Name |
UDP Ping |
|
Likelyhood of attack |
Typical severity |
High |
Low |
|
Summary |
An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an 'ICMP port unreachable' message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts. |
Prerequisites |
The adversary requires the ability to send a UDP datagram to a remote host and receive a response. The adversary requires the ability to craft custom UDP Packets for use during network reconnaissance. The target's firewall must not be configured to block egress ICMP messages. |
Solutions | Configure your firewall to block egress ICMP messages. |
Related Weaknesses |
CWE ID
|
Description
|
CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-292 |
An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses. |
|