Re: Port Scan for UDP

To: debian security list <debian-security@lists.debian.org>
Subject: Re: Port Scan for UDP
From: Jeff Coppock <jcoppock1@home.com>
Date: Sun, 21 Oct 2001 10:46:08 -0700
Message-id: <20011021104608.A9887@nortelnetworks.com>
Mail-followup-to: debian security list <debian-security@lists.debian.org>
In-reply-to: <E15vKn2-0007jl-00@bcm-hog.org>; from craig@bcm-hog.org on Sun, Oct 21, 2001 at 10:45:28AM -0500
References: <E15vKn2-0007jl-00@bcm-hog.org>

Wow!  Craig...you are the MAN!  This explains a number of other
questions I had too.  Thank you very much!

jc

Craig McPherson, 2001-Oct-21 10:45 -0500:
> I can't believe nobody has answered this correctly yet.  UDP is 
> different than TCP in that it is a stateless protocol, and that means 
> you have to understand a few things to interpret UDP port scan results 
> correctly.  With TCP scans, you get one of three results:  OPEN 
> (meaning that the TCP handshake sequence to open a connection 
> completed), CLOSED (meaning that the target sent a "port closed" ICMP 
> message), or FILTERED (meaning that no response was received at all: 
> this is also called "stealthed" by so-called "security experts" like 
> Steve Gibson but it's a good idea to ignore him just on general 
> principles).
> 
> UDP is a completely stateless protocol, though.  Even if you send a UDP 
> packet to a port that a valid daemon is listening on, the system isn't 
> obligated to send anything back to you at all: there is no handshake 
> sequence to establish a connection.  So making a determination is 
> harder than with TCP.  If you receive a "port closed" ICMP message, the 
> port can be safely listed as CLOSED, but if you receive nothing at all, 
> that could mean that the port is either OPEN or FILTERED -- it's pretty 
> much impossible to tell the difference.
> 
> NMAP assumes that every UDP port that it doesn't receive a responsee 
> from is OPEN, which means that if you have your firewall DROP all UDP 
> connections, every UDP port will appear as open.  If you want to fix 
> this, have your firewall REJECT instead of DROP, and the ports will 
> appear correctly as CLOSED to a port scan.  DROPing connections without 
> a response is in violation of the RFCs, too, if you care about that 
> sort of thing.  Having the local machine portscan itself will also tell 
> you which UDP ports are *actually* open, because I assume you don't 
> have your firewall set to DROP packets from itself.
> 
> Also, did you know that by default, nmap only scans ports listed in its 
> services file?  So although it scans commonly-used ports, it's not 
> scanning the entire system.  If you have enough time (this will make 
> the scan very slow, especially over a slow network link), use the "-p 1-
> " argument to every scan to force nmap to scan every port from 1 to 
> 65535 instead of just the maybe 400 or 500 ports that it has listed in 
> its services file.  That's the only way you can get a complete picture 
> of what your box looks like from the outside.


-- 

Jeff Coppock		Nortel Networks
Systems Engineer	http://nortelnetworks.com

Reply to:

References:
- Re: Port Scan for UDP
  - From: "Craig McPherson" <craig@bcm-hog.org>

Prev by Date: Re: URGENT RESPONSE!
Next by Date: Re: ssh vulernability
Previous by thread: Re: Port Scan for UDP
Next by thread: Re: Port Scan for UDP
Index(es):
- Date
- Thread