Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Security > How do firewalls react to UDP port scans?

Reply
Thread Tools

How do firewalls react to UDP port scans?

 
 
smerf
Guest
Posts: n/a
 
      10-01-2006
I am trying to write a freeware client/server program that needs to scan the
server's ports for the server's open UDP port.

Before I get too deep into this, are there any problems that I need to know
of if I send a probe UDP packet that looks for the server to all ports on at
the server's target IP?

The reason I am asking is that some users of this freeware server will be
behind NATs and I may have to probe for the external port assigned to the
internal server by the NAT device. The client would send an encrypted
string that the server would know how to respond to. If this encrypted
value is not what the server expected, no communication would take place.

Any help you can give would be greatly appreciated.


 
Reply With Quote
 
 
 
 
karl levinson, mvp
Guest
Posts: n/a
 
      10-01-2006

"smerf" <(E-Mail Removed)> wrote in message
newsrFTg.16014$(E-Mail Removed).. .
>I am trying to write a freeware client/server program that needs to scan
>the server's ports for the server's open UDP port.
>
> Before I get too deep into this, are there any problems that I need to
> know of if I send a probe UDP packet that looks for the server to all
> ports on at the server's target IP?


Send one UDP packet to scan all ports? I'm not sure this is possible the
way you have described it.

> The reason I am asking is that some users of this freeware server will be
> behind NATs and I may have to probe for the external port assigned to the
> internal server by the NAT device. The client would send an encrypted
> string that the server would know how to respond to. If this encrypted
> value is not what the server expected, no communication would take place.


Most client/server apps more typically will require you to either manually
configure the NAT firewall so that it will work, or know how the NAT is
configured and manually configure the client and server so it will work.
Most client/server apps also more typically have a standard port number for
the server that is recommended to be configured as a static port number in
NAT.

How is the NAT set up? Are you sure the server's port will change to an
unknown value during the NAT? How is it that the NAT port being used is not
already known? I would expect the client's source port to change
dynamically, but the server's destination port to be known by whoever
configured the NAT.


 
Reply With Quote
 
 
 
 
smerf
Guest
Posts: n/a
 
      10-01-2006

"karl levinson, mvp" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "smerf" <(E-Mail Removed)> wrote in message
> newsrFTg.16014$(E-Mail Removed).. .
>>I am trying to write a freeware client/server program that needs to scan
>>the server's ports for the server's open UDP port.
>>
>> Before I get too deep into this, are there any problems that I need to
>> know of if I send a probe UDP packet that looks for the server to all
>> ports on at the server's target IP?

>
> Send one UDP packet to scan all ports? I'm not sure this is possible the
> way you have described it.


What I meant was that the server (behind NAT1) will be expecting an
encrypted value from the client (behind NAT2).

I would send this same encrypted info to all UDP ports on the server's known
external IP to get a valid connection to the server. Of couse this would
mean sending a packet for each possible port, but the packet contents would
all be the same.

Sorry for the confusion.

>> The reason I am asking is that some users of this freeware server will be
>> behind NATs and I may have to probe for the external port assigned to the
>> internal server by the NAT device. The client would send an encrypted
>> string that the server would know how to respond to. If this encrypted
>> value is not what the server expected, no communication would take place.

>
> Most client/server apps more typically will require you to either manually
> configure the NAT firewall so that it will work, or know how the NAT is
> configured and manually configure the client and server so it will work.
> Most client/server apps also more typically have a standard port number
> for the server that is recommended to be configured as a static port
> number in NAT.
>
> How is the NAT set up?


I will not know. Neither may the server operator. Think of it as a P2P app
using UDP behind NATs.

>Are you sure the server's port will change to an unknown value during the
>NAT?


I don't want the end user to have to configure firewalls or NATs. I want
this to be as simple as possible for them.

Being behind a NAT (and not setting up any manual port forwarding) means
that the NAT will choose an unused port at random for outbound UDP
connections (just like it does for HTTP connections when you surf the web).

So, the external port for the server will be unknown.

>How is it that the NAT port being used is not already known?


See above.

>I would expect the client's source port to change dynamically, but the
>server's destination port to be known by whoever configured the NAT.


I am really trying to make this as simple as possible by not requiring the
end users to set ports in their NAT or Firewall. Also, some people may want
to use the software but not have access to the NAT or Firewall to make
manual changes.


