Scanning UDP ports is very different from scanning TCP ports: because UDP is a connectionless protocol, you may or may not get any result back from probing a UDP port.
The SG portscan technique is to send 0-byte UDP packets to each port on the target machine. If we receive an "ICMP Port Unreachable" message, then the port is closed. If a UDP response is received to the probe (unusual), the port is open. If we get no response at all, the state is "open|filtered", meaning that the port is either open or packet filters are blocking the communication.
ISPs can filter some UDP ports (your ISP kills the port probe before it gets to you), so the scan never gets the "ICMP Port Unreachable" back and the port remains in the open|filtered state.
Our portscan also keeps track of the number of UDP ports that don't reply with "ICMP Port Unreachable", and after scanning a large enough number (25+) of UDP ports it can make a reasonable determination whether some packet filtering is in play and ports are actually being filtered.
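
The three-state classification and the 25+ port filtering check described above, as an added Python example (not SG's own code). The decision rule in `assess_filtering`, its `silent_ratio` threshold and the result labels are assumptions, since the page gives only the 25-port sample size.

```python
import socket

MIN_SAMPLE = 25  # the page's "large enough number (25+)" of probed ports

def classify(icmp_unreachable, udp_reply):
    """Map one probe's outcome to the three states the page defines."""
    if icmp_unreachable:
        return "closed"
    return "open" if udp_reply else "open|filtered"

def probe_udp(host, port, timeout=2.0):
    """Send one 0-byte datagram. On a connected UDP socket the OS surfaces
    a received ICMP Port Unreachable as a connection error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(2048)
        except ConnectionError:      # ICMP Port Unreachable came back
            return classify(True, False)
        except socket.timeout:       # silence
            return classify(False, False)
        return classify(False, True)  # any UDP payload, even empty

def assess_filtering(states, silent_ratio=0.9):
    """Assumed rule: judge filtering from how many ports stayed silent."""
    if len(states) < MIN_SAMPLE:
        return "insufficient-sample"
    silent = sum(1 for s in states.values() if s == "open|filtered")
    closed = sum(1 for s in states.values() if s == "closed")
    if silent == 0:
        return "unfiltered"
    if closed == 0 or silent / len(states) >= silent_ratio:
        return "filtered"   # (almost) no ICMP errors reach the scanner
    # Some ports answer with ICMP, some do not: the silent ones are open,
    # filtered per port, or their ICMP errors were rate-limited away.
    return "mixed"

# Constructed sample: 27 closed high ports plus silent NetBIOS ports.
CONSTRUCTED_SCAN = {port: "closed" for port in range(1000, 1027)}
CONSTRUCTED_SCAN.update({137: "open|filtered", 138: "open|filtered",
                         139: "open|filtered"})

if __name__ == "__main__":
    print(assess_filtering(CONSTRUCTED_SCAN))  # mixed
```
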
Notes:
Some ISPs filter UDP traffic on NetBIOS ports (137, 138, 139), such as some subnets of the Mediaone/AT&T RoadRunner networks. Others may filter UDP traffic on port 31337 (as nothing good ever rode into town on that Back Orifice port).
UDP scanning can also be painfully slow since most hosts implement a suggestion in RFC 1812 (section 4.3.2.8) of limiting the ICMP error message rate.