UDP Ping
Attack Pattern ID: 298 (Detailed Attack Pattern Completeness: Stub)Typical Severity: LowStatus: Draft
+ Description

Summary

An attacker sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an ICMP port unreachable message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ' ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. A UDP Ping has the following characteristics:

1. Host Discovery: Can be used to discover if a host is alive via ICMP Port Unreachable Messages.

2. Effective Against: Firewalls that allow some incoming UDP which are not configured to block egress ICMP messages.

3. Weak Against: Firewalls properly configured to block UDP datagrams that are also block egress ICMP messages.

4. Port State: Able to determine if a port is closed via ICMP Port Unreachable Messages.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

+ Attack Prerequisites

The ability to send a UDP datagram to a remote host and receive a response.

+ Resources Required

The ability to craft custom UDP Packets for use during network reconnaissance. UDP pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern292Host Discovery 
Mechanism of Attack1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
J. Postel. "RFC768 - User Datagram Protocol". 1980. <http://www.faqs.org/rfcs/rfc768.html>.
Mark Wolfgang. "Host Discovery with Nmap". 2002. <http://nmap.org/docs/discovery.pdf>.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
Back to top