A UDP Scan is a method used to identify open UDP (User Datagram Protocol) ports on a target system. Because UDP is a connectionless protocol, scanning it is significantly slower and more difficult than scanning TCP.
Unlike TCP, there is no “handshake” to confirm a connection, which makes the results harder to interpret.
How It Works
When you perform a UDP scan (in Nmap, the flag is -sU), the scanner sends a UDP datagram to a specific port (Nmap sends an empty datagram to most ports and a protocol-specific payload to well-known ones such as 53 and 161) and waits for a response:
- If the port is Open: The application might respond with its own UDP datagram, which proves the port is open, but more commonly it ignores an empty or unexpected probe and sends nothing at all.
- If the port is Closed: The target's operating system should send back an ICMP Type 3, Code 3 (Destination Unreachable: Port Unreachable) message.
- If the port is Filtered: The scanner receives a different ICMP Destination Unreachable error (Type 3 with Code 0, 1, 2, 9, 10, or 13: network, host or protocol unreachable, or administratively prohibited). No response at all is not reported as filtered but as open|filtered, because Nmap cannot tell a silent open port from a dropped probe.
Challenges with UDP Scanning
As you’ll find in your PenTest+ studies and your Linux lab experiments, UDP scans are often frustrating for a few reasons:
- The "No Response" Dilemma: Because an open port often sends nothing back, a silent port could be Open or Filtered by a firewall that drops the probe. Nmap reports the ambiguous case as open|filtered. Version detection (-sV) helps resolve it: Nmap sends protocol-specific payloads, and a port that answers is reported as open.
- Slow Performance: To avoid being overwhelmed, Linux and other Unix-like systems rate-limit ICMP error messages (Linux sends about one "Port Unreachable" per second, controlled by net.ipv4.icmp_ratelimit). Nmap slows down to match, so each closed port costs a full second and a scan of all 65,535 UDP ports can take over 18 hours; TCP has no such limit.
- False Positives: Some firewalls drop packets silently instead of returning an ICMP error, so a port that is actually closed behind the firewall shows up as open|filtered.
Common UDP Services to Watch
When pentesting, you usually don't scan all UDP ports. Instead, you target the "Big 5" that are most likely to be active (for example nmap -sU -sV -p 53,67,68,123,161,500 <target>):
| Port | Service | Importance |
|---|---|---|
| 53 | DNS | Critical for name resolution; a misconfigured server may allow zone transfers (AXFR, which runs over TCP 53). |
| 67 / 68 | DHCP | Used for IP assignment; can be used for “starvation” attacks. |
| 123 | NTP | Network Time; can be abused for DDoS amplification. |
| 161 | SNMP | Simple Network Management; often leaks system info via default strings like “public.” |
| 500 | ISAKMP / IKE | IPsec VPN key negotiation; a response identifies the VPN gateway and is the starting point for attacking the tunnel. |