ICMP-based False Alarms

Explanation: The Data Flood, System Log Flood, and Rwhod-based exploits explicitly rely on the Internet Control Message Protocol (ICMP) for positive identification.

The ICMP protocol is a messaging protocol designed to exchange information between hosts, gateways, and networks connected by Internet Protocol (IP). ICMP messages are sent in several situations: when a datagram cannot reach its destination, or when a gateway can direct a host to send network traffic via a shorter route, etc.

ICMP relies on the basic services offered by IP to send and deliver messages, but it is not considered an independent higher-level protocol. Instead, ICMP is considered an integral part of IP and must be included with every IP implementation. The problem is that ICMP is not a reliable protocol: if a message is not delivered correctly to a particular host, ICMP will not resend it.

Internet Scanner uses the ICMP protocol to detect whether selected User Datagram Protocol (UDP)-based services or daemons are available on selected target hosts. This is achieved by sending a series of UDP packets to the port that the service or daemon is bound to, and then listening for a response. If the target host responds with an ICMP port unreachable message, then it can be assumed that the service or daemon is unavailable.

If no ICMP port unreachable message is received, Internet Scanner assumes that either a service or daemon is bound to the selected port, or the ICMP message was lost in transit. Loss is possible, for example, when intermittent network problems occur, or when scanning through firewalls that block the transmission of specific ICMP messages. Since it is impossible to reliably differentiate between these two conditions, Internet Scanner can incorrectly assume that a particular service or daemon is available, which under certain conditions leads to a false positive.

In an effort to reduce false alarms, Internet Scanner incorporates the following checks:

  1. Before probing a particular port, Internet Scanner first probes a series of low, mid, and high port ranges to determine whether the target host issues ICMP port unreachable messages at all. If no such messages are received, Internet Scanner assumes that the target host does not issue them under any conditions and disables any exploit checks that directly rely on receiving these messages.

  2. When probing a particular port, Internet Scanner sends multiple UDP packets over a selected time period. This increases the chances of receiving an ICMP port unreachable message that may be lost due to intermittent network problems.
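The following is an added illustration, not Internet Scanner code: it models the UDP probe / ICMP port unreachable inference described above together with both false-alarm checks (the low/mid/high calibration probe and the repeated datagrams per port), and runs it against constructed stand-ins for a normal host, a host behind an ICMP-blocking firewall, and a lossy path. The calibration port numbers, the `SimHost` model and its deterministic loss pattern are assumptions chosen for the demonstration.

```python
"""Added example: UDP-probe / ICMP "port unreachable" inference with the two
false-alarm checks (calibration and retries), run against simulated hosts.
This is illustrative code, not Internet Scanner's implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Reply(Enum):
    """What the prober observes after sending one UDP datagram."""
    PORT_UNREACHABLE = "icmp type 3 code 3"  # nothing is bound to that port
    SILENCE = "timeout"                      # nothing came back before the timer expired
    DATA = "udp payload"                     # the service answered: unambiguously open


class Verdict(Enum):
    CLOSED = "closed"
    OPEN = "open"
    OPEN_OR_FILTERED = "open|filtered"  # silence: bound service OR lost/blocked ICMP
    INCONCLUSIVE = "inconclusive"       # host never emits unreachables; check disabled


# A probe function sends one datagram to a port and returns what came back.
ProbeFn = Callable[[int], Reply]

# Hypothetical stand-ins for the "low, mid, and high port ranges" in the text.
CALIBRATION_PORTS = (7, 33434, 65000)


def host_emits_unreachables(probe: ProbeFn, packets_per_probe: int) -> bool:
    """Check 1: does this host ever answer a closed UDP port with port unreachable?"""
    return any(
        probe(port) is Reply.PORT_UNREACHABLE
        for port in CALIBRATION_PORTS
        for _ in range(packets_per_probe)
    )


def classify_port(probe: ProbeFn, port: int, packets_per_probe: int) -> Verdict:
    """Check 2: send several datagrams; one unreachable proves the port is closed."""
    for _ in range(packets_per_probe):
        reply = probe(port)
        if reply is Reply.PORT_UNREACHABLE:
            return Verdict.CLOSED
        if reply is Reply.DATA:
            return Verdict.OPEN
    return Verdict.OPEN_OR_FILTERED  # the ambiguous case behind the false positives


def scan(probe: ProbeFn, ports, packets_per_probe: int = 3) -> dict:
    """Calibrate first; if the host is silent everywhere, refuse to guess."""
    if not host_emits_unreachables(probe, packets_per_probe):
        return {p: Verdict.INCONCLUSIVE for p in ports}
    return {p: classify_port(probe, p, packets_per_probe) for p in ports}


@dataclass
class SimHost:
    """Constructed stand-in for a target plus the path to it (no real sockets)."""
    open_ports: frozenset = frozenset()
    icmp_blocked: bool = False      # firewall drops every ICMP unreachable
    lose_odd_replies: bool = False  # deterministic stand-in for intermittent loss
    _replies_sent: int = field(default=0, init=False)

    def probe(self, port: int) -> Reply:
        if port in self.open_ports:
            return Reply.SILENCE  # most UDP daemons ignore an unexpected payload
        if self.icmp_blocked:
            return Reply.SILENCE
        self._replies_sent += 1
        if self.lose_odd_replies and self._replies_sent % 2 == 1:
            return Reply.SILENCE  # the unreachable was generated but never arrived
        return Reply.PORT_UNREACHABLE


if __name__ == "__main__":
    # DNS bound, SNMP not: the ambiguous and the closed port are told apart.
    print(scan(SimHost(frozenset({53})).probe, [53, 161]))
    # ICMP-blocking firewall: check 1 disables the verdicts instead of guessing.
    print(scan(SimHost(frozenset({53}), icmp_blocked=True).probe, [53, 161]))
    # Lossy path with one packet per probe: closed 161 is misread as open|filtered.
    print(scan(SimHost(lose_odd_replies=True).probe, [161], packets_per_probe=1))
    # Same path with three packets per probe recovers the correct answer.
    print(scan(SimHost(lose_odd_replies=True).probe, [161], packets_per_probe=3))
```

The last two calls show why the remedy below works: with a single datagram per probe, one lost unreachable is enough to turn a closed port into an `open|filtered` verdict, while three datagrams per probe give the reply a second chance to arrive. Each `SimHost` must be freshly constructed per scan, since its loss pattern is keyed to the number of replies it has generated.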

Remedy: Increase the number of UDP packets sent to the selected port per probe. This can be done by adjusting the values in Common Settings > UDP Port Scanner.