We describe a (seemingly) new scanning technique for determining whether a UDP port is open without ever sending the target a packet that carries the scanner's own IP address. It is a UDP-specific variant of the TCP Idle Scan [1], which was discovered some 20 years ago. It proceeds similarly to the TCP RST Ratelimit Scan [2], but uses ICMP rate limiting as the side channel. It only works for UDP protocols for which we can solicit a reply [3]; for a list of such protocols, see e.g. ZMap's UDP probe module [4] or Nmap's payloads [5].
Consider three machines:

- S: Scanner.
- Z: Zombie. We assume Z is close enough to S (in network terms) that a burst of IP packets sent by S arrives at Z as a burst. We also assume the zombie runs a Linux kernel of version at least v3.18-rc1 [6] with default settings. In particular, we assume icmp_msgs_burst = 50 (other small values work, too) and icmp_ratemask = 0x1818, i.e. with the Destination Unreachable bit set [7]; it is that bit we rely on.
- T: Target. We wish to check whether the target is listening on $UDPPORT, speaking a protocol for which we can solicit a reply (e.g. SIP, or anything speaking DTLS; see above).
The scan proceeds as follows:
- S(Z) -> T: 1 UDP packet to $UDPPORT at T, spoofed from Z's IP address (using a source port that is closed on Z, so that a reply to it makes Z emit an ICMP error).
- S -> Z: 49 UDP packets to a closed port, from 49 different spoofed source IPs (so that per-host ICMP rate limiting does not kick in). Each of these costs Z one message of its global ICMP burst budget.
- T -> Z: If the target port is open, the target responds to Z with a UDP packet. Otherwise it sends an ICMP Destination Unreachable message to the zombie.
- Z -> T: If a UDP response arrived, the zombie answers with an ICMP Destination Unreachable message to the target, spending its last burst message. If an ICMP message arrived, nothing happens (ICMP errors are never sent in response to ICMP errors).
- S -> Z: 1 UDP probe to some closed port.
- Z -> S: If the zombie has exhausted its budget of 50 burst messages by responding to the target, the scanner receives no response, and the port is open. Otherwise it receives an ICMP Destination Unreachable message, and the port is closed (or the target silently dropped the probe, which is indistinguishable from closed here).
Note: A variant of this scan targets icmp_msgs_per_sec instead, which is 1000 by default. Either way, the whole exchange has to complete before the zombie's bucket is refilled, which is why Z must be close to S and the packets must be sent in a tight burst.
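The exchange above, as an added model that is not part of the original write-up: the zombie's global ICMP limiter is simulated as a token bucket with icmp_msgs_burst tokens refilled at icmp_msgs_per_sec, and the scan is run once per outcome. Everything beyond the two sysctls named in the text is an assumption of this model: the 20 ms refill slice, the per-destination bucket of six messages (a simplification of icmp_ratelimit), the placeholder addresses S, T and 198.51.100.x, and the function names. The model also shows two failure modes the text only implies: sending the 49 filler probes from the scanner's own address makes every port read as open, and spacing the packets too far apart lets the bucket refill, so an open port reads as closed.

```python
"""Model of the ICMP rate-limit side channel behind the UDP idle scan.

The zombie's global ICMP limiter is modelled as a token bucket with
icmp_msgs_burst tokens refilled at icmp_msgs_per_sec. The per-destination
limiter (icmp_ratelimit) is modelled as a second, simpler bucket. Slice
width and per-host burst are assumptions; check them against your kernel.
"""
from dataclasses import dataclass, field

ICMP_MSGS_BURST = 50      # net.ipv4.icmp_msgs_burst, kernel default
ICMP_MSGS_PER_SEC = 1000  # net.ipv4.icmp_msgs_per_sec, kernel default
REFILL_SLICE = 0.020      # assumed: the bucket is topped up in coarse slices
ICMP_RATELIMIT = 1.0      # net.ipv4.icmp_ratelimit = 1000 ms, kernel default
PER_HOST_BURST = 6        # assumed burst factor of the per-destination limiter


@dataclass
class Zombie:
    """A Linux host on which every UDP port we touch is closed."""
    credit: int = ICMP_MSGS_BURST              # global burst budget left
    stamp: float = 0.0                         # time of the last refill
    peers: dict = field(default_factory=dict)  # per-destination buckets

    def _global_allow(self, now):
        delta = min(now - self.stamp, 1.0)
        if delta >= REFILL_SLICE:
            incr = int(ICMP_MSGS_PER_SEC * delta)
            if incr:
                self.credit = min(self.credit + incr, ICMP_MSGS_BURST)
                self.stamp = now
        if self.credit == 0:
            return False
        self.credit -= 1
        return True

    def _per_host_allow(self, dst, now):
        cap = PER_HOST_BURST * ICMP_RATELIMIT
        tokens, last = self.peers.get(dst, (cap, now))  # fresh peers start full
        tokens = min(tokens + (now - last), cap)
        ok = tokens >= ICMP_RATELIMIT
        if ok:
            tokens -= ICMP_RATELIMIT
        self.peers[dst] = (tokens, now)
        return ok

    def recv_udp(self, src, now):
        """UDP datagram from src to a closed port: True if the zombie sends
        ICMP Destination Unreachable back to src. The global check runs first
        and spends a token even when the per-destination check then drops."""
        if not self._global_allow(now):
            return False
        return self._per_host_allow(src, now)

    def recv_icmp(self, src, now):
        """An ICMP error never triggers another ICMP error."""
        return False


@dataclass
class Target:
    open_ports: set

    def recv_udp(self, dst_port):
        """'udp' if a service answers the probe, 'icmp' (port unreachable) if not."""
        return "udp" if dst_port in self.open_ports else "icmp"


def idle_scan(target, zombie, udp_port, decoys=None, gap=0.0001):
    """Run the six-step exchange; gap is the spacing between packets in seconds.
    Returns 'open' or 'closed' (a target that drops the probe also reads closed)."""
    if decoys is None:  # one spoofed source per filler probe (placeholder addresses)
        decoys = [f"198.51.100.{i}" for i in range(1, ICMP_MSGS_BURST)]
    assert len(decoys) == ICMP_MSGS_BURST - 1
    now = 0.0
    # 1. S(Z) -> T: probe $UDPPORT, spoofed from Z's address
    reply = target.recv_udp(udp_port)
    # 2. S -> Z: burn all but one token of Z's global budget
    for src in decoys:
        now += gap
        zombie.recv_udp(src, now)
    # 3./4. T -> Z, and Z -> T only if T answered with UDP
    now += gap
    if reply == "udp":
        zombie.recv_udp("T", now)
    else:
        zombie.recv_icmp("T", now)
    # 5./6. S -> Z from the scanner's own address; read the side channel
    now += gap
    return "closed" if zombie.recv_udp("S", now) else "open"
```

Run `idle_scan(Target({5060}), Zombie(), 5060)` for the open case and the same call with port 5061 for the closed case; pass `decoys=["S"] * 49` or `gap=0.025` to reproduce the two failure modes described in the lead-in. A fresh `Zombie()` is needed per run, since the scan deliberately leaves its bucket empty.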