The lack of structure in UDP makes data transfers fast because UDP lacks the overhead of a data acknowledgment scheme like the one in TCP. But that lack of structure also means that UDP has no built-in mechanism for convincing a system to stop sending UDP packets.
UDP stacks do, however, utilize ICMP as a rudimentary response mechanism: If a UDP packet is sent to a port where no UDP server is listening (and the packet is not intercepted by a firewall first), then an ICMP Port Unreachable message is usually sent in return. For example, if we allow UDP packets to port 5001 through the iptables firewall but do not bind a UDP server to this port, we see the ICMP Port Unreachable message returned to the UDP client, as shown in bold below:
[iptablesfw]# iptables -I INPUT 1 -p udp --dport 5001 -j ACCEPT [ext_scanner]$ echo -n "aaaa" | nc -u 71.157.X.X 5001 [iptablesfw]# tcpdump -i eth0 -l -nn port 5001
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 15:12:30.119336 IP 144.202.X.X.40503 > 71.157.X.X.5001: UDP, length 4 15:12:30.119360 IP 71.157.X.X > 144.202.X.X: ICMP 71.157.X.X udp port 5001 unreachable, length 40
6 Deploying SYN cookies requires either that the local TCP stack supports SYN cookies or that a separate inline device can proxy TCP connections through a stack that supports them.
Intrusion detection systems and firewalls can also generate ICMP Port Unreachable messages in response to UDP traffic. The iptables REJECT target supports this response with the --reject-with icmp-port-unreachable command-line argument. For example, the following rule sends an ICMP Port Unreachable message upon receiving a UDP packet at port 5001, and (as with all packets generated by iptables) the ICMP Port Unreachable message is manufactured from within the kernel before the UDP stack ever has a chance to see it. With this rule in place on the firewall, it does not matter whether a UDP server is bound to port 5001 or not. To demonstrate this point, we'll start a UDP server listening on port 5001 on the firewall at before sending the UDP packet from the client, and we'll show at © that an ICMP message is sent even though the server is bound to the port:
[iptablesfw]# iptables -I INPUT 1 -p udp --dport 5001 -j REJECT --reject-with icmp-port-unreachable
[ext_scanner]$ echo -n "aaaa" | nc -u 71.157.X.X 5001 [iptablesfw]# tcpdump -i eth0 -l -nn port 5001
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 15:28:55.949157 IP 144.202.X.X.31726 > 71.157.X.X.5001: UDP, length 4 15:28:55.949264 IP 71.157.X.X > 144.202.X.X: ©ICMP 71.157.X.X udp port 5001 unreachable, length 40
Was this article helpful?