UDP port scans

["David G. Cheney" <dgc () rocketfiber com>]

I've noticed that:
1) ICMP Port Unreachable Scanning seems to still be state of the art for 
UDP port scans.
2) nmap uses this method, along with some rate limiting to get around 
the now common icmp rate limiting of many network stacks.
3) UDP scanning of my linux system (2.6.x) with nmap -sU -F produces a 
couple thousand open ports (and about 4 closed ones).

no, there is only one udp port open on my machine, and I've tried 
tweaking the icmp rate limiting parameters around to no effect.

So I guess my question is: has anyone got a better idea as to how to do 
a UDP port scan? I'm actually considering that service scanning might do 
it, though it requires that whatever is running conforms to some 
(published or not) standard behavior.

Perhaps there is a survey somewhere of UDP services and the minimum 
input that they will respond to?

--dgc

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org