UDP Port Scan

Online UDP port scan available for common UDP services. The UDP port scan is part of the IP Tools range of network testing tools. The test uses the excellent Nmap Port Scanner to scan 5 of the most common UDP ports.

Ports tested in the quick UDP scan are 53, 123, 161, 5353 and 1900.

Step up and play at the next level on our hosted Online Nmap Port Scanner with a membership.


Common UDP Services

53 DNS The Domain Name System is one of the most common UDP services. It matches host names with IP addresses. DNS is a core part of the Internets plumbing.
123 NTP Network Time Protocol allows computers on the Internet to keep time. For computers to work together it helps if they can keep accurate time.
161 SNMP Simple Network Management Protocol is a monitoring and configuration protocol, commonly used to monitor system performance and interface utilization. SNMP can be a serious security vulnerability if not managed correctly.
5353 mDNS Multicast Domain Name System, this protocol is an implementation of DNS for use on local networks. It uses multicast to resolve host names to IP addresses when there is no configured DNS server. Not something you would expect to see listening on the Internet.
1900 UPNP Universal Plug and Play, is a network protocol that was designed for residential and small networks to allow devices such as printers, data sharing and entertainment devices to communicate with each other. Also, not something you would expect to see listening on Internet facing systems.

Understanding UDP Port Scans

Since UDP is a connectionless protocol, finding open ports is more difficult than testing TCP ports where you are able to get a three way TCP handshake to confirm the port is open.

In a UDP port scan there can be some ambiguity in the results. A non-responding port could be a port that is firewalled or it could be a service that has not recognized the initial packet so did not respond. The other option is that a closed port responds with an ICMP Port Unreachable message, this indicates that there is no service running on that port, however even these can be a little unreliable as a firewall may rate limit or block the ICMP port unreachable messages.

Other ICMP Port Unreachable responses can indicate that a firewall is present, so as you can see UDP Port Scans can be fun.

See the Wireshark examples below for more of an understanding.

Did you know that due to rate limiting of ICMP port unreachable messages by the operating system Nmap scans of all 65535 ports can take around 18 hours.

Security implications of open UDP services

UDP port scans should not be ignored by testers as they can leave an organization vulnerable to a number of different attacks, these include exploitable services that can lead to remote execution or even legitimate common services such as NTP and DNS can be used for DDOS reflection attacks. Understanding what services are open through the firewall is an important part of a security vulnerability assessment.

UDP Port Scan Samples

In order to understand the responses from a UDP port scan I have scanned my my local router with telnet. The scans and responses have been captured with Wireshark in order to display the UDP traffic. The captures were taken on the local host that was running the Nmap scans.

Scan of Port 53

There is no DNS server running on my router, the port is filtered by the local firewall.

Starting Nmap 7.31 ( https://nmap.org ) at 2017-03-31 12:17 AEDT
Nmap scan report for gateway (192.168.1.1)
Host is up (0.00030s latency).
PORT   STATE         SERVICE
53/udp open|filtered domain
MAC Address: 34:xx:F6:xx:A7:C8 (Unknown)

You can see the open|filtered result in Nmap. This is due to the firewall on the router dropping the UDP packet. No response can be seen in the capture.

UDP Scan of Port 53

Scan of Port 5353

Multicast DNS is running on the router, as you can see in the Nmap result showing an open port.

Starting Nmap 7.31 ( https://nmap.org ) at 2017-03-31 12:18 AEDT
Nmap scan report for gateway (192.168.1.1)
Host is up (0.00036s latency).
PORT     STATE SERVICE
5353/udp open  zeroconf
MAC Address: 34:xx:F6:xx:A7:C8 (Unknown)

In the capture you can the response from the router answering, this comes back to the localhost on a source port of 5353. The localhost then does not expect that response so generates an ICMP Port unreachable back to the router.

UDP Scan of Port 5353

Scan of Port 99

Picking a random port on the router that was not being filtered (UDP port 99) for testing purposes you can that the router responds with an ICMP Port Unreachable, which Nmap interprets as a closed port.

Starting Nmap 7.31 ( https://nmap.org ) at 2017-03-31 12:23 AEDT
Nmap scan report for gateway (192.168.1.1)
Host is up (0.00024s latency).
PORT   STATE  SERVICE
99/udp closed metagram
MAC Address: 34:xx:F6:xx:A7:C8 (Unknown)

In this test the Wireshark capture shows the scan and the ICMP response that indicates a closed port.

UDP Scan of Port 99 - closed port

More Nmap Resources

Additional resources are available on:

Have you seen our other Free IP and Network Testing tools.
Discover, Explore, Learn.
Find out More
Next level testing with advanced Security Vulnerability Scanners. Trusted tools. Hosted for easy access.
I want to Secure My Systems