Re: High UDP ports showing open on my systems
Gabriel M. Beddingfield wrote:
> I've been running nmap scans on a couple of my debian systems, and I'm
> finding that one unpriviliged UDP port is always showing open, but the port
> changes with every scan. Anybody know what's going on? Here's a few tests
> (edited for brevity):
>
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> PORT STATE SERVICE
> 52979/udp open unknown
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> All 25536 scanned ports on 192.168.1.100 are: closed
> debian:~# nmap -sU -p 40000-65535 192.168.1.100
> PORT STATE SERVICE
> 41252/udp open unknown
UDP works different than TCP. It is a stateless protocol that does
not need to confirm in any way that a package has been received. An
UDP port can be considered open as long as a package sent to it does
not result in an icmp-port-unreachable answer.
So nmap can assume that the tested port is open and that some program
at the other side received the test package, unless it gets an icmp-
port-unreachable answer.
And sometimes packages just get lost on their way, so it is quite
possible that one of the 25k answer packages will not find its way
to the scanning host. That is no cause for alarm.
> lsof doesn't show any such port open. The -sV switch doesn't give any extra
> info for these high ports.
"netstat -lup" will show you all processes that listen on an UDP
socket.
Regards,
Dennis
--
Send personal mail to dennis@... only. Off-list
mails to lists@stosberg.net will not reach me.
Reply to: