The Internet is a complex system composed of many different protocols and implementations, and it is sometimes very buggy. It contains many poorly documented devices, and operators implement policies that are hard to measure. The data we do manage to measure is often imperfect, partial or awkward to work with, and understanding it takes skill and practice.
Any task involving data generally entails collecting as much of it as possible and merging what is obtained. Data recorded from the network gives us only a partial view of the whole network; there is so much to collect that we cannot process it all in reasonable time. What we do gather shows how complex the Internet really is: resilient to failures, yet sensitive to attack.
Simply put, collecting as much data as we can from the target network gives us the best chance of obtaining a reliable and correct picture of the whole network, so we want answers from as many routers and active network devices as possible. One useful lever: when a machine on the Internet receives a packet it cannot deliver, for example a UDP datagram addressed to a port nothing is listening on, it answers the sender with an error message carried by the dedicated ICMP protocol (see my previous guide, Secrets of Magic Called Ping). Many tools rely on these error messages. One of them is UDP ping, a tool that sends a UDP packet to an unallocated port on a target and waits for a specific error in response.
The most basic and correct way to retrieve data is to target as many devices on the target network as we can. However, choosing a target node on the Internet uniformly at random is generally not possible. Notice first that it is easy to sample a random IP address: it is nothing but a 32-bit integer. But a random IP address is not a random node. Routers may have more than one interface, and therefore more than one IP address, so a random address we generate may belong to a router, to an end-host, or to a router that behaves incorrectly (it does not answer probes). Understanding these basic facts leads us to general probing tools such as UDP ping. UDP ping was developed for discovering machines on the Internet and their interfaces. Its parameters are similar to those of TCP ping. We need to provide:
- Source interface – interface of monitoring host that we use the tool on (often end-host with only one interface)
- Target interface – IP address of the target machine
- UDP destination port – in the range 49152 – 65535 (the dynamic/private range; UDP ports there are usually not allocated to a listening service)
The goal of UDP ping is to detect whether there is an active host behind the target interface (IP address). To do so, UDP ping sends an IP packet carrying a UDP datagram and then listens for all incoming ICMP messages. If the target interface belongs to an active host with nothing listening on that port, the host generates an ICMP type 3 message (Destination Unreachable) with code 3 (Port Unreachable); catching that Port Unreachable is what tells us the host is alive. UDP ping then exits with a success code and returns the IP address of the target. Otherwise, if after a set amount of time UDP ping has not caught a matching ICMP message, it exits with a failure code. This can happen for many reasons:
- The target IP address does not belong to any active device
- It belongs to an active device, but the device discards the UDP datagram without sending an ICMP error message (many hosts also rate-limit the ICMP errors they send)
- It belongs to an active device that sends ICMP error message, but this message is filtered on its way back to our monitoring host
- The target is located beyond a firewall that silently discards unwanted UDP traffic
- The port we use for probing is open (in use), so no error message is generated
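The exchange described above, written out as an added example in Python (this is not the original UDP ping tool's code): the probe to a high UDP port, a parser for the ICMP Destination Unreachable that comes back, and the step the text implies but does not spell out, matching the quoted datagram inside the ICMP error against the probe we sent, which is what separates the target's own Port Unreachable from errors about other flows or from routers in between. Assumptions, also stated in the module docstring: Linux raw-socket behaviour (the ICMP raw socket returns whole IPv4 packets), root for the live probe, and constructed sample packets with zero checksums for the offline check. The addresses used are documentation ranges, not real hosts.

```python
"""UDP ping in Python: send a UDP datagram to a high, probably unallocated
port and wait for ICMP Destination Unreachable / Port Unreachable.

Added example, not the original tool. Assumes Linux raw-socket semantics and
root for udp_ping(); the parser and build_unreachable() need no privileges.
Constructed packets carry zero checksums because the parser never checks them.
"""
import random
import socket
import struct
import time

ICMP_DEST_UNREACH = 3          # ICMP type 3: Destination Unreachable
CODE_PORT_UNREACH = 3          # code 3: Port Unreachable (host alive, port closed)
HIGH_PORTS = (49152, 65535)    # dynamic/private UDP range used for probing


def parse_icmp_unreachable(packet: bytes):
    """Parse a raw IPv4 packet carrying ICMP type 3; return the reporter, the
    code and the quoted original datagram's addresses/ports, or None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    # RFC 792: after the 8-byte ICMP header comes the original IP header plus
    # the first 8 bytes of its payload, i.e. the complete UDP header.
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_UDP or len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "code": icmp[1],
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_sport": sport,
        "orig_dport": dport,
    }


def classify_reply(packet: bytes, probe: dict):
    """Match an ICMP error against our probe {"dst", "sport", "dport"}.
    "alive": Port Unreachable sent by the target itself (the success case).
    "filtered": another type 3 code, or Port Unreachable from a third party,
    quoting our probe (typically a router/firewall refusing to forward it).
    None: not a type 3 message, or one about somebody else's flow."""
    info = parse_icmp_unreachable(packet)
    if info is None:
        return None
    ours = (info["orig_dst"], info["orig_sport"], info["orig_dport"])
    if ours != (probe["dst"], probe["sport"], probe["dport"]):
        return None
    if info["code"] == CODE_PORT_UNREACH and info["reporter"] == probe["dst"]:
        return "alive"
    return "filtered"


def udp_ping(dst: str, dport: int = 0, timeout: float = 2.0) -> str:
    """Live probe (root required). 'silent' means no matching ICMP arrived
    before the timeout, which covers every failure reason listed in the text."""
    dport = dport or random.randint(*HIGH_PORTS)
    icmp = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("", 0))                          # kernel picks our source port
    probe = {"dst": dst, "sport": udp.getsockname()[1], "dport": dport}
    deadline = time.monotonic() + timeout
    try:
        udp.sendto(b"udp-ping", (dst, dport))
        while (left := deadline - time.monotonic()) > 0:
            icmp.settimeout(left)
            try:
                verdict = classify_reply(icmp.recv(65535), probe)
            except socket.timeout:
                break
            if verdict:
                return verdict
        return "silent"
    finally:
        icmp.close()
        udp.close()


def build_unreachable(reporter, orig_src, orig_dst, sport, dport,
                      code=CODE_PORT_UNREACH) -> bytes:
    """Constructed ICMP error as the target (or a router) would send it back
    to orig_src; only used to exercise the parser offline."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 16, 0)      # 8 hdr + 8 data
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64,
                           socket.IPPROTO_UDP, 0, socket.inet_aton(orig_src),
                           socket.inet_aton(orig_dst))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    icmp += inner_ip + udp_hdr + b"udp-ping"
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                           socket.IPPROTO_ICMP, 0, socket.inet_aton(reporter),
                           socket.inet_aton(orig_src))
    return outer_ip + icmp
```

Call udp_ping("203.0.113.7") as root for a live probe; the result is "alive", "filtered" or "silent". Without privileges, build_unreachable() produces the packet a closed port would provoke and classify_reply() shows why the source port and destination port of the quoted datagram must be compared with the probe: an ICMP error about some other flow on the monitoring host would otherwise be counted as a reply.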
Using UDP ping from multiple sources against the same target is called Distributed UDP ping. If the set of monitors is well distributed and large enough, you may discover several interfaces of the target or even get around some of the filters in front of the target network. UDP ping requires elevated privileges: sending the UDP packet is ordinary, but listening to and decoding all incoming ICMP messages needs a raw socket, so on most UNIX systems it must run as root. Since a burst of UDP datagrams arriving from many distributed machines can look like a distributed attack to the target host, take extreme care not to send all the UDP probes at once; use a delay between them.