How does UDP port scanning and service

detection work?
Issue:
How does UDP port scanning and service detection work?

Solution:
While TCP is a connection-oriented protocol and establishes a
connection to the remote host via a 3-way handshake UDP is a
connection-less protocol!

UDP connection is a meaningless term since a client can send packets
to a UDP service witho"t #rst establishing a connection! D"e to its
nat"re UDP is more di$c"lt to probe than TCP!

When a generic UDP packet is sent to a UDP port o% a remote host one
o% the %ollowing occ"rs&
'% the UDP port is open the packet is accepted no response
packet is sent!
'% the UDP port is closed an 'C(P packet is sent in response with
the appropriate error code s"ch as Destination Unreachable!

)canning UDP ports is more in%erence-based since it does not rely on
acknowledgements %rom the remote host like TCP does b"t instead
collects all 'C(P errors the remote host sends %or each closed port!
There%ore closed ports are detected by the presence o% 'C(P response
packets open ports are detected by the lack o% response packets!

UDP port scanning has certain limitations&

(any operating systems TCP*'P stacks "se internal b"+ers %or ,"e"ing
incoming packets! The b"+ers %or UDP packets are very limited in
space which co"ld ca"se UDP packets that are sent too %ast not to be
processed by the remote host! -s a res"lt o% this UDP port scanning is
m"ch slower than TCP port scanning and by de%a"lt probes only a small
n"mber o% ports ./ 0123!

-nother iss"e with negative scanning is that #rewall r"les can greatly
a+ect the acc"racy o% res"lts! 'C(P packets are o%ten #ltered
preventing the 'C(P packet sent in response to a closed port %rom
reaching the scanner!

UDP service detection works by sending a packet compliant with the
service normally r"nning on the probed UDP port .in contrast to TCP
services UDP services are hardly ever recon#g"red to r"n on a non-
standard port3! 4or e5ample a D6) ,"ery packet is sent on port 73 a
)6(P packet on port 080 etc! 9eceiving the anticipated reponse
con#rms the service on that port!

To s"mmari:e&
4or UDP scanning the service sends a generic UDP packet and awaits a
response! '% there is no response the port is ass"med to be open and a
UDP packet speci#c to the service on that port is sent to detect the
service! '% an 'C(P error packet is ret"rned the port is considered
closed!

The scanner compiles the in%ormation into a list o% open UDP ports and
r"nning UDP services which is then doc"mented in the scan report
"nder ;'D 1<22= - >pen UDP )ervices ?ist!