RE: UDP port scan results

From: Dario N. Ciccarone (dciccaro@cisco.com)
Date: Tue Apr 23 2002 - 19:17:54 EDT


all comments are personal opinions based on personal tests - please keep that in mind !

>I think nmap has an explanation of how it determines whether a UDP port is
>listening or not.

simple. an ICMP type 3, code 3 (port unreachable) means closed port. no ICMP, open port. an ICMP 3/13 means a filtered port (code 13 is "Communication Administratively Prohibited" - RFC-1812, Requirements for Internet routers)

>However, this behaviour is easily mimicked (?sp) with a firewall in front of
>the target server. If the firewall is configured to silently drop
>unauthorised packets, the scanner will receive no response to its packets,
>and assume that ALL ports are open.

the default behaviour of, say, a PIX is to drop the packet and NOT to send anything back - hence, the port is reported as open.

>If there is a screening router in front of the target, and it is configured
>to send ICMP unreachables (fairly standard Cisco filter result), the scanner
>can report that the port is filtered, since the unreachable is coming from a
>different IP address to that of the target.

it's the other way around :)

by default, a Cisco router generates ICMP unreachables like 3/13. adding "no icmp unre" under the incoming interface for the packet would block generation of those messages. but by default, ICMP unreachables ARE generated. And most customers DO NOT deactivate unreach generation.

>The scanner would have to try EVERY UDP protocol it knows about against
>every port, in order to discern between "not there", and "I'm ignoring
>invalid packets" on non-standard ports. An example might be a TFTP server
>running on the SNMP well-known port. It wouldn't answer to a SNMP handshake,
>but would likely respond to a TFTP handshake . . . .

and even yet, the SNMP port could be "open", but access limited to an ACL - and you would NOT see anything back. so . . .

=================================================================================================
Cisco SAFE - A Security Blueprint for Enterprise Networks
SAFE for Enterprise, SMB, IPSec VPNs, Wireless and IP Telephony
www.cisco.com/go/safe
=================================================================================================
Disclaimer:
These are my own personal opinions and not necessarily those of Cisco Systems.

Sed quis custodiet ipsos custodes?

Dario N. Ciccarone
Cisco Systems
Argentina, Paraguay, Uruguay y Bolivia
Ing. Enrique Butty 240 Piso 17
C1001ABF, Buenos Aires , Argentina
Phone/Vmail: 54-11-4341-0203
Fax: 54-11-4341-0149
dciccaro@cisco.com
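An added example, not code from the post, from Cisco or from nmap, that turns the ICMP rules discussed in the message above into a small classifier for UDP scan responses; the addresses used are constructed. It records a silent port as open|filtered rather than open, because, as the thread notes, a firewall silently dropping the probe looks exactly like an open port, and it flags a scan in which every port was silent.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed illustration of how a UDP probe response is interpreted.
ICMP_UNREACHABLE = 3
CODE_PORT_UNREACHABLE = 3    # RFC 792: the host itself says "no listener"
CODE_ADMIN_PROHIBITED = 13   # RFC 1812: a router/ACL refused the packet
FILTER_CODES = {1, 2, 9, 10, CODE_ADMIN_PROHIBITED}  # unreachables that mean "filtered"


@dataclass
class ProbeResult:
    target: str                      # IP the UDP probe was sent to
    udp_reply: bool = False          # a service answered with UDP data
    icmp_type: Optional[int] = None  # ICMP type of the reply, if any
    icmp_code: Optional[int] = None
    icmp_src: Optional[str] = None   # who sent the ICMP message


def classify(r: ProbeResult) -> str:
    """Map one probe's response to a port state."""
    if r.udp_reply:
        return "open"
    if r.icmp_type is None:
        # Silence: either an open service that ignored our payload, or a
        # firewall (PIX default) dropped the probe. Indistinguishable.
        return "open|filtered"
    if r.icmp_type != ICMP_UNREACHABLE:
        return "unknown"
    if r.icmp_code == CODE_PORT_UNREACHABLE:
        # Port unreachable from the target itself means closed; from any
        # other address it came from a screening device in the path.
        return "closed" if r.icmp_src == r.target else "filtered"
    if r.icmp_code in FILTER_CODES:
        return "filtered"
    return "unknown"


def silent_drop_suspected(results: List[ProbeResult]) -> bool:
    """True when every probed port was silent: far more likely a drop-all
    firewall than a host with every UDP port genuinely open."""
    return bool(results) and all(classify(r) == "open|filtered" for r in results)
```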

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT