Home > CAPEC List > CAPEC-298: UDP Ping (Version 2.11)  

CAPEC-298: UDP Ping

UDP Ping
Definition in a New Window Definition in a New Window
Attack Pattern ID: 298
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an ICMP port unreachable message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ' ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. A UDP Ping has the following characteristics:

  • 1. Host Discovery: Can be used to discover if a host is alive via ICMP Port Unreachable Messages.
  • 2. Effective Against: Firewalls that allow some incoming UDP which are not configured to block egress ICMP messages.
  • 3. Weak Against: Firewalls properly configured to block UDP datagrams that are also block egress ICMP messages.
  • 4. Port State: Able to determine if a port is closed via ICMP Port Unreachable Messages.
+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

+ Attack Prerequisites
  • The ability to send a UDP datagram to a remote host and receive a response.

+ Typical Severity


+ Resources Required

The ability to craft custom UDP Packets for use during network reconnaissance. UDP pings can be performed via the use of a port scanner or by raw socket manipulation using a scripting or programming language. Packet injection tools are also useful for this purpose. Depending upon the technique used it may also be necessary to sniff the network in order to see the response.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
"Varies by context"
Bypass protection mechanism
Hide activities
+ References
[R.298.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 47. 6th Edition. McGraw Hill. 2009.
[R.298.2] [REF-27] J. Postel. "RFC768 - User Datagram Protocol". August 28, 1980. <http://www.faqs.org/rfcs/rfc768.html>.
[R.298.3] [REF-28] Mark Wolfgang. "Host Discovery with Nmap". November 2002. <http://nmap.org/docs/discovery.pdf>.
[R.298.4] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.6.3 TCP UDP Ping, pg. 63. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017