Should i be more worried about TCP listening ports than UDP listening ports ?
Should i be more worried about TCP listening ports than UDP listening ports ?
Well, if you're concerned about security you should be worried about any unknown listening ports using any protocol.
AFAIK, TCP ports are more for data transmission, where the data needs to get to the recipient. UDP is for when it really doesn't matter, for things like streaming audio and video. IMHO, I think you should be worried a bit more about TCP than UDP.
slick
slick is correct.
TCP is a connection-orientated protocol.
UDP is a connectionless protocol.
TCP is used for most programs that need to make sure the data gets there.
UDP is used mostly for games, streaming audio and video. It is the faster of the two protocols because it doesn't check to see if the data got to the recipient correctly.
Thanks for the replies
Personally, I'd still be concerned about the UDP ports as that can be a protocol used for DoS attacks and the like. Something I'm sure you'd want to avoid being the source of.
I second pwaring on this:
Quote:
Originally posted here by pwaring
Well, if you're concerned about security you should be worried about any unknown listening ports using any protocol.
The mere fact that a socket is listening in udp or tcp doesn't say zip about its vulnerability potential.
Take for example SQL server, it uses (amongst others) port udp 1434. Does udp 1434 ring a bell? That's right: slammer. Slammer was able to DoS a huge number of machines by sending only a single 376-byte datagram to SQL Server/MSDE hosts. Windows also uses udp 137-138 for NetBIOS/SMB file sharing. SNMP also uses udp 162, which can potentially reveal sensitive information. Not to forget that some game servers that use udp have also had vulnerabilities exposed. Etc.
So there's really no basis for tcp/udp discrimination as far as vulnerability goes.
Ammo
I'd definitely say be concerned with UDP listening ports. The ever famous Back Orifice listened on UDP port 31337. An open UDP port is just as dangerous as an open TCP port.
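Added example (my own illustration, not code from pwaring, Ammo or anyone else in this thread): a small Python audit that treats TCP and UDP listeners identically. It parses a constructed sample of `ss -tuln` output and flags every socket not on a per-host allowlist, reporting whether the socket is bound to loopback only or to all interfaces. The sample output, the allowlist and the host are made up for illustration; the ports 1434, 137 and 31337 are simply the ones named in the replies above.

```python
# Constructed sample of `ss -tuln` output (illustrative, not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53     0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:1434   0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:137    0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:31337  0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0      128          127.0.0.1:5432   0.0.0.0:*
tcp   LISTEN 0      511               [::]:80        [::]:*
"""

# Ports this hypothetical host is meant to expose, keyed by protocol.
ALLOWLIST = {("tcp", 22), ("tcp", 80), ("udp", 53)}


def is_loopback(addr: str) -> bool:
    """True for sockets only reachable from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"


def parse_ss(output: str) -> list:
    """Parse `ss -tuln` rows into dicts.

    UDP sockets are reported in state UNCONN rather than LISTEN, so every row
    is kept instead of filtering on the LISTEN keyword.
    """
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":   # skip header / short rows
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        addr, port = local.rsplit(":", 1)              # works for [::]:80 too
        addr = addr.split("%", 1)[0]                   # drop interface scope such as %lo
        sockets.append({"proto": proto, "state": state,
                        "addr": addr, "port": int(port)})
    return sockets


def audit(sockets: list, allowlist: set) -> list:
    """Return (proto, port, exposure) for every socket not on the allowlist,
    with no special treatment for either protocol."""
    findings = []
    for s in sockets:
        if (s["proto"], s["port"]) in allowlist:
            continue
        exposure = "loopback-only" if is_loopback(s["addr"]) else "all-interfaces"
        findings.append((s["proto"], s["port"], exposure))
    return findings


if __name__ == "__main__":
    for proto, port, exposure in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"unexpected {proto} listener on port {port} ({exposure})")
```

On a real host, feed the output of `ss -tuln` to `parse_ss` instead of the sample. Note that `ss` shows UDP sockets as UNCONN, not LISTEN, so a check that greps for LISTEN silently drops every UDP socket, which is exactly the blind spot the replies above warn about.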
anyone wants to talk about icmp?
ICMP deals in error checking and so on. The user interface for ICMP is the ping program. You can use ping to send ICMP packets and see if something responds with "Hello, I'm up and running"
ping 192.168.0.1
{192.168.0.1} Hello, I'm up and running.
Of course you can set hardware and software to NOT respond to ping.
Come on gore.. I expect better from you :)..... ICMP TYPE 8 is ICMP ECHO REQUEST which is what ping is a user interface for, and the client should (if not blocking) respond with an ICMP TYPE 0 (ECHO REPLY)... However ping is not the user interface for all ICMP. How about Type 30 which is traceroute or type 13 which is timestamp. There are many programs that make use of ICMP and provide a front-end for users to form ICMP packets and requests. The best one, IMHO, is sing (http://sourceforge.net/projects/sing). ICMP is quite an amazing protocol. You can do a lot of basic (and sometimes more advanced) OS detection using only a few ICMP packets. A good example is the TTL field in the ping reply. This can be changed on most operating systems, but if you assume the default is set you can usually get a pretty good idea as to what OS the person is running.
Quote:
Originally posted here by gore
ICMP deals in error checking and so on. The user interface for ICMP is the ping program. You can use ping to send ICMP packets and see if something responds with "Hello, I'm up and running"
ping 192.168.0.1
{192.168.0.1} Hello, I'm up and running.
Of course you can set hardware and software to NOT respond to ping.
Peace,
HT
Well, let's see, I really expected better from you HTRegz! ;)
Quote:
Originally posted here by HTRegz
Come on gore.. I expect better from you :)..... ICMP TYPE 8 is ICMP ECHO REQUEST which is what ping is a user interface for, and the client should (if not blocking) respond with an ICMP TYPE 0 (ECHO REPLY)... However ping is not the user interface for all ICMP. How about Type 30 which is traceroute or type 13 which is timestamp. There are many programs that make use of ICMP and provide a front-end for users to form ICMP packets and requests. The best one, IMHO, is sing (http://sourceforge.net/projects/sing). ICMP is quite an amazing protocol. You can do a lot of basic (and sometimes more advanced) OS detection using only a few ICMP packets. A good example is the TTL field in the ping reply. This can be changed on most operating systems, but if you assume the default is set you can usually get a pretty good idea as to what OS the person is running.
Peace,
HT
While the first part of your comment about icmp type 0/8 for ping is right, the part about traceroute being icmp type 30 isn't quite correct:
Yes, type 30 IS defined as traceroute. However, this is the traceroute defined in RFC1393, which is merely a memo published in 1993 as an experimental protocol to redefine the means of doing traceroute, which was never really adopted (afaik). The way traceroute is still actually done is to send successive icmp or udp packets with TTLs of 1, 2, 3, ... N until it reaches the actual host. When the packets with insufficient TTLs expire, the router sends back an "ICMP TTL exceeded" message to the sender, enabling him to "trace the route".
This also leads me to a second point: the TTL field isn't a feature of ping or ICMP, it's a feature of IP. Its purpose is to make sure no IP packets stay looping indefinitely on the (inter)net. The way it does this is that every router, when it routes an IP packet, decrements the TTL of that packet by 1. When a router gets a packet with a TTL of 1, it discards it and sends an "icmp ttl exceeded" (icmp type 11) back to the source of that packet.
Ammo
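Added example covering both HTRegz's point about ICMP types 0/8 and Ammo's correction about time exceeded (type 11) and the IP TTL. This is my own illustration, not code from any poster and not taken from sing. It builds an echo request with the RFC 1071 checksum, decodes an echo or time-exceeded message (including the original IP header that a router quotes back, which is what lets traceroute attribute each expiry to a probe), and infers the hop distance from a reply's TTL on the assumption that the sender kept a default initial TTL of 64, 128 or 255. The time-exceeded datagram and the addresses in it are constructed, not captured; HTRegz's caveat that defaults can be changed applies to the TTL inference.

```python
import socket
import struct

# ICMP message types mentioned in the thread. Type 30 is the RFC 1393
# experimental traceroute message that, as Ammo notes, was never widely adopted.
ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    8: "echo-request",
    11: "time-exceeded",
    13: "timestamp",
    30: "traceroute (RFC 1393, experimental)",
}

# Common default initial TTLs; anything else means the sender changed the default.
COMMON_INITIAL_TTLS = (64, 128, 255)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by ICMP and the IPv4 header).
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8 / code 0 echo request, the message the ping program sends."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message. For time-exceeded, also decode the quoted original
    IPv4 header plus the first 8 transport bytes that the router echoes back."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = packet[0], packet[1]
    info = {"type": icmp_type, "code": code, "name": ICMP_TYPES.get(icmp_type, "other")}
    if icmp_type in (0, 8):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
    elif icmp_type == 11:
        orig = packet[8:]                    # bytes 4..8 of the header are unused
        ihl = (orig[0] & 0x0F) * 4 if orig else 0
        if len(orig) < ihl + 8:
            raise ValueError("time-exceeded without quoted IP header + 8 bytes")
        info["orig_ttl"] = orig[8]           # TTL as the discarding router saw it
        info["orig_proto"] = orig[9]
        info["orig_src"] = socket.inet_ntoa(orig[12:16])
        info["orig_dst"] = socket.inet_ntoa(orig[16:20])
        if orig[9] in (6, 17):               # TCP/UDP: destination port follows the IP header
            info["orig_dst_port"] = struct.unpack("!H", orig[ihl + 2:ihl + 4])[0]
    return info


def ttl_distance(observed_ttl: int) -> tuple:
    """Guess (initial TTL, hop distance) from a reply's TTL, assuming a default
    initial TTL was left in place (the caveat HTRegz raises above)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range")


def _constructed_time_exceeded() -> bytes:
    """Constructed sample: a router's type 11 reply to a UDP traceroute probe
    (10.0.0.5 -> 192.0.2.10, port 33434) whose TTL had run out. Addresses are made up."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
    body = b"\x00\x00\x00\x00" + ip + udp
    csum = inet_checksum(struct.pack("!BBH", 11, 0, 0) + body)
    return struct.pack("!BBH", 11, 0, csum) + body


TIME_EXCEEDED_SAMPLE = _constructed_time_exceeded()

if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"ping")))
    print(parse_icmp(TIME_EXCEEDED_SAMPLE))
    print(ttl_distance(52))
```

Sending these messages needs a raw socket and root, which is deliberately left out; the point is the message layout, and in particular that a type 11 message carries enough of the discarded packet for the original sender to match it to a probe.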
Hehe.. I guess we all expect better from people :)
I knew the TTL stuff, I guess I just didn't elaborate very well... However the traceroute info is new to me.. I just remembered the Type 30 from reading the RFC in one of my networking classes, however we never got much past that...... Live and learn..... Now work has been productive.. I've learned something new :)