Re: UDP Reporting issues

[David Fifield <david () bamsoftware com>]

On Tue, May 18, 2010 at 09:43:55AM -0700, Wolf Halton wrote:
> I have read that reporting for UDP has been "normalized" to show open
> | filtered when the -sU test is run "to keep terrified newbies from
> panicking because they think they have bo2k."  I did a test recently
> on a UNIX box that had a firewall rule for UDP ports set to drop
> silently all incoming, not requested, packets.  The test took a long
> long time and returned most of the tested ports as open | filtered
> with trinoo controllers and bo2k.  I am not a newbie, and this
> reporting behavior isn't very useful.  Running NMap 5 on Kubuntu
> 10.04.  Is there a simple way to set the behavior to ignore
> non-responsive ports instead of returning trinoo and bo2k on open |
> filtered ports?  

Can you paste in the output that you see? (You can remove IP addresses
and anything else.)

What you have described above is very normal. When a firewall drops all
unsolicited packets, it is indeed "filtering" them. In the case of UDP,
that unfortunately is indistinguishable from a port being open in most
cases. That's why Nmap says "open|filtered" and doesn't just assume the
port is open. Ignoring unresponsive ports, in the case of UDP, means
ignoring open ports too, so you probably don't want that.

It's normal for UDP scans to take a long time. You can usually only do
one port per second max against Linux. To speed it up, scan fewer ports
with an option like --top-ports 500. Using the -sV option can
distinguish between open and open|filtered for some ports.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/