 
Reply With Quote
 
upendra108@gmail.com
Guest
Posts: n/a
 
      10-01-2006
testing

 
Reply With Quote
 
Holger Petersen
Guest
Posts: n/a
 
      10-01-2006
"smerf" <(E-Mail Removed)> writes:

>What I meant was that the server (behind NAT1) will be expecting an
>encrypted value from the client (behind NAT2).


Do you want to tr5y to 're-invent' a wheel?

http://linide.sourceforge.net/nat-traverse/

just asking, Holger
 
Reply With Quote
 
imhotep
Guest
Posts: n/a
 
      10-03-2006
smerf wrote:

> I am trying to write a freeware client/server program that needs to scan
> the server's ports for the server's open UDP port.
>
> Before I get too deep into this, are there any problems that I need to
> know of if I send a probe UDP packet that looks for the server to all
> ports on at the server's target IP?
>
> The reason I am asking is that some users of this freeware server will be
> behind NATs and I may have to probe for the external port assigned to the
> internal server by the NAT device. The client would send an encrypted
> string that the server would know how to respond to. If this encrypted
> value is not what the server expected, no communication would take place.
>
> Any help you can give would be greatly appreciated.



Your answer is determined by the question of, is this static or dynamic NAT
you are talking about?

If it is dynamic, like the majority, but not all, NAT implementations, you
won't be able to scan as the ports are added to firewalls nat table in a
dynamic "client port" -> "firewall's external port" mapping. In other words
in Dynamic NAT configurations there is no incoming access allowed (Internet
to internal pc), generally speaking (there are special proxy ports to allow
some protocols to function correctly).

That is, if I fully understand your question. No guarantee there...

Imhotep
 
Reply With Quote
 
imhotep
Guest
Posts: n/a
 
      10-03-2006
smerf wrote:

>
> "karl levinson, mvp" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> "smerf" <(E-Mail Removed)> wrote in message
>> newsrFTg.16014$(E-Mail Removed).. .
>>>I am trying to write a freeware client/server program that needs to scan
>>>the server's ports for the server's open UDP port.
>>>
>>> Before I get too deep into this, are there any problems that I need to
>>> know of if I send a probe UDP packet that looks for the server to all
>>> ports on at the server's target IP?

>>
>> Send one UDP packet to scan all ports? I'm not sure this is possible the
>> way you have described it.

>
> What I meant was that the server (behind NAT1) will be expecting an
> encrypted value from the client (behind NAT2).
>
> I would send this same encrypted info to all UDP ports on the server's
> known
> external IP to get a valid connection to the server. Of couse this would
> mean sending a packet for each possible port, but the packet contents
> would all be the same.


Are you trying to do this to find the "secret" port???

> Sorry for the confusion.
>
>>> The reason I am asking is that some users of this freeware server will
>>> be behind NATs and I may have to probe for the external port assigned to
>>> the
>>> internal server by the NAT device. The client would send an encrypted
>>> string that the server would know how to respond to. If this encrypted
>>> value is not what the server expected, no communication would take
>>> place.

>>
>> Most client/server apps more typically will require you to either
>> manually configure the NAT firewall so that it will work, or know how the
>> NAT is configured and manually configure the client and server so it will
>> work. Most client/server apps also more typically have a standard port
>> number for the server that is recommended to be configured as a static
>> port number in NAT.
>>
>> How is the NAT set up?

>
> I will not know. Neither may the server operator. Think of it as a P2P
> app using UDP behind NATs.
>
>>Are you sure the server's port will change to an unknown value during the
>>NAT?

>
> I don't want the end user to have to configure firewalls or NATs. I want
> this to be as simple as possible for them.
>
> Being behind a NAT (and not setting up any manual port forwarding) means
> that the NAT will choose an unused port at random for outbound UDP
> connections (just like it does for HTTP connections when you surf the
> web).


Correct...

> So, the external port for the server will be unknown.


It will be dynamic...

>>How is it that the NAT port being used is not already known?

>
> See above.
>
>>I would expect the client's source port to change dynamically, but the
>>server's destination port to be known by whoever configured the NAT.

>
> I am really trying to make this as simple as possible by not requiring the
> end users to set ports in their NAT or Firewall. Also, some people may
> want to use the software but not have access to the NAT or Firewall to
> make manual changes.



