UDP Service and Vulnerability Enumeration

The User Datagram Protocol (UDP) transfers data much differently than the Transmission Control Protocol (TCP). Services that run on UDP can make use of the client and server model that TCP uses, but it can also transfer data without an established connection and send data to multiple computers with a single packet. This blog entry discusses UDP port scanning, active services enumeration and passive network monitoring to identify UDP services and vulnerabilities.

Probing for "open" UDP Ports

A very common question that Nessus users ask of Tenable is why there isn't a UDP port scanner option for Nessus. The short answer is that Nessus performs UDP service enumeration for 1000s of different applications but doesn't perform generic UDP port scans.

There is nothing technically wrong with performing a UDP scan, but on most networks, there is a very good opportunity to report open UDP ports incorrectly.

Probing for UDP ports consists of sending a UDP packet to each port and then either waiting for no response, potentially a UDP packet response or an ICMP (Internet Control Message Protocol) "port closed" message. If no response is received the scanner can conclude that the port is open. If an ICMP "port unreachable" message is received, the scanner can conclude the port is closed.

There are several potential false positives and false negatives that can occur here:

For many networks, when performing scans of many ports on many systems at the same time, the actual probing packet might not make it to the target host due to network congestion. Since no response is received, the scanner might conclude the port is open. If no response is received, it might consider trying again, but this could also cause more packets to be used in the probe and cause a different probe packet to not reach it's target. A slang term for the "U" in "UDP" is unreliable.  Any router or switch along the way can drop the packet if it gets too busy.

Also compounding the issue, firewall rules between the scanner and the target might explicitly deny outbound ICMP messages. For UDP packets that make their way to a closed port and have the system respond with an ICMP port unreachable message, this packet might be dropped at the egress firewall or router. Since this ICMP message isn't received, the scanner may incorrectly assume that all is good and the UDP port is indeed open.

ICMP packets may also not be sent from a host because modern TCP/IP stacks have implemented rate limiting. Although responding to a UDP probe with an ICMP port unreachable packet may be the "right thing to do", if the number of ICMP packets being sent exceeds a rate limit, they won't be sent at all. This will cause the scanner to think the UDP port is indeed open.

UDP Application Enumeration with Nessus

Nessus discovers open UDP ports by simultaneously identifying the actual application using the port. It performs this by sending specific application probes for UDP protocols (such as SNMP or DNS) and then waiting for the correct application response. This is very accurate and leaves little ambiguity if a particular UDP application is reachable or not.

Nessus does not do service fingerprinting on UDP protocols.  In other words, when probing UDP port 53, we don't send in a SQL query, DNS query and then SNMP and wait for a response.  The majority of UDP services only reply to a well written query .

For UNIX systems being scanned by Nessus with credentials, the "netstat -an" command can be used to enumerate all open ports, including UDP ports.

Nessus also learns about UDP services through queries to the SunRPC and MSRPC portmappers. Each of these protocols provides very accurate listings of both UDP and TCP services and the processes that are listening on their ports.

UDP Service Enumeration with the Passive Vulnerability Scanner

Another interesting way of identifying UDP client and server applicants in use is to simply sniff the network traffic. Tenable's Passive Vulnerability Scanner identifies a wide variety of UDP based protocols and associated vulnerabilities in both the clients and servers. This has no impact on the network and is extremely accurate.