UDP port scan results

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 04/20/02


From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
To: "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>
Date: Fri, 19 Apr 2002 19:10:36 -0500

After having my previous post blocked and being asked to "search the
archives", I did just that but only found one post (using "UDP" as the
search criteria) that kind of had an answer. I did some digging around on
the net, and found a site that had a better answer. The question was why all
UDP ports are shown as opened using various port scanners. The answer seems
to be, and it kind of makes sense, that UDP being connectionless, the
scanner has no real method to differentiate between an opened port, and a
port that was silently dropped (which most firewalls should[1] do). The only
way to know for sure that a port is closed would be to get a response
indicating a closed port (i.e. ICMP response). This has led me to some other
questions.

Is there a port scanner on the market (free or $$$) that does not generate
the "false positive" result of a UDP scan against a stealth host? For
example, rather than reporting the ports opened, it only reports those ports
it gets some sort of response from as opened, and reports the rest as "may
be opened", "state unknown" or something similar.

If a UDP scan is run against a host, and rather than showing all ports the
results show only certain ports opened, should this be considered a bad
security situation, and if so why? My thoughts are that yes, it should be,
as the host is not functioning in a "stealth" mode, which I think is a more
secure process[1]. Simply put, a scanner can know with certainty which ports
are opened if only certain ports are listed, whereas in the other
situation, every port appears to be opened.

Any opinions/answers from the list? Thanks.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

[1] I say should because most references I have seen recommend a firewall
operating in a stealth fashion as being more effective since it requires any
scanning, etc. to time out before proceeding causing more time to pass and
increasing the likelihood of catching it occurring.
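
The three-state reporting asked about in the message above, as an added example that is not part of the original post: silence is reported as "open|filtered" rather than "open", and the summary covers both situations the message describes. The names `probe`, `classify`, `summarize` and the sample observations are assumptions made for illustration.

```python
import socket

# What each observable outcome of one UDP probe proves about the port.
STATE = {
    "reply": "open",               # the application answered: certainly open
    "icmp_unreachable": "closed",  # ICMP port unreachable: certainly closed
    "timeout": "open|filtered",    # silence: quiet service or dropped packet
}
# Constructed sample observations (port -> outcome), not real scan data.
STEALTH_HOST = {53: "timeout", 123: "timeout", 161: "timeout"}
MIXED_HOST = {53: "reply", 123: "timeout", 161: "icmp_unreachable"}

def probe(host, port, timeout=1.0, payload=b"\x00"):
    """Hypothetical helper: send one datagram and name the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))    # a connected UDP socket surfaces ICMP errors
        try:
            s.send(payload)
            s.recv(2048)
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "icmp_unreachable"
        except socket.timeout:
            return "timeout"

def classify(observations):
    """Map {port: outcome} to {port: state} without guessing on silence."""
    return {port: STATE[outcome] for port, outcome in observations.items()}

def summarize(states):
    """Say what the scan as a whole can and cannot conclude."""
    counts = {"open": 0, "closed": 0, "open|filtered": 0}
    for state in states.values():
        counts[state] += 1
    if counts["open"] == 0 and counts["closed"] == 0:
        verdict = "all silent: probes are dropped, no port state is known"
    elif counts["closed"] > 0 and counts["open|filtered"] > 0:
        verdict = "host sends ICMP for closed ports, so silent ports stand out"
    else:
        verdict = "only ports marked open or closed are known"
    return counts, verdict

if __name__ == "__main__":
    for name, obs in (("stealth", STEALTH_HOST), ("mixed", MIXED_HOST)):
        print(name, classify(obs), summarize(classify(obs)))
```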