Honestly, I think you will need a server in the middle. For example,
Client-A connects Internet-Server-A then Client-B connects to
Internet-Server-A, Next, they can use the Internet-Server-A as a kind of
packet proxy (for lack of a better techie word)...

This would allow you to not force any users to reconfigure their NAT
Routers, etc and would be seemless...


Just a thought...


Imhotep
 
Reply With Quote
 
smerf
Guest
Posts: n/a
 
      10-04-2006
You are quite right. It's called a packet relay server.....and it looks
like I'll be coding one.

"imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> smerf wrote:
>
>>
>> "karl levinson, mvp" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>>
>>> "smerf" <(E-Mail Removed)> wrote in message
>>> newsrFTg.16014$(E-Mail Removed).. .
>>>>I am trying to write a freeware client/server program that needs to scan
>>>>the server's ports for the server's open UDP port.
>>>>
>>>> Before I get too deep into this, are there any problems that I need to
>>>> know of if I send a probe UDP packet that looks for the server to all
>>>> ports on at the server's target IP?
>>>
>>> Send one UDP packet to scan all ports? I'm not sure this is possible
>>> the
>>> way you have described it.

>>
>> What I meant was that the server (behind NAT1) will be expecting an
>> encrypted value from the client (behind NAT2).
>>
>> I would send this same encrypted info to all UDP ports on the server's
>> known
>> external IP to get a valid connection to the server. Of couse this would
>> mean sending a packet for each possible port, but the packet contents
>> would all be the same.

>
> Are you trying to do this to find the "secret" port???
>
>> Sorry for the confusion.
>>
>>>> The reason I am asking is that some users of this freeware server will
>>>> be behind NATs and I may have to probe for the external port assigned
>>>> to
>>>> the
>>>> internal server by the NAT device. The client would send an encrypted
>>>> string that the server would know how to respond to. If this encrypted
>>>> value is not what the server expected, no communication would take
>>>> place.
>>>
>>> Most client/server apps more typically will require you to either
>>> manually configure the NAT firewall so that it will work, or know how
>>> the
>>> NAT is configured and manually configure the client and server so it
>>> will
>>> work. Most client/server apps also more typically have a standard port
>>> number for the server that is recommended to be configured as a static
>>> port number in NAT.
>>>
>>> How is the NAT set up?

>>
>> I will not know. Neither may the server operator. Think of it as a P2P
>> app using UDP behind NATs.
>>
>>>Are you sure the server's port will change to an unknown value during the
>>>NAT?

>>
>> I don't want the end user to have to configure firewalls or NATs. I want
>> this to be as simple as possible for them.
>>
>> Being behind a NAT (and not setting up any manual port forwarding) means
>> that the NAT will choose an unused port at random for outbound UDP
>> connections (just like it does for HTTP connections when you surf the
>> web).

>
> Correct...
>
>> So, the external port for the server will be unknown.

>
> It will be dynamic...
>
>>>How is it that the NAT port being used is not already known?

>>
>> See above.
>>
>>>I would expect the client's source port to change dynamically, but the
>>>server's destination port to be known by whoever configured the NAT.

>>
>> I am really trying to make this as simple as possible by not requiring
>> the
>> end users to set ports in their NAT or Firewall. Also, some people may
>> want to use the software but not have access to the NAT or Firewall to
>> make manual changes.

>
>
> Honestly, I think you will need a server in the middle. For example,
> Client-A connects Internet-Server-A then Client-B connects to
> Internet-Server-A, Next, they can use the Internet-Server-A as a kind of
> packet proxy (for lack of a better techie word)...
>
> This would allow you to not force any users to reconfigure their NAT
> Routers, etc and would be seemless...
>
>
> Just a thought...
>
>
> Imhotep



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: How include a large array? Edward A. Falk C Programming 1 04-04-2013 08:07 PM
Re: Listen in promiscuous mode (Sniffer) on UDP port 162 and copypacketsto another port Gerald Klix Python 0 10-26-2005 08:11 AM
Buttons Do Not React =?Utf-8?B?SmltIEhlYXZleQ==?= ASP .Net 2 07-06-2004 05:04 AM
udp (0) -> udp (0) traffic ? Tom Cisco 2 03-04-2004 06:06 PM
How do I react on a posted article? Luc Computer Support 8 09-20-2003 01:16 AM



Advertisments