Penetration Testing mailing list archives
UDP port scan results
From: "Noonan, Wesley" <Wesley_Noonan () bmc com>
Date: Fri, 19 Apr 2002 19:10:36 -0500
After having my previous post blocked and being asked to "search the archives", I did just that but only found one post (using "UDP" as the search criteria) that kind of had an answer. I did some digging around on the net, and found a site that had a better answer. The question was why all UDP ports are show as opened using various port scanners. The answer seems to be, and it kind of makes sense, that UDP being connectionless, the scanner has no real method to differentiate between an opened port, and a port that was silently dropped (which most firewalls should[1] do). The only way to know for sure that a port is closed would be to get a response indicating a closed port (i.e. ICMP response). This has led me to some other questions. Is there a port scanner on the market (free or $$$) that does not generate the "false positive" result of a UDP scan against a stealth host? For example, rather than reporting the ports opened, it only reports those ports it gets some sort of response from as opened, and reports the rest as "may be opened", "state unknown" or something similar. If a UDP scan is run against a host, and rather than showing all ports the results show only certain ports opened, should this be considered a bad security situation, and if so why? My thoughts are that yes, it should be, as the host is not functioning in a "stealth" mode, which I think is a more secure process[1]. Simply put, a scanner can know with certainty which ports are opened if only certain ports are listed, where as in the other situation, every port appears to be opened. Any opinions/answers from the list? Thanks. Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS Senior QA Rep. BMC Software, Inc. (713) 918-2412 wnoonan () bmc com http://www.bmc.com [1] I say should because most references I have seen recommend a firewall operating in a stealth fashion as being more effective since it requires any scanning, etc. to time out before proceeding causing more time to pass and increasing the likelihood of catching it occurring. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- UDP port scan results Noonan, Wesley (Apr 22)
- Re: UDP port scan results Anders Thulin (Apr 23)
- <Possible follow-ups>
- RE: UDP port scan results Dawes, Rogan (ZA - Johannesburg) (Apr 22)
- Re: UDP port scan results Franck Veysset (Apr 26)
- Re: UDP port scan results R. DuFresne (Apr 26)
- Re: UDP port scan results Franck Veysset (Apr 26)
- RE: UDP port scan results Dario N. Ciccarone (Apr 24)