UDP – User Datagram Protocol

UDP is a relatively simple protocol compared with TCP for one reason: it has none of the fields that ensure reliable delivery of information. With UDP there is no guarantee that transmitted data will be delivered; the idea is that applications and other transport mechanisms will handle this function.

However, the headers do hold some information that is useful, especially if you’re an application developer or a security professional involved in port scanning. As with TCP, the port fields are two distinct 16-bit fields, here in the UDP header: one for the source and another for the destination. The valid range for these fields is between 1 and 65535; if 0 is used it signifies unusual activity or possibly some sort of crafted packet.

When a source host needs to send data to a destination, an ephemeral port number is first selected, usually in the range above 1023. Each new outgoing connection requires another ephemeral port to be selected.

UDP Port Scanning

Unlike TCP, which responds with either a positive response (SYN/ACK) or a negative response (RESET/ACK) for listening or non-listening ports, UDP gives no such response. It does give some feedback, however: a live host will respond with an ICMP ‘port unreachable’ message for a non-listening port. This is the only real way port scanners have of determining the status of UDP ports; it is also quite a stealthy method, as the response is a standard one.

The assumption is that if a packet is sent and no ‘port unreachable’ error is received, then the port is open and listening. However, this can cause problems with false positives, as technically the same absence of an ICMP response can occur in lots of other situations, varying from lost packets to firewalls preventing access in the first place. This can be confusing, suggesting open listening UDP ports when in reality none exist.

This can also be difficult to follow in other situations, such as when different routing tables are in use or a VPN is being used to access remote locations, for example to reach BBC iPlayer from abroad.

For troubleshooting and testing this can be very confusing, and the more intelligent port scanners such as Nmap will allow for the possibility that there is simply some filtering going on.
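
The interpretation described above, written out as an added example that is not part of the original post: it parses an ICMP destination-unreachable message, reads the probed port from the UDP header quoted inside it, and reports open|filtered rather than open when nothing comes back, following the mapping in Nmap's documentation. The function names and the sample packets (built with documentation addresses) are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

PORT_UNREACHABLE = 3                    # ICMP type 3, code 3: port is closed
FILTERED_CODES = {0, 1, 2, 9, 10, 13}   # other type 3 codes Nmap treats as filtered

def parse_unreachable(icmp: bytes) -> Optional[Tuple[int, int]]:
    """Return (icmp_code, probed_udp_port) for an ICMP type 3 message, else None."""
    if len(icmp) < 8 or icmp[0] != 3:
        return None
    quoted = icmp[8:]                   # original IP header + first 8 bytes of UDP
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4        # IP header length in bytes
    if ihl < 20 or quoted[9] != 17 or len(quoted) < ihl + 8:   # 17 = UDP
        return None
    _sport, dport, _length, _cksum = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
    return icmp[1], dport

def classify(got_udp_reply: bool, icmp: Optional[bytes]) -> str:
    """Map one probe's outcome to a port state."""
    if got_udp_reply:
        return "open"                   # the service itself answered
    parsed = parse_unreachable(icmp) if icmp else None
    if parsed is None:
        return "open|filtered"          # silence: listening, dropped, or lost
    code = parsed[0]
    if code == PORT_UNREACHABLE:
        return "closed"
    return "filtered" if code in FILTERED_CODES else "open|filtered"

def sample_icmp(code: int, dport: int) -> bytes:
    """Constructed ICMP type 3 message quoting a UDP probe (documentation IPs)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

if __name__ == "__main__":
    for label, reply, icmp in [("udp answer", True, None),
                               ("port unreachable", False, sample_icmp(3, 161)),
                               ("admin prohibited", False, sample_icmp(13, 53)),
                               ("timeout", False, None)]:
        print(f"{label:18} -> {classify(reply, icmp)}")
```

A timeout and an unparseable reply both land in open|filtered, which is why a single unanswered probe cannot be read as proof of a listening service.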

Further Reading:

Nmap Port Scanning techniques – https://nmap.org/book/man-port-scanning-techniques.html

Diagnose Network Issues – Can I Get BBC iPlayer in Spain
