Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

UDP Service and Vulnerability Enumeration

The User Datagram Protocol (UDP) transfers data much differently than the Transmission Control Protocol (TCP). Services that run on UDP can make use of the client and server model that TCP uses, but it can also transfer data without an established connection and send data to multiple computers with a single packet. This blog entry discusses UDP port scanning, active services enumeration and passive network monitoring to identify UDP services and vulnerabilities.

Probing for "open" UDP Ports

A very common question that Nessus users ask of Tenable is why there isn't a UDP port scanner option for Nessus. The short answer is that Nessus performs UDP service enumeration for 1000s of different applications but doesn't perform generic UDP port scans.

There is nothing technically wrong with performing a UDP scan, but on most networks, there is a very good opportunity to report open UDP ports incorrectly.

Probing for UDP ports consists of sending a UDP packet to each port and then either waiting for no response, potentially a UDP packet response or an ICMP (Internet Control Message Protocol) "port closed" message. If no response is received the scanner can conclude that the port is open. If an ICMP "port unreachable" message is received, the scanner can conclude the port is closed.

There are several potential false positives and false negatives that can occur here:

For many networks, when performing scans of many ports on many systems at the same time, the actual probing packet might not make it to the target host due to network congestion. Since no response is received, the scanner might conclude the port is open. If no response is received, it might consider trying again, but this could also cause more packets to be used in the probe and cause a different probe packet to not reach it's target. A slang term for the "U" in "UDP" is unreliable.  Any router or switch along the way can drop the packet if it gets too busy.

Also compounding the issue, firewall rules between the scanner and the target might explicitly deny outbound ICMP messages. For UDP packets that make their way to a closed port and have the system respond with an ICMP port unreachable message, this packet might be dropped at the egress firewall or router. Since this ICMP message isn't received, the scanner may incorrectly assume that all is good and the UDP port is indeed open.

ICMP packets may also not be sent from a host because modern TCP/IP stacks have implemented rate limiting. Although responding to a UDP probe with an ICMP port unreachable packet may be the "right thing to do", if the number of ICMP packets being sent exceeds a rate limit, they won't be sent at all. This will cause the scanner to think the UDP port is indeed open.

UDP Application Enumeration with Nessus

Nessus discovers open UDP ports by simultaneously identifying the actual application using the port. It performs this by sending specific application probes for UDP protocols (such as SNMP or DNS) and then waiting for the correct application response. This is very accurate and leaves little ambiguity if a particular UDP application is reachable or not.

Nessus does not do service fingerprinting on UDP protocols.  In other words, when probing UDP port 53, we don't send in a SQL query, DNS query and then SNMP and wait for a response.  The majority of UDP services only reply to a well written query .

For UNIX systems being scanned by Nessus with credentials, the "netstat -an" command can be used to enumerate all open ports, including UDP ports.

Nessus also learns about UDP services through queries to the SunRPC and MSRPC portmappers. Each of these protocols provides very accurate listings of both UDP and TCP services and the processes that are listening on their ports.

UDP Service Enumeration with the Passive Vulnerability Scanner

Another interesting way of identifying UDP client and server applicants in use is to simply sniff the network traffic. Tenable's Passive Vulnerability Scanner identifies a wide variety of UDP based protocols and associated vulnerabilities in both the clients and servers. This has no impact on the network and is extremely accurate.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.