FAQ Revisions. Editors: Mike, KeysCapt
Last modified on 2010-03-13 18:41:23

3.0 Results

When a probe (scan) is sent to a UDP port there are two possible responses, "open" and "closed".

Normally, a closed UDP port responds to an incoming packet by returning an "ICMP unreachable" message. Many port scanners depend on this message to list the port as "closed". Some firewall programs "absorb" the UDP packet before it ever reaches the UDP port, so no "ICMP unreachable" message is sent. In a case like this the scanner is fooled and thinks the port is "open", when it actually may be closed.

One way to tell if your firewall is exhibiting this behavior is to scan a large number of your UDP ports. Since it's impossible for your system to have several thousand ports open at once, if a UDP scan tells you they are, chances are it's your firewall doing its job.

by Mack Bolan, edited by KeysCapt
last modified: 2004-02-01 05:42:47

A UDP scan works by implying state:

• If a UDP port is probed and a PORT UNREACHABLE packet comes back, the port is marked as closed.
• If a UDP port is probed and nothing comes back, it is marked as open.

If you block only certain UDP ports, then strangely, you appear to have those ports open to a scanner. It is better to simply block response from ANY and ALL UDP ports. That way, you are not giving away any information at all.

by KeysCapt
last modified: 2004-02-01 05:38:05
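The inference rule above, and the "too many open ports" sanity check from the previous entry, as an added example that is not part of this FAQ: a constructed model of a host whose firewall may absorb UDP probes, with the scanner's closed/open logic run over it. Port numbers, the listening set and the 50% threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed probe outcomes. ICMP type 3, code 3 is "port unreachable".
PORT_UNREACHABLE = ("icmp", 3, 3)
NO_RESPONSE = None


def classify_udp_probe(response):
    """The scanner's inference described in the FAQ: an ICMP port-unreachable
    means closed; silence is reported as open (it may really be filtered)."""
    if response == PORT_UNREACHABLE:
        return "closed"
    if response is NO_RESPONSE:
        return "open"
    return "unknown"  # e.g. an application-layer UDP reply or another ICMP code


def simulate_host(ports, listening, absorb_all=False, absorb_ports=frozenset()):
    """Constructed model of a host behind a firewall. A listening port never
    answers the probe with ICMP; a closed port answers with port-unreachable
    unless the firewall absorbs the probe before it reaches the port."""
    responses = {}
    for port in ports:
        if absorb_all or port in absorb_ports or port in listening:
            responses[port] = NO_RESPONSE
        else:
            responses[port] = PORT_UNREACHABLE
    return responses


def scan(responses):
    """Map every probed port to the scanner's verdict."""
    return {port: classify_udp_probe(resp) for port, resp in responses.items()}


def firewall_absorbing(results, threshold=0.5):
    """Sanity check from the FAQ: if a large share of probed ports report
    'open', it is almost certainly the firewall silently dropping probes,
    since no real host has thousands of UDP services listening at once."""
    counts = Counter(results.values())
    return counts["open"] / max(len(results), 1) >= threshold
```

Blocking only a few ports (the `absorb_ports` case) makes exactly those ports show as "open", which is the information leak the entry above warns about.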

There is an example scan result report available from the link at the top of each secure-me page called 'example scan'.

by KeysCapt
last modified: 2004-02-01 05:38:29

To ensure that your security profile does not change over time, re-scans are recommended as good practice. Since computers may get re-installed, reconfigured, or upgraded, new loopholes may open up without you being aware of it, especially if the loopholes are only visible from outside.

by KeysCapt
last modified: 2004-02-01 05:49:04

Port 113 is often left visible by firewalls since 113 is the IDENT port.

IDENT is used when you connect to mail servers, or to IRC servers, to find out "who" is using the service. With IDENT filtered, your ISP mail server (unlikely) or IRC server (likely) may refuse your request or take a long time to respond as it waits for a closed/open response.

It is possible to stop IDENTD from showing up as a visible port by reconfiguring your firewall to override the default rules. As above, if IDENTD is filtered in this way, IRC and mail servers may not work properly.

You can also decide that IDENTD is safe, since just having it visible does not mean there is anything that can be exploited on your side, and live with the less than "perfect" results.

by KeysCapt
last modified: 2004-02-01 05:50:18