
UDP ports and port scanners


Only if there is an application listening to that specific port that is programmed to send a response based on the packet received to a port the scanner machine has open and is listening to. In short, general purpose UDP port scanning won't work. You have to be looking for a specific service.

From nmap man page:


UDP scans:
This method is used to determine which UDP (User
Datagram Protocol, RFC 768) ports are open on a host. The tech-
nique is to send 0 byte udp packets to each port on the target
machine. If we receive an ICMP port unreachable message, then
the port is closed. Otherwise we assume it is open.

Some people think UDP scanning is pointless. I usually remind
them of the recent Solaris rpcbind hole. Rpcbind can be found
hiding on an undocumented UDP port somewhere above 32770. So it
doesn't matter that 111 is blocked by the firewall. But can you
find which of the more than 30,000 high ports it is listening
on? With a UDP scanner you can! There is also the cDc Back Ori-
fice backdoor program which hides on a configurable UDP port on
Windows machines. Not to mention the many commonly vulnerable
services that utilize UDP such as snmp, tftp, NFS, etc.

Unfortunately UDP scanning is sometimes painfully slow since
most hosts implement a suggestion in RFC 1812 (section
of limiting the ICMP error message rate. For example, the Linux
kernel (in net/ipv4/icmp.h) limits destination unreachable mes-
sage generation to 80 per 4 seconds, with a 1/4 second penalty
if that is exceeded. Solaris has much more strict limits (about
2 messages per second) and thus takes even longer to scan. nmap
detects this rate limiting and slows down accordingly, rather
than flood the network with useless packets that will be ignored
by the target machine.

As is typical, Microsoft ignored the suggestion of the RFC and
does not seem to do any rate limiting at all on Win95 and NT
machines. Thus we can scan all 65K ports of a Windows machine
very quickly. Woop!

So yes, but it might not be accurate.
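
The inaccuracy mentioned above can be shown with a small simulation. This is an added example, not part of either post or of nmap: it sends no packets, and `IcmpLimiter`, `simulate_scan` and the sample target are hypothetical names using a simplified token-bucket model of the "80 per 4 seconds" Linux limit quoted in the excerpt.

```python
# Added example: constructed simulation only, no packets are sent.
# Models the rule quoted above: ICMP port unreachable => closed,
# silence => "assume open", against a target that rate-limits ICMP errors.

class IcmpLimiter:
    """Simplified token bucket (assumption): `burst` errors per `window` s."""

    def __init__(self, burst, window):
        self.rate = burst / window          # tokens refilled per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_scan(listening, n_ports, probes_per_sec, limiter):
    """Probe ports 1..n_ports; return (reported_open, false_open)."""
    reported_open = set()
    for i, port in enumerate(range(1, n_ports + 1)):
        now = i / probes_per_sec
        if port in listening:
            unreachable = False               # a silent listener sends no ICMP error
        else:
            unreachable = limiter.allow(now)  # closed port, reply may be suppressed
        if not unreachable:
            reported_open.add(port)           # silence is read as "open"
    return reported_open, reported_open - set(listening)


LISTENING = {161, 500}                        # constructed sample target

if __name__ == "__main__":
    for pps in (20, 100, 1000):
        limiter = IcmpLimiter(burst=80, window=4.0)   # Linux figure from the excerpt
        _, false_open = simulate_scan(LISTENING, 1000, pps, limiter)
        print(f"{pps:>5} probes/s -> {len(false_open)} closed ports misreported as open")
```

Probing at or below the limiter's refill rate reports only the real listeners; probing faster turns suppressed ICMP errors into false "open" results, which is why the excerpt describes nmap slowing down.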

