
I am trying to understand the differences between TCP and UDP packets with regard to error checking. I know that UDP packets are connectionless and don't care whether the packet arrives at the destination safely, and that TCP is the opposite of UDP.

My question is: if a packet is sent to a closed port of a remote host, what action will take place for UDP and TCP packets?

UDP packet - response with an ICMP message (Code 3)? TCP packet - response with a RST packet?

ebyrock

3 Answers


According to the RFC 793 Reset Generation rules:

As a general rule, reset (RST) must be sent whenever a segment arrives
which apparently is not intended for the current connection.  A reset
must not be sent if it is not clear that this is the case.

There are three groups of states:

 1.  If the connection does not exist (CLOSED) then a reset is sent
 in response to any incoming segment except another reset.  In
 particular, SYNs addressed to a non-existent connection are rejected
 by this means.

Since the port is closed (not listening or communicating) there are no connections, and because of that TCP is supposed to reply with a RST packet.

RFC 768 for UDP does not specify any action on a closed port but the ICMP RFC 792 specifies a message Type 3 Code 3, Destination Unreachable: Destination port unreachable that may be sent.

However, ports only actually do this if they are unfiltered. Filtered connections do not reply at all and simply drop the packet. Filtering is usually done by any firewall worthy of the name, since it makes attackers' jobs harder by providing less information.

Anders J
  • I'm not sure whether it makes an attacker's job harder. Gibson aka 'Mr Stealth' got a lot of flak for calling that 'stealth' as if it was more secure (and spread FUD re closed ports). If somebody tried to attack a host that didn't exist, I think they might get a response that it doesn't exist, so if a packet leaves and no response is given, that indicates that something is there. According to what I read once, anyway. There is a lot of criticism of Gibson but it tends to get removed any time it's written here. E.g. http://chat.stackexchange.com/transcript/14589/2014/5/18/23-24 – barlop Jun 03 '14 at 17:07
  • @barlop I stumbled on the Gibson page of Attrition.org yesterday. Some of the things there were really damaging to my opinion of him. I removed the line where I referred to Shield's Up. Anyway, most routers follow the ICMP RFC and send a Host Unreachable message if the host doesn't exist. An attacker still wouldn't know exactly where the packet got filtered / dropped. All he'd know is that the host exists. – Anders J Jun 13 '14 at 15:15
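As an added example (not code from the answer or any of the posters), the following Python decodes the two replies the answer describes, a TCP segment with RST set per RFC 793 and an ICMP type 3 / code 3 message per RFC 792 that quotes the original IP and UDP headers, and treats "nothing came back" as the filtered case. The sample packets, addresses and ports are constructed test fixtures, not captured traffic.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3   # RFC 792 type / code
TCP_RST = 0x04                                 # RFC 793 flag bit (byte 13)

def build_icmp_port_unreachable(src_ip, dst_ip, sport, dport):
    """Constructed fixture: ICMP type 3 / code 3 quoting the original IP header
    plus the first 8 bytes (the whole UDP header) of the datagram that hit a closed port."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)             # ports, length, checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    return icmp_hdr + ip_hdr + udp_hdr

def build_tcp_rst_ack(sport, dport, ack):
    """Constructed fixture: the RST+ACK segment a closed TCP port answers a SYN with."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, ack, 5 << 4, TCP_RST | 0x10, 0, 0, 0)

def parse_icmp_unreachable(pkt):
    """Decode an ICMP Destination Unreachable message and recover the quoted 5-tuple."""
    if len(pkt) < 8 or pkt[0] != ICMP_DEST_UNREACH:
        return None
    inner = pkt[8:]                              # quoted original IP datagram
    ihl = (inner[0] & 0x0F) * 4                  # inner IP header length in bytes
    if len(inner) < ihl + 4:                     # need at least source and destination port
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": pkt[1], "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport, "port_unreachable": pkt[1] == ICMP_PORT_UNREACH}

def tcp_is_rst(segment):
    """True if the TCP flags byte has RST set."""
    return bool(segment[13] & TCP_RST)

def classify_reply(reply):
    """Map a captured reply to the port state the answer describes.
    reply is None (nothing came back), ("tcp", bytes) or ("icmp", bytes)."""
    if reply is None:
        return "no reply: filtered or dropped"
    kind, data = reply
    if kind == "tcp" and tcp_is_rst(data):
        return "closed: TCP RST"
    if kind == "icmp":
        info = parse_icmp_unreachable(data)
        if info and info["port_unreachable"]:
            return "closed: ICMP port unreachable for UDP port %d" % info["dport"]
    return "other reply (e.g. SYN/ACK from an open port)"
```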

With UDP you may see in Wireshark:

52081 14:12:05.897100 37.xxx.xxx.xxx 5060 port-xxxx.xxxnet.de ICMP 406 47445 Destination unreachable (Port unreachable)

Port here is 47445. 37.xxx.xxx.xxx is your IP, port-xxxx.xxxnet.de the server that is trying.


It's worth mentioning that, even if a server UDP port is closed, you can still observe UDP packets sent from a client to that closed port.

Try:

Server:

sudo tcpdump -n -i eth0 udp and dst port 8080 -X

Replace eth0 with your own network interface and 8080 with the closed port on the server side.

Client:

echo "send from client, udp protocol" | nc -u [server ip] 8080
Rick