UDP Scan (-sU)
Requires Privileged Access: YES
Identifies TCP Ports: NO
Identifies UDP Ports: YES

UDP has no SYNs, FINs, or any other handshake: datagrams are simply sent, and a reply, if any, arrives with no prior notice. The absence of a formal connection setup simplifies the probe itself, although it makes the absence of a reply much harder to interpret, as the open|filtered state below shows.


UDP Scan Operation

A station that responds with an ICMP port unreachable is clearly advertising a closed port:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.10] UDP: D=971 S=43347 LEN=8
[192.168.0.10] [192.168.0.8]  ICMP: Destination unreachable (Port unreachable)
A station that doesn't respond to the UDP scan, even after nmap retransmits the probe, is reported as open|filtered, because an open service that ignores an empty datagram is indistinguishable from a firewall that silently drops the probe:

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.10] UDP: D=80 S=43347 LEN=8
A station that answers with UDP data has an open port. (One further case is not shown in these traces: an ICMP destination unreachable with a code other than port unreachable, such as administratively prohibited, is reported as filtered.)

Source          Destination     Summary 
--------------------------------------------------------------------------------------
[192.168.0.8]  [192.168.0.10] UDP: D=2001 S=43347 LEN=8
[192.168.0.10] [192.168.0.8]  UDP: D=43347 S=2001 LEN=40
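The decision rules behind the three traces above, as an added example that is not nmap's own code. It classifies each probed port from the replies seen for it, runs the rules over a constructed capture (port numbers and replies invented for the example, modelled on the traces), and summarizes the results the way nmap does; the rule that other ICMP unreachable codes mean filtered follows nmap's documented behaviour.

```python
"""Port-state rules of nmap -sU, applied to a constructed capture.

Added example, not nmap's own code. The three cases mirror the traces above;
the "other ICMP unreachable -> filtered" rule follows nmap's documented
behaviour. Port numbers and replies below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_DEST_UNREACH = 3          # ICMP type 3
ICMP_PORT_UNREACH = 3          # code 3: port unreachable -> closed
# Other type 3 codes nmap reports as "filtered": net/host unreachable,
# net/host administratively prohibited, communication administratively prohibited.
FILTERED_UNREACH_CODES = {1, 2, 9, 10, 13}


@dataclass
class Reply:
    proto: str                      # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    length: int = 0                 # UDP payload bytes, for "udp" replies


def udp_port_state(replies: List[Reply]) -> str:
    """Classify one probed port from every reply seen for it."""
    for r in replies:
        if r.proto == "udp":
            return "open"                       # the service answered
        if r.proto == "icmp" and r.icmp_type == ICMP_DEST_UNREACH:
            if r.icmp_code == ICMP_PORT_UNREACH:
                return "closed"                 # the stack says nothing listens
            if r.icmp_code in FILTERED_UNREACH_CODES:
                return "filtered"               # a router or firewall refused it
    # Silence (even after retransmissions): an open service that ignores an
    # empty datagram is indistinguishable from a firewall dropping the probe.
    return "open|filtered"


def build_capture() -> Dict[int, List[Reply]]:
    """Constructed capture: every port answers ICMP port unreachable except
    two that behave like the traces (80 silent, 2001 answers with 40 bytes)
    and one administratively prohibited port added to show the fourth state."""
    capture = {p: [Reply("icmp", 3, 3)] for p in range(1, 2049)}
    capture[80] = []                                  # no answer at all
    capture[2001] = [Reply("udp", length=40)]         # 40-byte UDP answer
    capture[53] = [Reply("icmp", 3, 13)]              # communication admin prohibited
    return capture


def scan_results(capture: Dict[int, List[Reply]], ports) -> Dict[int, str]:
    """Ports absent from the capture produced no reply at all."""
    return {p: udp_port_state(capture.get(p, [])) for p in ports}


def nmap_style_summary(results: Dict[int, str]) -> Tuple[str, int, Dict[int, str]]:
    """Hide the dominant state, as nmap does with its
    '(The N ports scanned but not shown below are in state: closed)' line."""
    dominant, count = Counter(results.values()).most_common(1)[0]
    shown = {p: s for p, s in sorted(results.items()) if s != dominant}
    return dominant, count, shown


if __name__ == "__main__":
    dominant, count, shown = nmap_style_summary(
        scan_results(build_capture(), range(1, 2049)))
    print(f"(The {count} ports scanned but not shown below are in state: {dominant})")
    print(f"{'PORT':<10}STATE")
    for port, state in shown.items():
        print(f"{port}/udp".ljust(10) + state)
```

Run as-is it prints a table in the shape of the nmap output further down: 2045 closed ports hidden, and 53/udp filtered, 80/udp open|filtered and 2001/udp open listed.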
The nmap output shows the results of the UDP scan:
# nmap -sU -v 192.168.0.10

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-11 12:44 EDT
Initiating UDP Scan against 192.168.0.10 [1478 ports] at 12:44
Discovered open port 2001/udp on 192.168.0.10
The UDP Scan took 1.47s to scan 1478 total ports.
Host 192.168.0.10 appears to be up ... good.
Interesting ports on 192.168.0.10:
(The 1468 ports scanned but not shown below are in state: closed)
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1031/udp open|filtered iad2
1032/udp open|filtered iad3
1900/udp open|filtered UPnP
2001/udp open          wizard
4500/udp open|filtered sae-urn
MAC Address: 00:30:48:11:AB:5A (Supermicro Computer)

Nmap finished: 1 IP address (1 host up) scanned in 2.241 seconds
               Raw packets sent: 1489 (41.7KB) | Rcvd: 1470 (82.3KB)
#

Advantages of the UDP Scan
Since there's no TCP handshake, an open UDP port costs a single probe and a single reply, so the UDP scan is inherently less "chatty" than a TCP scan once it finds an open port. However, if the target answers every unavailable port with an ICMP port unreachable, the number of total frames can exceed a TCP scan by about 30%, and because each ICMP error quotes the original datagram, more bytes come back than went out (82.3KB received against 41.7KB sent in the output above).

Microsoft-based operating systems do not usually implement any type of ICMP rate limiting, so this scan operates very efficiently on Windows-based devices.


Disadvantages of the UDP Scan
The UDP scan provides port information only. If service version information is needed, supplement the scan with version detection (-sV), for example nmap -sU -sV -p 123,2001 192.168.0.10; operating system fingerprinting (-O) is added the same way.

The UDP scan requires privileged access, since raw sockets are needed to craft the probes and to see the ICMP responses, so this scan option is only available on systems with the appropriate user permissions.

RFC 1812 recommends limiting the rate of ICMP messages sent by a single device. The implementation of the rate limiting is not specifically defined, but the RFC suggests sending ICMP messages relative to the number of received frames, at most one every T milliseconds, or relative to the available bandwidth. Linux, for example, limits destination unreachable messages to about one per second, so a full scan of 65,535 closed ports takes over 18 hours. If a device has implemented ICMP rate limits, nmap detects the missing replies and automatically slows the scan rate to match the ICMP rate, since probing faster would only turn closed ports into false open|filtered results.
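Why the scanner has to slow down, as an added simulation that is not nmap's code: a host whose ports are all closed, behind an RFC 1812-style "one ICMP message every T milliseconds" limiter, scanned once at a fixed fast rate and once by a scanner that doubles its inter-probe delay whenever a probe goes unanswered. The doubling back-off is an assumption standing in for nmap's real congestion control, which is more elaborate; the 100 ports and the 1 per second limit are chosen for the example.

```python
"""Effect of ICMP rate limiting on a UDP scan of a host whose ports are all closed.

Added example, not nmap's own code. The target is a simplified RFC 1812-style
limiter ("at most one ICMP message every T milliseconds"); the adaptive
scanner's doubling back-off is an assumption standing in for nmap's real
congestion control, which is more elaborate.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class RateLimitedTarget:
    """All ports closed; emits at most one ICMP port unreachable per interval_ms."""
    interval_ms: int
    next_allowed_ms: int = 0
    probes_seen: int = 0

    def probe(self, now_ms: int) -> str:
        self.probes_seen += 1
        if now_ms >= self.next_allowed_ms:
            self.next_allowed_ms = now_ms + self.interval_ms
            return "icmp"       # type 3 code 3: the scanner will read "closed"
        return "none"           # limiter suppressed the reply: looks like silence


def scan_all_closed(target: RateLimitedTarget, ports, send_interval_ms: int,
                    adaptive: bool, max_retries: int = 3,
                    cap_ms: int = 1000) -> Tuple[Dict[int, str], int]:
    """Probe each port, retransmitting up to max_retries times before giving
    up as open|filtered. An adaptive scanner doubles its inter-probe delay
    (up to cap_ms) every time a probe goes unanswered. Returns the per-port
    states and the simulated elapsed time in milliseconds."""
    now, interval, results = 0, send_interval_ms, {}
    for port in ports:
        state = "open|filtered"
        for _ in range(max_retries + 1):
            reply = target.probe(now)
            now += interval
            if reply == "icmp":
                state = "closed"
                break
            if adaptive:
                interval = min(interval * 2, cap_ms)
        results[port] = state
    return results, now


def compare(n_ports: int = 100, limit_ms: int = 1000):
    """Run the fixed-rate and adaptive scanners against fresh targets with the
    same limiter; returns state counts, elapsed ms and probes sent for each."""
    ports = range(1, n_ports + 1)
    out = {}
    for label, adaptive in (("fast", False), ("adaptive", True)):
        target = RateLimitedTarget(limit_ms)
        results, elapsed = scan_all_closed(target, ports, 1, adaptive)
        out[label] = (Counter(results.values()), elapsed, target.probes_seen)
    return out


if __name__ == "__main__":
    for label, (counts, elapsed, probes) in compare().items():
        print(f"{label:>8}: {dict(counts)} in {elapsed / 1000:.1f}s, {probes} probes sent")
```

The fixed-rate scanner finishes 100 ports in under half a second but reports 99 of them as open|filtered, since the limiter lets only one ICMP reply through per second. The adaptive scanner misreports only the two ports probed while it was still backing off, then settles at one probe per second and gets every later port right, at the cost of roughly 98 seconds for 100 ports: the same one-port-per-second ceiling that makes a full 65,535-port scan of a Linux host take most of a day.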


When to use the UDP Scan
Because of the huge amount of TCP traffic on most networks, the usefulness of the UDP scan is often incorrectly discounted. There are numerous examples of open UDP ports caused by spyware applications, Trojan horses, and other malicious software. The UDP scan will locate these open ports and provide the security manager with valuable information that can be used to identify and contain these infestations.