UDP port scan results

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: Fri Apr 19 2002 - 20:10:36 EDT

• Next message: Stephan Holtwisch: "Telephone network mapper"
• Previous message: Franck Veysset: "Re: OS fingerprinting technique"
• Next in thread: Dawes, Rogan (ZA - Johannesburg): "RE: UDP port scan results"
• Maybe reply: Dawes, Rogan (ZA - Johannesburg): "RE: UDP port scan results"
• Reply: Anders Thulin: "Re: UDP port scan results"
• Maybe reply: Dario N. Ciccarone: "RE: UDP port scan results"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

After having my previous post blocked and being asked to "search the
archives", I did just that but only found one post (using "UDP" as the
search criteria) that kind of had an answer. I did some digging around on
the net, and found a site that had a better answer. The question was why all
UDP ports are show as opened using various port scanners. The answer seems
to be, and it kind of makes sense, that UDP being connectionless, the
scanner has no real method to differentiate between an opened port, and a
port that was silently dropped (which most firewalls should[1] do). The only
way to know for sure that a port is closed would be to get a response
indicating a closed port (i.e. ICMP response). This has led me to some other
questions.

Is there a port scanner on the market (free or $$$) that does not generate
the "false positive" result of a UDP scan against a stealth host? For
example, rather than reporting the ports opened, it only reports those ports
it gets some sort of response from as opened, and reports the rest as "may
be opened", "state unknown" or something similar.

If a UDP scan is run against a host, and rather than showing all ports the
results show only certain ports opened, should this be considered a bad
security situation, and if so why? My thoughts are that yes, it should be,
as the host is not functioning in a "stealth" mode, which I think is a more
secure process[1]. Simply put, a scanner can know with certainty which ports
are opened if only certain ports are listed, where as in the other
situation, every port appears to be opened.

Any opinions/answers from the list? Thanks.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

[1] I say should because most references I have seen recommend a firewall
operating in a stealth fashion as being more effective since it requires any
scanning, etc. to time out before proceeding causing more time to pass and
increasing the likelihood of catching it occurring.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Stephan Holtwisch: "Telephone network mapper"
• Previous message: Franck Veysset: "Re: OS fingerprinting technique"
• Next in thread: Dawes, Rogan (ZA - Johannesburg): "RE: UDP port scan results"
• Maybe reply: Dawes, Rogan (ZA - Johannesburg): "RE: UDP port scan results"
• Reply: Anders Thulin: "Re: UDP port scan results"
• Maybe reply: Dario N. Ciccarone: "RE: UDP port scan results"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT