How do firewalls react to UDP port scans?

Discussion in 'Computer Security' started by smerf, Oct 1, 2006.

  1. smerf

    smerf Guest

    I am trying to write a freeware client/server program that needs to scan the
    server's ports for the server's open UDP port.

    Before I get too deep into this, are there any problems that I need to know
    of if I send a probe UDP packet that looks for the server to all ports on at
    the server's target IP?

    The reason I am asking is that some users of this freeware server will be
    behind NATs and I may have to probe for the external port assigned to the
    internal server by the NAT device. The client would send an encrypted
    string that the server would know how to respond to. If this encrypted
    value is not what the server expected, no communication would take place.

    Any help you can give would be greatly appreciated.
     
    smerf, Oct 1, 2006
    #1

  2. "smerf" <> wrote in message
    news:xrFTg.16014$...
    >I am trying to write a freeware client/server program that needs to scan
    >the server's ports for the server's open UDP port.
    >
    > Before I get too deep into this, are there any problems that I need to
    > know of if I send a probe UDP packet that looks for the server to all
    > ports on at the server's target IP?


    Send one UDP packet to scan all ports? I'm not sure this is possible the
    way you have described it.

    > The reason I am asking is that some users of this freeware server will be
    > behind NATs and I may have to probe for the external port assigned to the
    > internal server by the NAT device. The client would send an encrypted
    > string that the server would know how to respond to. If this encrypted
    > value is not what the server expected, no communication would take place.


    Most client/server apps more typically will require you to either manually
    configure the NAT firewall so that it will work, or know how the NAT is
    configured and manually configure the client and server so it will work.
    Most client/server apps also more typically have a standard port number for
    the server that is recommended to be configured as a static port number in
    NAT.

    How is the NAT set up? Are you sure the server's port will change to an
    unknown value during the NAT? How is it that the NAT port being used is not
    already known? I would expect the client's source port to change
    dynamically, but the server's destination port to be known by whoever
    configured the NAT.
     
    karl levinson, mvp, Oct 1, 2006
    #2

  3. smerf

    smerf Guest

    "karl levinson, mvp" <> wrote in message
    news:...
    >
    > "smerf" <> wrote in message
    > news:xrFTg.16014$...
    >>I am trying to write a freeware client/server program that needs to scan
    >>the server's ports for the server's open UDP port.
    >>
    >> Before I get too deep into this, are there any problems that I need to
    >> know of if I send a probe UDP packet that looks for the server to all
    >> ports on at the server's target IP?

    >
    > Send one UDP packet to scan all ports? I'm not sure this is possible the
    > way you have described it.


    What I meant was that the server (behind NAT1) will be expecting an
    encrypted value from the client (behind NAT2).

    I would send this same encrypted info to all UDP ports on the server's known
    external IP to get a valid connection to the server. Of course this would
    mean sending a packet for each possible port, but the packet contents would
    all be the same.

    Sorry for the confusion.

    >> The reason I am asking is that some users of this freeware server will be
    >> behind NATs and I may have to probe for the external port assigned to the
    >> internal server by the NAT device. The client would send an encrypted
    >> string that the server would know how to respond to. If this encrypted
    >> value is not what the server expected, no communication would take place.

    >
    > Most client/server apps more typically will require you to either manually
    > configure the NAT firewall so that it will work, or know how the NAT is
    > configured and manually configure the client and server so it will work.
    > Most client/server apps also more typically have a standard port number
    > for the server that is recommended to be configured as a static port
    > number in NAT.
    >
    > How is the NAT set up?


    I will not know. Neither may the server operator. Think of it as a P2P app
    using UDP behind NATs.

    >Are you sure the server's port will change to an unknown value during the
    >NAT?


    I don't want the end user to have to configure firewalls or NATs. I want
    this to be as simple as possible for them.

    Being behind a NAT (and not setting up any manual port forwarding) means
    that the NAT will choose an unused port at random for outbound UDP
    connections (just like it does for HTTP connections when you surf the web).

    So, the external port for the server will be unknown.

    >How is it that the NAT port being used is not already known?


    See above.

    >I would expect the client's source port to change dynamically, but the
    >server's destination port to be known by whoever configured the NAT.


    I am really trying to make this as simple as possible by not requiring the
    end users to set ports in their NAT or Firewall. Also, some people may want
    to use the software but not have access to the NAT or Firewall to make
    manual changes.
     
    smerf, Oct 1, 2006
    #3
  4. smerf

    Guest

    do not read, just a test.

    testing
     
    , Oct 1, 2006
    #4
  5. "smerf" <> writes:

    >What I meant was that the server (behind NAT1) will be expecting an
    >encrypted value from the client (behind NAT2).


    Do you want to try to 're-invent' a wheel?

    http://linide.sourceforge.net/nat-traverse/

    just asking, Holger
     
    Holger Petersen, Oct 1, 2006
    #5
  6. smerf

    imhotep Guest

    smerf wrote:

    > I am trying to write a freeware client/server program that needs to scan
    > the server's ports for the server's open UDP port.
    >
    > Before I get too deep into this, are there any problems that I need to
    > know of if I send a probe UDP packet that looks for the server to all
    > ports on at the server's target IP?
    >
    > The reason I am asking is that some users of this freeware server will be
    > behind NATs and I may have to probe for the external port assigned to the
    > internal server by the NAT device. The client would send an encrypted
    > string that the server would know how to respond to. If this encrypted
    > value is not what the server expected, no communication would take place.
    >
    > Any help you can give would be greatly appreciated.



    Your answer is determined by the question of, is this static or dynamic NAT
    you are talking about?

    If it is dynamic, like the majority, but not all, NAT implementations, you
    won't be able to scan, as the ports are added to the firewall's NAT table in a
    dynamic "client port" -> "firewall's external port" mapping. In other words,
    in dynamic NAT configurations there is no incoming access allowed (Internet
    to internal PC), generally speaking (there are special proxy ports to allow
    some protocols to function correctly).

    That is, if I fully understand your question. No guarantee there...

    Imhotep
     
    imhotep, Oct 3, 2006
    #6
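The two points made so far, smerf's (post #3) that a NAT with no port forwarding picks an unused external port for outbound UDP, and imhotep's that a dynamic NAT admits no inbound traffic unless a mapping already exists, can be checked against a small model. The following is an added example written for this thread, not code from any poster: a simulated NAT with a constructed mapping table and constructed addresses (203.0.113.x, 198.51.100.x, 192.168.1.x). The `restricted` flag is an assumption that models the usual address/port-restricted behaviour of consumer NATs beside the more permissive full-cone kind; `probe_all_ports` is the send-to-every-port idea from the thread, counted rather than actually transmitted.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class DynamicNat:
    """Constructed model of a dynamic NAT (NAPT) device, not any vendor's code.

    restricted=True models the common address/port-restricted behaviour: an
    inbound datagram to a mapped external port passes only if the internal host
    has already sent to that exact remote (ip, port). restricted=False models a
    full-cone NAT, where any remote host may use a mapped port once it exists.
    Ports with no mapping at all are dropped in both modes.
    """
    external_ip: str
    restricted: bool = True
    rng: random.Random = field(default_factory=lambda: random.Random(2006))
    dropped: int = 0
    # (internal ip, internal port) -> external port chosen by the NAT
    _outbound: Dict[Endpoint, int] = field(default_factory=dict)
    # external port -> (internal endpoint, remote endpoints it has contacted)
    _inbound: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def send_out(self, internal: Endpoint, remote: Endpoint) -> int:
        """Internal host sends a datagram out. On first use the NAT picks an
        unused external port at random (as the thread describes) and reuses
        it for that internal socket afterwards. Returns the external port."""
        ext = self._outbound.get(internal)
        if ext is None:
            ext = self.rng.randrange(1024, 65536)
            while ext in self._inbound:
                ext = self.rng.randrange(1024, 65536)
            self._outbound[internal] = ext
            self._inbound[ext] = (internal, set())
        self._inbound[ext][1].add(remote)
        return ext

    def receive_in(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Datagram arrives from the Internet for external_ip:ext_port.
        Returns the internal endpoint it is delivered to, or None if dropped."""
        entry = self._inbound.get(ext_port)
        if entry is None:
            self.dropped += 1          # no mapping: nothing to translate to
            return None
        internal, contacted = entry
        if self.restricted and remote not in contacted:
            self.dropped += 1          # mapped, but this peer was never contacted
            return None
        return internal


def probe_all_ports(nat: DynamicNat, client: Endpoint) -> Dict[str, int]:
    """The thread's idea: the same datagram to every UDP port of the server's
    external address. Returns how many the NAT delivered and how many it dropped."""
    before = nat.dropped
    delivered = sum(1 for port in range(1, 65536)
                    if nat.receive_in(client, port) is not None)
    return {"sent": 65535, "delivered": delivered, "dropped": nat.dropped - before}


def demo() -> Dict[str, int]:
    """Three scenarios; returns the number of probe datagrams delivered in each."""
    server = ("192.168.1.20", 5000)     # server behind NAT1 (constructed address)
    client = ("198.51.100.7", 40000)    # client's public endpoint (constructed)
    results: Dict[str, int] = {}

    # 1. Idle server behind a restricted NAT: no mapping exists, all probes dropped.
    nat = DynamicNat("203.0.113.10")
    results["idle_restricted"] = probe_all_ports(nat, client)["delivered"]

    # 2. Same NAT after the server has sent to this client first (which needs a
    #    rendezvous of some kind, the chicken-and-egg the thread ends up at):
    #    exactly one port, the dynamically chosen one, accepts the probe.
    nat.send_out(server, client)
    results["after_outbound_restricted"] = probe_all_ports(nat, client)["delivered"]

    # 3. Full-cone NAT: once the server has sent anywhere, its mapped port is
    #    reachable by anyone, so a blind probe can find it, but only that one port.
    cone = DynamicNat("203.0.113.11", restricted=False)
    cone.send_out(server, ("192.0.2.1", 53))
    results["full_cone"] = probe_all_ports(cone, client)["delivered"]
    return results


if __name__ == "__main__":
    print(demo())
```

The model shows the cost side as well as the reachability side: against an idle server every one of the 65535 probes is dropped at the NAT, and even in the best case one port answers, which is indistinguishable from a port sweep to whoever watches the server's firewall logs.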
  7. smerf

    imhotep Guest

    smerf wrote:

    >
    > "karl levinson, mvp" <> wrote in message
    > news:...
    >>
    >> "smerf" <> wrote in message
    >> news:xrFTg.16014$...
    >>>I am trying to write a freeware client/server program that needs to scan
    >>>the server's ports for the server's open UDP port.
    >>>
    >>> Before I get too deep into this, are there any problems that I need to
    >>> know of if I send a probe UDP packet that looks for the server to all
    >>> ports on at the server's target IP?

    >>
    >> Send one UDP packet to scan all ports? I'm not sure this is possible the
    >> way you have described it.

    >
    > What I meant was that the server (behind NAT1) will be expecting an
    > encrypted value from the client (behind NAT2).
    >
    > I would send this same encrypted info to all UDP ports on the server's
    > known
    > external IP to get a valid connection to the server. Of course this would
    > mean sending a packet for each possible port, but the packet contents
    > would all be the same.


    Are you trying to do this to find the "secret" port???

    > Sorry for the confusion.
    >
    >>> The reason I am asking is that some users of this freeware server will
    >>> be behind NATs and I may have to probe for the external port assigned to
    >>> the
    >>> internal server by the NAT device. The client would send an encrypted
    >>> string that the server would know how to respond to. If this encrypted
    >>> value is not what the server expected, no communication would take
    >>> place.

    >>
    >> Most client/server apps more typically will require you to either
    >> manually configure the NAT firewall so that it will work, or know how the
    >> NAT is configured and manually configure the client and server so it will
    >> work. Most client/server apps also more typically have a standard port
    >> number for the server that is recommended to be configured as a static
    >> port number in NAT.
    >>
    >> How is the NAT set up?

    >
    > I will not know. Neither may the server operator. Think of it as a P2P
    > app using UDP behind NATs.
    >
    >>Are you sure the server's port will change to an unknown value during the
    >>NAT?

    >
    > I don't want the end user to have to configure firewalls or NATs. I want
    > this to be as simple as possible for them.
    >
    > Being behind a NAT (and not setting up any manual port forwarding) means
    > that the NAT will choose an unused port at random for outbound UDP
    > connections (just like it does for HTTP connections when you surf the
    > web).


    Correct...

    > So, the external port for the server will be unknown.


    It will be dynamic...

    >>How is it that the NAT port being used is not already known?

    >
    > See above.
    >
    >>I would expect the client's source port to change dynamically, but the
    >>server's destination port to be known by whoever configured the NAT.

    >
    > I am really trying to make this as simple as possible by not requiring the
    > end users to set ports in their NAT or Firewall. Also, some people may
    > want to use the software but not have access to the NAT or Firewall to
    > make manual changes.



    Honestly, I think you will need a server in the middle. For example,
    Client-A connects to Internet-Server-A, then Client-B connects to
    Internet-Server-A. Next, they can use Internet-Server-A as a kind of
    packet proxy (for lack of a better techie word)...

    This would allow you to not force any users to reconfigure their NAT
    routers, etc. and would be seamless...


    Just a thought...


    Imhotep
     
    imhotep, Oct 3, 2006
    #7
  8. smerf

    smerf Guest

    You are quite right. It's called a packet relay server.....and it looks
    like I'll be coding one.

    "imhotep" <> wrote in message
    news:...
    > smerf wrote:
    >
    >>
    >> "karl levinson, mvp" <> wrote in message
    >> news:...
    >>>
    >>> "smerf" <> wrote in message
    >>> news:xrFTg.16014$...
    >>>>I am trying to write a freeware client/server program that needs to scan
    >>>>the server's ports for the server's open UDP port.
    >>>>
    >>>> Before I get too deep into this, are there any problems that I need to
    >>>> know of if I send a probe UDP packet that looks for the server to all
    >>>> ports on at the server's target IP?
    >>>
    >>> Send one UDP packet to scan all ports? I'm not sure this is possible
    >>> the
    >>> way you have described it.

    >>
    >> What I meant was that the server (behind NAT1) will be expecting an
    >> encrypted value from the client (behind NAT2).
    >>
    >> I would send this same encrypted info to all UDP ports on the server's
    >> known
    >> external IP to get a valid connection to the server. Of course this would
    >> mean sending a packet for each possible port, but the packet contents
    >> would all be the same.

    >
    > Are you trying to do this to find the "secret" port???
    >
    >> Sorry for the confusion.
    >>
    >>>> The reason I am asking is that some users of this freeware server will
    >>>> be behind NATs and I may have to probe for the external port assigned
    >>>> to
    >>>> the
    >>>> internal server by the NAT device. The client would send an encrypted
    >>>> string that the server would know how to respond to. If this encrypted
    >>>> value is not what the server expected, no communication would take
    >>>> place.
    >>>
    >>> Most client/server apps more typically will require you to either
    >>> manually configure the NAT firewall so that it will work, or know how
    >>> the
    >>> NAT is configured and manually configure the client and server so it
    >>> will
    >>> work. Most client/server apps also more typically have a standard port
    >>> number for the server that is recommended to be configured as a static
    >>> port number in NAT.
    >>>
    >>> How is the NAT set up?

    >>
    >> I will not know. Neither may the server operator. Think of it as a P2P
    >> app using UDP behind NATs.
    >>
    >>>Are you sure the server's port will change to an unknown value during the
    >>>NAT?

    >>
    >> I don't want the end user to have to configure firewalls or NATs. I want
    >> this to be as simple as possible for them.
    >>
    >> Being behind a NAT (and not setting up any manual port forwarding) means
    >> that the NAT will choose an unused port at random for outbound UDP
    >> connections (just like it does for HTTP connections when you surf the
    >> web).

    >
    > Correct...
    >
    >> So, the external port for the server will be unknown.

    >
    > It will be dynamic...
    >
    >>>How is it that the NAT port being used is not already known?

    >>
    >> See above.
    >>
    >>>I would expect the client's source port to change dynamically, but the
    >>>server's destination port to be known by whoever configured the NAT.

    >>
    >> I am really trying to make this as simple as possible by not requiring
    >> the
    >> end users to set ports in their NAT or Firewall. Also, some people may
    >> want to use the software but not have access to the NAT or Firewall to
    >> make manual changes.

    >
    >
    > Honestly, I think you will need a server in the middle. For example,
    > Client-A connects to Internet-Server-A, then Client-B connects to
    > Internet-Server-A. Next, they can use Internet-Server-A as a kind of
    > packet proxy (for lack of a better techie word)...
    >
    > This would allow you to not force any users to reconfigure their NAT
    > routers, etc. and would be seamless...
    >
    >
    > Just a thought...
    >
    >
    > Imhotep
     
    smerf, Oct 4, 2006
    #8
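The relay design the thread settles on (imhotep's "server in the middle", smerf's "packet relay server") works because each peer only ever sends outbound, which is exactly the traffic a dynamic NAT creates a mapping for; the relay learns each peer's public address from that first datagram and forwards between them. Here is an added example of the exchange with both sides' messages, written for this thread and not smerf's program or any existing relay: the `REG`/`DAT` wire format, the session name `sess1` and the peer names `A`/`B` are all made up for the example, and everything runs over loopback sockets, so the NATs themselves are not present, only the traffic pattern they require.

```python
import socket
import threading
from typing import Dict, Tuple

Addr = Tuple[str, int]


class UdpRelay:
    """Constructed packet relay, not the poster's code. Wire format (made up for
    this example): b"REG <session> <name>" registers the sender's public address
    under a session; b"DAT <session> <name> <payload>" is forwarded to every
    other name registered in that session."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))            # port 0: let the OS pick a free port
        self.addr: Addr = self.sock.getsockname()
        self.sessions: Dict[bytes, Dict[bytes, Addr]] = {}
        self.relayed = 0
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self.sock.close()                    # _serve exits on the resulting OSError

    def _serve(self) -> None:
        while True:
            try:
                data, src = self.sock.recvfrom(2048)
            except OSError:
                return
            self._handle(data, src)

    def _handle(self, data: bytes, src: Addr) -> None:
        parts = data.split(b" ", 3)
        if parts[0] == b"REG" and len(parts) == 3:
            # src is the address as seen from the Internet, i.e. whatever the
            # peer's NAT chose; the peer itself never needs to know it.
            self.sessions.setdefault(parts[1], {})[parts[2]] = src
            self.sock.sendto(b"OK", src)
        elif parts[0] == b"DAT" and len(parts) == 4:
            session, sender, payload = parts[1], parts[2], parts[3]
            peers = self.sessions.get(session, {})
            # Plausibility check only: a datagram claiming to be from "A" must
            # come from A's registered address. UDP sources can be forged, so
            # the peers' own end-to-end authentication (the thread's "encrypted
            # string") is still what actually proves identity.
            if peers.get(sender) != src:
                return
            for name, addr in peers.items():
                if name != sender:
                    self.sock.sendto(payload, addr)
                    self.relayed += 1


def _client() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2)
    return s


def run_exchange(message: bytes = b"hello from A") -> Dict[str, object]:
    """Two peers that only ever send outbound to the relay exchange a datagram;
    a third, unregistered socket tries to inject one and is dropped."""
    relay = UdpRelay()
    relay.start()
    a, b, rogue = _client(), _client(), _client()
    try:
        for sock, name in ((a, b"A"), (b, b"B")):
            sock.sendto(b"REG sess1 " + name, relay.addr)   # this is the outbound
            reply, _ = sock.recvfrom(64)                     # packet a NAT maps
            if reply != b"OK":
                raise RuntimeError("registration failed")
        a.sendto(b"DAT sess1 A " + message, relay.addr)
        received, src = b.recvfrom(2048)

        rogue.sendto(b"DAT sess1 A forged", relay.addr)
        b.settimeout(0.5)
        try:
            b.recvfrom(2048)
            forged_delivered = True
        except (socket.timeout, TimeoutError):
            forged_delivered = False
        return {"received": received, "from_relay": src == relay.addr,
                "forged_delivered": forged_delivered, "relayed": relay.relayed}
    finally:
        for s in (a, b, rogue):
            s.close()
        relay.stop()


if __name__ == "__main__":
    print(run_exchange())
```

Note that B receives the payload from the relay's address, not from A's: that is what lets it through B's NAT, since B sent to the relay first. Two practical points the example leaves out: NATs expire idle UDP mappings after a short time, so real peers send periodic keepalives to the relay, and the relay sees every payload, so anything confidential has to be encrypted end to end between the peers rather than trusted to the middle box.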