A Close Look at UDP Ping
Generally, any task that works with data entails collecting as much of it as possible and merging what has been obtained. Data recorded from the network gives us only a partial view of the whole network. There is so much information to collect that we cannot process all of it in reasonable time, and what we do collect shows how complex, resilient to failures and yet sensitive to attack the Internet really is.
Simply said, collecting as much data as we can from the target network gives us a better chance of obtaining the most reliable and correct picture of the whole network. Receiving information from as many routers and active network devices as possible is the best way to do this. When a machine on the Internet receives an invalid packet from a sender, it answers the sender with an error message using the dedicated ICMP protocol (see my previous guide, Secrets of Magic Called Ping). Many tools rely on this behaviour. One of them is UDP ping, a tool designed to send a UDP packet to a target on an unallocated port and wait for a specific error answer.
The most basic and correct way to retrieve data is to target as many devices on the target network as we can. However, uniformly choosing a target node on the Internet at random is not generally possible. First, notice that it is easy to sample a random IP address: it is nothing but a 32-bit integer. But a random IP address is not a random node. Routers may have more than one interface or IP address, and any random IP address we generate may belong to a router, to an end-host, or even to a router behaving incorrectly (one that does not answer probes).

Understanding these basic facts leads us to use general penetration-testing and probing tools such as UDP ping. The UDP ping tool was developed for discovering machines on the Internet and their interfaces. Its parameters are similar to those of its TCP counterpart. We need to provide:
- Source interface – interface of monitoring host that we use the tool on (often end-host with only one interface)
- Target interface – IP address of the target machine
- UDP destination port – range of 49152 – 65535 (UDP ports in this range are usually not allocated)
If no error message comes back, one of several things may have happened:
- The target IP address does not belong to any active device
- It belongs to an active device, but that device discards the UDP datagram without sending an ICMP error message
- It belongs to an active device that sends an ICMP error message, but the message is filtered on its way back to our monitoring host
- The target is located behind a firewall that silently discards unwanted UDP traffic
- The port we use for probing is open (in use), so no error message is generated
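As an added illustration (not part of the original post and not code from any UDP ping implementation), the Python below builds the exchange the text describes: a UDP probe aimed at a port in the 49152–65535 range, and the ICMP destination unreachable / port unreachable error (type 3, code 3) that a live host returns for it. It then performs the check a UDP ping tool makes on each received packet: verify the ICMP checksum, match the header quoted inside the error against the probe we sent, and record which address actually answered (for a router this is the interface facing us, which need not equal the address we targeted). All addresses and ports are constructed documentation values; nothing is sent on the wire.

```python
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_PORT_UNREACH = 3   # code 3 under type 3: port unreachable


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IP and ICMP headers.
    Over a message that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src_ip, dst_ip, src_port, dst_port) -> bytes:
    """The datagram UDP ping sends: IP header plus an empty UDP datagram
    (UDP checksum 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return ipv4_header(src_ip, dst_ip, IPPROTO_UDP, len(udp)) + udp


def icmp_port_unreachable(responder_ip, monitor_ip, offending: bytes) -> bytes:
    """Constructed reply: ICMP type 3 / code 3 quoting the offending IP header
    and the first 8 bytes of its payload, as RFC 792 requires."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(responder_ip, monitor_ip, IPPROTO_ICMP, len(body)) + body


def _udp_endpoints(ip_packet: bytes):
    """(dst_ip, src_port, dst_port) of an IP packet carrying UDP."""
    ihl = (ip_packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", ip_packet[ihl:ihl + 4])
    return socket.inet_ntoa(ip_packet[16:20]), sport, dport


def classify_reply(packet: bytes, probe: bytes):
    """Attribute a received IP packet to our probe. Returns (verdict, responder),
    where responder is the address that actually answered."""
    responder = socket.inet_ntoa(packet[12:16])
    if packet[9] != IPPROTO_ICMP:
        return "unrelated", responder
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if checksum(icmp) != 0:
        return "bad-checksum", responder
    if icmp[0] != ICMP_DEST_UNREACH:
        return "other-icmp", responder
    if len(icmp) < 8 + 28:
        return "truncated", responder      # not enough quoted data to match a probe
    # The quoted IP+UDP header tells us which of our probes this error answers.
    if _udp_endpoints(icmp[8:]) != _udp_endpoints(probe):
        return "other-probe", responder
    if icmp[1] == ICMP_PORT_UNREACH:
        return "port-unreachable", responder   # target is alive and that port is closed
    return "dest-unreachable", responder       # host/network/admin-prohibited variants


if __name__ == "__main__":
    # Constructed exchange using RFC 5737 documentation addresses.
    probe = udp_probe("192.0.2.10", "198.51.100.7", 40000, 55555)
    reply = icmp_port_unreachable("198.51.100.7", "192.0.2.10", probe)
    print(classify_reply(reply, probe))   # ('port-unreachable', '198.51.100.7')
```

Only the port-unreachable verdict tells us something definite: the target is alive and that port is closed. Any other outcome, and above all a timeout, is ambiguous and corresponds to one of the causes listed above, which is why a real run sends several probes per target and records the responding address separately from the targeted one.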