UDP questions! All ports open!

[lawrence171]

Hi! Yesterday, I somehow decided to dowload a port scanner, so, I downloaded it, and ran it against some servers and my own personal system. However, this is what I found out. This scanner is simple an fast, and it supports TCP and UDP scan. The only thing that surpised me is that it seems that according to the scanner, all of my TCP ports are either closed or invisible, but however most of my UDP ports (almost all) are open.

So... I decided to run a UDP port scan against two other servers. Netscape.com, and Thawte.com. The result? Most of the UDP ports were reported in the port scanner windows ( assume that then it means those ports are open as this is what happened when I did TCP scan, all open ports were reported). Even on netscape.com or thawte.com, most UDP ports are open. What does this mean? Does this mean that Firewalls today only protects you against attacks launched from the TCP protocol and not UDP?

Thankx

[souleman]

UDP is a connectionless protocol. It is great for a DNS attack, but there isn't much else you can do with it. Not to worried about someone taking root from a udp packet.

Thats why I always say that "stealth mode" is a crock of ****, because your machine can still be pinged (udp packet), so it isn't really invisible.

[slarty]

AFAIK, scanners determine if UDP ports are open because according to the relevant RFCs, sending an empty UDP packet to a non-open port should send an ICMP port unreachable back.

If there is a real application listening on the port, it probably won't respond to an empty packet (or will send back an error message using its own protocol). Seeing as few server programs expect empty messages, they will normally ignore it (A few server protocols like time and daytime actually expect empty packets and respond to them)

The problem with this is, a scanner *CANNOT* distinguish an open and a firewalled port if it doesn't get a response (from the application layers) (unlike TCP, where open ports, closed ports and firewalled ports all look different)

Therefore, if you scan a firewalled host, it may look like every port is open.

[lawrence171]

So..... the scanner came up with false results?

[slarty]

False results, yes

But not because it's broken, but because it is impossible for it not to.

[lawrence171]

OK! Thankx a-lot

[NetwrkBurn]

Dude if the scanner is right then you need to get a firewall and antivirus because if your udp ports are open then your introuble