Nmap UDP scanning

When a host receives a UDP packet on a port it isn't listening on, it is supposed to reply with an ICMP Port Unreachable (ICMP Type 3, Code 3). If it is listening on that port, the packet contents are fed to the listening application and processed. If the application does not understand the packet contents, it might reply with an error, but most likely it will drop the packet and not reply at all.

What UDP protocol awareness brings is a better payload. With protocol awareness, a scan of the UDP DNS port (udp/53), for instance, might be an actual DNS request. A scan of an NTP (Network Time Protocol) port could be an NTP timestamp or time request. The application receives a valid packet, and if there is a listening port, a valid response is sent back to the scanner, and the scanner can now know for certain that this port is open!

Don't forget about ICMP rate limiting! Most non-Microsoft systems limit the total of ALL forms of ICMP to a few per second, making ICMP port unreachables even less reliable for determining if a port is really closed :-(
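The three outcomes described above can be reproduced entirely on loopback. The following is an added example, not code from the original post or from Nmap: the "picky" listener, the function names and the 127.0.0.1-only setup are assumptions made for illustration, and the state names follow Nmap's open / closed / open|filtered labels.

```python
import socket, struct, threading

def dns_query(name="example.com", txid=0x1234):
    """Build a minimal, valid DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN

def probe(host, port, payload, timeout=1.0):
    """Send one UDP datagram and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))         # connected socket: ICMP errors surface on recv()
        try:
            s.send(payload)
            s.recv(2048)
            return "open"               # the application answered
        except ConnectionRefusedError:
            return "closed"             # ICMP Port Unreachable (type 3, code 3) arrived
        except socket.timeout:
            return "open|filtered"      # silence: dropped payload, filter, or rate-limited ICMP

def start_picky_listener():
    """Constructed stand-in for a UDP service: answers well-formed DNS
    queries and silently drops everything else. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        while True:
            data, peer = srv.recvfrom(2048)
            if len(data) >= 12 and struct.unpack(">H", data[4:6])[0] == 1:
                srv.sendto(data[:2] + b"\x81\x80" + data[4:], peer)  # same query, QR bit set
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Pick a loopback UDP port that nothing is bound to (bind, note, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    port = start_picky_listener()
    return {
        "empty payload, service listening": probe("127.0.0.1", port, b""),
        "DNS payload, service listening": probe("127.0.0.1", port, dns_query()),
        "DNS payload, nothing listening": probe("127.0.0.1", closed_port(), dns_query()),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

The same listening port reads as open|filtered with an empty payload and as open with a valid DNS query. From the defender's side, a UDP service that stays silent on malformed input is not hidden from a protocol-aware scan.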

This article comes from the “漫步Hacking时空” blog; reposting is declined!
