I would recommend reading the man page for nmap;
"Upon hitting a closed port on the target machine, the UDP probe should elicit an ICMP port
unreachable packet in return. This signifies to Nmap that the machine is up and available. Many
other types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a
down or unreachable host. A lack of response is also interpreted this way. If an open port is
reached, most services simply ignore the empty packet and fail to return any response. This is why
the default probe port is 31338, which is highly unlikely to be in use. A few services, such as
chargen, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is
" -sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP3 services are widely
deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most
common. Because UDP scanning is generally slower and more difficult than TCP, some security
auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and
attackers certainly don┬┤t ignore the whole protocol. Fortunately, Nmap can help inventory UDP
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN
scan (-sS) to check both protocols during the same run.
UDP scan works by sending an empty (no data) UDP header to every targeted port. If an ICMP port
unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors
(type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond
with a UDP packet, proving that it is open. If no response is received after retransmissions, the
port is classified as open|filtered. This means that the port could be open, or perhaps packet
filters are blocking the communication. Versions scan (-sV) can be used to help differentiate the
truly open ports from the filtered ones.
A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any
response, leaving Nmap to time out and then conduct retransmissions just in case the probe or
response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP
port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN
or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and
Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits
destination unreachable messages to one per second (in net/ipv4/icmp.c).
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless
packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per
second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up
include scanning more hosts in parallel, doing a quick scan of just the popular ports first,
scanning from behind the firewall, and using --host-timeout to skip slow hosts.
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.
| & || & |
| < || < |
| > || > |
| [ || [ |
| ] || ] ||