Send a UDP datagram to the target port. If the target answers with an "ICMP port unreachable" message, the port is closed; if no such message comes back, the port is assumed to be open, although it may just as well be filtered. Because UDP is connectionless, the accuracy of this technique depends heavily on network conditions and on the resources of the systems involved. Moreover, if the target applies extensive packet filtering, a UDP scan becomes very slow, since the scanner has to wait out a timeout for every port that stays silent. If you want to UDP-scan hosts across the Internet, you cannot expect reliable results.
Port numbers 0 through 1023 are the well-known ports. On most systems only privileged processes (root or an administrator) may bind them, so they are normally reserved for system services. A service listening on a well-known port therefore often runs with elevated privileges, and an attacker who exploits it can potentially gain control of the server.
To map a network before compromising it, attackers use several generic port-scanning schemes. The following examples focus on TCP and UDP scanning:
TCP connect() scanning is the most basic form of TCP scanning. The attacker's host issues a connect() system call to every interesting port on the target machine. If the port is listening, connect() succeeds because the three-way handshake completes; if the port is closed, the target answers with a RST and connect() fails; if nothing comes back at all, a packet filter is most likely dropping the probe. This scheme is fast and needs no special privileges, since it uses only the ordinary sockets API. The drawback is that every probe completes a full connection, so the target's services and logs record the scanner's address, and the scan is easy to detect and block at the target system.
UDP Internet Control Message Protocol (ICMP) port unreachable scanning is one of the few UDP scans. UDP is a connectionless protocol, so it is harder to scan than TCP because UDP ports are not required to respond to probes. Most implementations generate an ICMP port unreachable error when a user (or intruder) sends a packet to a closed UDP port; thus, a lack of a response is taken as an indication of an active port. Unfortunately, UDP port scanning is not as reliable as TCP port scanning. If a firewall between you and the target blocks UDP traffic by simply dropping the packet and sending no response, the scan will report every filtered port as open. A silent probe is therefore better recorded as open|filtered, and only a protocol-specific payload that provokes a reply (a DNS query to port 53, an SNMP request to port 161, and so on) can confirm that such a port is actually open. Many operating systems, Linux among them, also rate-limit the ICMP errors they send, which is one more reason UDP scans are slow.
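As an added illustration of the two schemes above (example code, not from the original page), the following minimal scanner implements both the connect() probe and the UDP probe and runs them against constructed loopback listeners that stand in for a target host. The function names (tcp_connect_scan, udp_scan, demo) and the local fixtures are assumptions of this example. The UDP part relies on the kernel reporting an incoming ICMP port unreachable on a connected UDP socket as ECONNREFUSED (ECONNRESET on Windows), which is what lets an unprivileged scanner tell a closed port from a silent one without raw sockets.

```python
import socket
import threading

TIMEOUT = 1.0  # seconds to wait for an answer before giving up on a probe


def tcp_connect_scan(host, port, timeout=TIMEOUT):
    """connect() probe: the kernel runs the full three-way handshake, so the
    target sees (and can log) a complete connection. Returns 'open',
    'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # SYN-ACK received, handshake completed
    except ConnectionRefusedError:
        return "closed"      # target answered the SYN with a RST
    except socket.timeout:
        return "filtered"    # neither SYN-ACK nor RST: something dropped the SYN
    finally:
        s.close()


def udp_scan(host, port, payload=b"\x00", timeout=TIMEOUT, retries=2):
    """UDP probe without raw sockets. On a connected UDP socket an incoming
    ICMP port unreachable surfaces as a ConnectionError on the next
    send()/recv(); silence is ambiguous and is reported as 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(1024)
                return "open"          # the service replied to our payload
            except ConnectionError:
                return "closed"        # ICMP port unreachable came back
            except socket.timeout:
                continue               # datagram lost or ICMP rate-limited: retry
        return "open|filtered"         # no reply and no ICMP error: cannot tell
    finally:
        s.close()


# Constructed fixtures (assumed for this example) so the scan runs offline.

def free_port():
    """Let the kernel pick an unused port and release it again: nothing
    listens there, so it behaves as a closed port for both TCP and UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_tcp_listener():
    """Listening TCP socket; the kernel completes handshakes into the backlog
    even though nobody ever calls accept()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


def start_silent_udp_listener():
    """Bound UDP socket that never answers, like a daemon ignoring junk input;
    from the outside it looks exactly like a port behind a dropping firewall."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def start_udp_echo_listener():
    """UDP service that echoes every datagram, so any payload proves it open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        try:
            while True:
                data, peer = s.recvfrom(1024)
                s.sendto(data, peer)
        except OSError:
            pass  # socket closed by the caller

    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


def demo():
    """Scan the fixtures and return the label the scanner assigns to each."""
    tcp_sock, tcp_port = start_tcp_listener()
    quiet_sock, quiet_port = start_silent_udp_listener()
    echo_sock, echo_port = start_udp_echo_listener()
    closed_port = free_port()
    try:
        return {
            "tcp listener": tcp_connect_scan("127.0.0.1", tcp_port),
            "tcp closed": tcp_connect_scan("127.0.0.1", closed_port),
            "udp silent": udp_scan("127.0.0.1", quiet_port),
            "udp echo": udp_scan("127.0.0.1", echo_port),
            "udp closed": udp_scan("127.0.0.1", closed_port),
        }
    finally:
        for sock in (tcp_sock, quiet_sock, echo_sock):
            sock.close()


if __name__ == "__main__":
    for target, state in demo().items():
        print(f"{target:13s} -> {state}")
```

The silent UDP listener and a firewall that drops UDP produce the same result, open|filtered, which is why the scanner never labels a silent port plain "open"; only the echo service, which answers the probe, earns that label. Against a real target you would replace the one-byte payload with a request the expected service answers, and remember that the connect() probes leave accepted connections in the target's logs.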