ECEN 502 - Introduction to Computer Security
Eng. Dina Tarek

LAB 4: UDP Port Scanning

What is UDP?

• UDP stands for User Datagram Protocol. It is used to send small messages from one host to another.
• It is a connectionless protocol: data is transferred from one end to the other without any connection establishment. A connectionless protocol is one in which packets are sent without first checking whether a communication channel exists between the client and the server. The data is simply sent to the destination, assuming the destination is available.
• UDP lies between the application layer and the network layer. It delivers data in the form of packets, and these packets are called user datagrams.
• UDP uses multiplexing to handle the outgoing user datagrams from multiple processes, and demultiplexing to deliver incoming user datagrams to the different processes on the same host.
• UDP provides services such as process-to-process communication, connectionless service, flow control, error control, checksum, congestion control, encapsulation and decapsulation, queuing, multiplexing, and demultiplexing. It is a transport layer protocol in the Open Systems Interconnection (OSI) model, used for client-server network applications.
• UDP implements a simple transmission model. It does not use handshaking for reliability, ordering, or data integrity. UDP does not perform error checking or correction, which avoids the processing time these would cost at the network level.
• UDP does not monitor the order in which packets are sent; it permits packets to be dropped, and to be received in a different order than the one in which they were sent. This is what gives UDP its better performance.
• Datagrams are the smallest units of transfer; each datagram consists of one message unit.

Advantages
• One of the notable features of UDP is that it neither retransmits packets lost during transmission nor requires any connection setup. Because of this, the data that is sent incurs less delay before it is received. This lower delay makes UDP appropriate for delay-sensitive applications such as audio and video.
• Multicast applications use UDP because they send point-to-multipoint. If TCP were used for multicast applications, the sender would need to track the retransmissions and sending rate for multiple receivers, which would become highly complex.
• Much faster than TCP.

Disadvantages

• UDP gives no guarantee of delivery. A packet might not be delivered, or might be delivered multiple times and out of order, without any indication of it.
• UDP has no flow control or congestion control.
• UDP suffers from worse packet loss than TCP.

UDP Packet

Figure 1: Structure of a UDP message

• The Length field gives the length of the UDP payload plus the UDP header.
• The checksum is 16 bits long.
• The UDP header is 8 bytes long.
• Source Port is a service access point (SAP) used to indicate the local client's session from which the packet originated.
• Destination Port is a service access point used to indicate the service the client is requesting from the remote server.
• UDP Length: the total size of the datagram, consisting of the UDP header and the payload data.
• UDP Checksum: the checksum verifies the integrity of the payload data and ensures that routers or bridges in the network have not corrupted it. One such checksum algorithm is the standard Internet Checksum algorithm. It safeguards an application against receiving incorrect data in place of, or in addition to, whatever was sent.
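The following Python script is an added example, not part of the original lab handout. It builds and parses the 8-byte UDP header from Figure 1 (source port, destination port, length, checksum) and computes the checksum with the standard Internet Checksum algorithm (one's-complement sum of 16-bit words over the IPv4 pseudo-header, the UDP header, and the payload). The addresses, ports, and payload are constructed sample values; the function names are this example's own.

```python
import struct

UDP_HEADER_LEN = 8      # the UDP header is always 8 bytes
IPPROTO_UDP = 17        # protocol number carried in the IPv4 pseudo-header


def internet_checksum(data: bytes) -> int:
    """Standard Internet Checksum: one's-complement of the one's-complement
    sum of all 16-bit words (odd-length input is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carry bits back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP segment with its
    checksum field zeroed. A computed value of 0 is sent as 0xFFFF, because
    0 on the wire means 'no checksum' for IPv4 UDP."""
    pseudo = (
        bytes(int(o) for o in src_ip.split("."))
        + bytes(int(o) for o in dst_ip.split("."))
        + struct.pack("!BBH", 0, IPPROTO_UDP, len(segment))
    )
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return internet_checksum(pseudo + zeroed) or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble a UDP datagram: header (ports, length, checksum) + payload."""
    length = UDP_HEADER_LEN + len(payload)   # Length field covers header + payload
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Decode the header fields and verify the Length and Checksum fields.
    Rejects truncated segments and length fields that disagree with the data,
    which is exactly the malformed input a receiver must not trust."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("segment shorter than the 8-byte UDP header")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError(f"UDP length field {length} inconsistent with {len(segment)} bytes")
    # checksum 0 means the sender did not compute one (allowed for IPv4 UDP)
    checksum_ok = csum == 0 or udp_checksum(src_ip, dst_ip, segment[:length]) == csum
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "length": length,
        "checksum": csum,
        "checksum_ok": checksum_ok,
        "payload": segment[UDP_HEADER_LEN:length],
    }


if __name__ == "__main__":
    # constructed sample: a small UDP datagram between two private addresses
    seg = build_udp("192.168.1.10", "192.168.1.20", 40000, 53, b"ping")
    print(seg.hex())
    print(parse_udp("192.168.1.10", "192.168.1.20", seg))
    # flip a payload byte and the checksum no longer verifies
    print(parse_udp("192.168.1.10", "192.168.1.20", seg[:8] + b"pong")["checksum_ok"])
```

The parser deliberately checks the Length field against the bytes actually received before using it to slice the payload; a receiver that trusts the field blindly can be made to read past the datagram.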
UDP Port Scan Technique

Technique        Wireshark Filter                  Command / Tool
UDP port scan    icmp.type==3 and icmp.code==3     nmap -sU <target>

Here's a Wireshark filter to identify UDP port scans:

icmp.type==3 and icmp.code==3

This is how a UDP port scan looks in Wireshark (see the capture screenshot).

A good indicator of ongoing UDP port scanning is a high number of ICMP packets in our network, namely ICMP type 3 (Destination unreachable) with code 3 (Port unreachable). These particular ICMP messages indicate that the remote UDP port is closed. If we see a high number of these packets in our network in a short period of time, it most likely means someone is doing UDP port scans (e.g. by running nmap -sU <target>).
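The detection rule above (many ICMP type 3 / code 3 messages in a short time) can be applied outside Wireshark as well. The Python script below is an added example, not part of the lab: it replays the same condition as the display filter icmp.type==3 and icmp.code==3 over a small constructed record set (timestamp, ICMP source, ICMP destination, type, code; the format is an assumption resembling a per-packet field export, not an actual capture) and raises an alert when one host receives at least a threshold number of port-unreachable messages inside a sliding time window. Because the port-unreachable is sent back to whoever sent the UDP probe, the suspected scanner is the ICMP destination, and the ICMP sources are the hosts it probed.

```python
from collections import defaultdict, deque

# Constructed sample records: ts,icmp_src,icmp_dst,icmp.type,icmp.code
# 10.0.0.5 answers ten probes from 10.0.0.99 with port-unreachable in under 2 s;
# the other lines are unrelated traffic (echo request, host unreachable, one stray).
SAMPLE_RECORDS = """\
1700000000.000,10.0.0.5,10.0.0.99,3,3
1700000000.120,10.0.0.5,10.0.0.99,3,3
1700000000.250,10.0.0.5,10.0.0.99,3,3
1700000000.400,10.0.0.5,10.0.0.99,3,3
1700000000.530,10.0.0.5,10.0.0.99,3,3
1700000000.700,10.0.0.5,10.0.0.99,3,3
1700000000.810,10.0.0.1,10.0.0.42,8,0
1700000000.950,10.0.0.5,10.0.0.99,3,3
1700000001.100,10.0.0.5,10.0.0.99,3,3
1700000001.300,10.0.0.9,10.0.0.77,3,3
1700000001.450,10.0.0.5,10.0.0.99,3,3
1700000001.600,10.0.0.3,10.0.0.50,3,1
1700000001.800,10.0.0.5,10.0.0.99,3,3
"""


def parse_records(text: str) -> list:
    """Turn the comma-separated lines into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, itype, icode = line.split(",")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "type": int(itype), "code": int(icode)})
    return records


def is_port_unreachable(rec: dict) -> bool:
    """Same condition as the Wireshark filter: icmp.type==3 and icmp.code==3."""
    return rec["type"] == 3 and rec["code"] == 3


def detect_udp_scans(text: str, threshold: int = 8, window: float = 5.0) -> dict:
    """Return {probing_host: {"port_unreachable": n, "responders": {...}}} for
    every host that received >= threshold port-unreachable messages within any
    'window' seconds. n is the largest in-window count seen for that host."""
    recent = defaultdict(deque)        # probing host -> timestamps inside the window
    responders = defaultdict(set)      # probing host -> hosts that answered it
    alerts = {}
    for rec in sorted(parse_records(text), key=lambda r: r["ts"]):
        if not is_port_unreachable(rec):
            continue
        probe_host = rec["dst"]        # the ICMP error goes back to the prober
        responders[probe_host].add(rec["src"])
        q = recent[probe_host]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(probe_host, {}).get("port_unreachable", 0)
            alerts[probe_host] = {"port_unreachable": max(prev, len(q)),
                                  "responders": set(responders[probe_host])}
    return alerts


if __name__ == "__main__":
    for host, info in detect_udp_scans(SAMPLE_RECORDS).items():
        print(f"possible UDP scan from {host}: {info['port_unreachable']} port-unreachable "
              f"replies from {sorted(info['responders'])}")
```

The threshold and window are tunable; a legitimate client that hits one closed port produces a single port-unreachable, whereas a scan produces a burst of them, so the rate rather than the single event is what separates the two.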