How does UDP port scanning and service detection work?
While TCP is a connection-oriented protocol and establishes a connection to the remote host via a 3-way handshake, UDP is a connection-less protocol.
A "UDP connection" is a meaningless term, since a client can send packets to a UDP service without first establishing a connection. Because of this, UDP is harder to probe than TCP.
When a generic UDP packet is sent to a UDP port of a remote host, one of the following occurs:
- If the UDP port is open, the packet is accepted and no response packet is sent.
- If the UDP port is closed, an ICMP packet with the appropriate error code, such as Destination Unreachable, is sent in response.
Scanning UDP ports is therefore inference-based: rather than relying on acknowledgements from the remote host as TCP scanning does, it collects the ICMP errors the remote host sends for each closed port. Closed ports are detected by the presence of ICMP response packets; open ports are detected by the absence of any response.
UDP port scanning has certain limitations:
Many operating systems' TCP/IP stacks use internal buffers to queue incoming packets. The buffers for UDP packets are very limited in size, so UDP packets sent too quickly may not be processed by the remote host at all. As a result, UDP port scanning is much slower than TCP port scanning and by default probes only a small number of ports (~180).
Another issue with this negative (inference-based) scanning is that firewall rules can greatly affect the accuracy of results. ICMP packets are often filtered, which prevents the ICMP error sent in response to a closed port from reaching the scanner, so a closed port behind such a filter is indistinguishable from an open one.
UDP service detection works by sending a packet that conforms to the protocol of the service normally running on the probed UDP port (in contrast to TCP services, UDP services are hardly ever reconfigured to run on a non-standard port). For example, a DNS query packet is sent to port 53, an SNMP packet to port 161, and so on. Receiving the anticipated response confirms the service on that port.
For UDP scanning, the scanner sends a generic UDP packet and awaits a response. If there is no response, the port is assumed to be open and a UDP packet specific to the service expected on that port is sent to detect the service. If an ICMP error packet is returned, the port is considered closed.
The scanner compiles the information into a list of open UDP ports and running UDP services which is then documented in the scan report under QID 82004 - Open UDP Services List.
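As an added illustration of the two-stage procedure described above (this is not the scanner's own code), the following Python models the classification logic against a constructed target. The `send` transport callable, the simulated host, the ICMP marker tuple and the DNS-only probe table are assumptions made for the example; the output reproduces the open / closed / open|filtered distinction the text describes.

```python
import struct

# Constructed marker standing in for an ICMP Destination Unreachable, Port Unreachable (type 3, code 3).
ICMP_PORT_UNREACHABLE = ("icmp", 3, 3)

def build_dns_query(txid, name="example.com"):
    """Minimal DNS A/IN query: 12-byte header, QNAME labels, QTYPE=1, QCLASS=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_dns_reply(probe, reply):
    """Confirm the service only if the reply echoes our transaction ID and has the QR bit set."""
    if not isinstance(reply, bytes) or len(reply) < 12:
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid == struct.unpack("!H", probe[:2])[0] and bool(flags & 0x8000)

# Service-specific probes keyed by the standard port (only DNS on 53 here; assumed table).
SERVICE_PROBES = {53: ("dns", lambda: build_dns_query(0x1234), is_dns_reply)}

def classify_port(port, send):
    """send(port, payload) returns the ICMP marker, reply bytes, or None on timeout.
    Stage 1: empty datagram; ICMP port unreachable => closed, silence => open|filtered.
    Stage 2: service probe on the standard port; a valid reply confirms the service."""
    if send(port, b"") == ICMP_PORT_UNREACHABLE:
        return ("closed", None)
    if port in SERVICE_PROBES:
        name, build, check = SERVICE_PROBES[port]
        probe = build()
        if check(probe, send(port, probe)):
            return ("open", name)
    return ("open|filtered", None)  # no evidence either way: inference only

def simulated_host(port, payload):
    """Constructed target: DNS on 53, silent listener on 161, closed 1234, firewalled 9999."""
    if port == 53:
        if len(payload) < 12:
            return None  # accepted silently, as an open port does with a generic packet
        return payload[:2] + b"\x81\x80" + payload[4:]  # echo txid, set QR/RD/RA bits
    if port in (161, 9999):
        return None  # 161: service that ignores the probe; 9999: ICMP error dropped by a firewall
    return ICMP_PORT_UNREACHABLE

def scan(ports, send=simulated_host):
    """Compile the per-port verdicts into the list the report is built from."""
    return {p: classify_port(p, send) for p in ports}

if __name__ == "__main__":
    for port, (state, svc) in scan([53, 161, 1234, 9999]).items():
        print(f"{port:5d}/udp  {state:14s} {svc or ''}")
```

Note that ports 161 and 9999 receive the same verdict even though one is listening and the other is firewalled, which is exactly the accuracy limitation the text attributes to filtered ICMP.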