apple Filing Protocol)
    554:   rtsp
    556:   remotefs
    563:   nntp+ssl
    587:   smtp (rfc6409)
    601:   syslog-conn (rfc3195)
    636:   ldap+ssl
    989:   ftps-data
    990:   ftps
    993:   ldap+ssl
    995:   pop3+ssl
    1719:  h323gatestat
    1720:  h323hostcall
    1723:  pptp
    2049:  nfs
    3659:  apple-sasl / PasswordServer
    4045:  lockd
    5060:  sip
    5061:  sips
    6000:  X11
    6566:  sane-port
    6665:  Alternate IRC
    6666:  Alternate IRC
    6667:  Standard IRC
    6668:  Alternate IRC
    6669:  Alternate IRC
    6697:  IRC + TLS
    10080: Amanda

For further information see:

[pull/23306](https://github.com/bitcoin/bitcoin/pull/23306#issuecomment-947516736)

[pull/23542](https://github.com/bitcoin/bitcoin/pull/23542)

[fetch.spec.whatwg.org](https://fetch.spec.whatwg.org/#port-blocking)

[chromium.googlesource.com](https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/net/base/port_util.cc)

[hg.mozilla.org](https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsIOService.cpp)