dslreports logo


3.0 Results

When a probe (scan) is sent to a UDP port there a twop possible responses, "open" and "closed".

Normally, a closed UDP port responds to an incoming packet by returning an "ICMP unreachable" message. Many port scanners depend on this message to list the port as "closed". Some firewall programs "absorb" the UPD packet before it ever reaches the UPD port and an "ICMP unreachable" message is not sent. In a case like this the scanner is fooled and thinks the port is "open", when it actually may be closed.

One way to tell if your firewall is exhibiting this behavior is to scan a large number of your UDP ports. Since it's impossible for your system to have several thousand ports open at once, if a UDP scan tells you they are, chances are it's your firewall doing its job.

by Mack Bolan See Profile edited by KeysCapt See Profile
last modified: 2004-02-01 05:42:47


A UDP scan works by implying state:

• If a UDP port is probed and a PORT UNREACHABLE packet comes back, the port is marked as closed.
• If a UDP port is probed and nothing comes back, it is marked as open.

If you block only certain UDP ports, then strangely, you appear to have those ports open to a scanner. It is better to simply block response from ANY and ALL UDP ports. That way, you are not giving away any information at all.

by KeysCapt See Profile
last modified: 2004-02-01 05:38:05

There is an example scan result report available from the link at the top of each secure-me page called 'example scan'.

by KeysCapt See Profile
last modified: 2004-02-01 05:38:29

To ensure that your security profile does not change over time, re-scans are recommended as good practice. Since computers may get re-installed, reconfigured, or upgraded, new loopholes may open up without you being aware of it, especially if the loopholes are only visible from outside.

by KeysCapt See Profile
last modified: 2004-02-01 05:49:04

Port 113 is often left visible by firewalls since 113 is the IDENT port.

IDENT is used when you connect to mail servers, or to IRC servers, to find out "who" is using the service. With IDENT filtered, your ISP mail server (unlikely) or IRC server (likely) may refuse your request or take a long time to respond as it waits for a closed/open response.

It is possible to remove IDENTD as showing up as a port by reconfiguring your firewall to over-ride the default rules. As above, if IDENTD is filtered in this way, IRC and mail servers may not work properly.

You can also decide that IDENTD is safe, since just having it visible does not mean there is anything that can be exploited on your side, and live with the less than "perfect" results.

by KeysCapt See Profile
last modified: 2004-02-01 05:50:18