Hi Tomek,

> I can see that UDP ports always look opened and opened tcp ports also
> look opened regardless of what tricks with unclean you use, closed
> DENYed ports look filtered.

It is obvious, because nmap does not send 'unclean' udp packets. They are totally fine.

I believe there would be only one reason to send 'unclean' udp packets, and that would be to map a network behind a non rfc1318 compliant router. For example, if you would use isic, or some other software that is capable of sending UDP packets with malformed checksums, a router that does not do any checks on the packets passed from one interface to the other would allow us to reveal all the hosts that are currently up, because destination hosts would have to reply with icmp parameter problem.

If I am not mistaken, Guillaume Morin's Unclean match matches bad TCP flags, various checksums of TCP/UDP/ICMP/IP traffic, header lengths, and so on.

The best way to handle UDP traffic would be to block it as soon as possible on all ports except, say, 53 and 123 (if you use ntp). Currently every good firewall blocks udp completely or almost completely (allowing udp to DNS only), and that makes UDP scans virtually useless.

Anyway, if you scan something and it shows you that all ports are open, what does that aid you in hacking a system? It only suppresses the famous: Denial of Administrator, who wastes his time on browsing the logs.

Best regards.
Maciej Soltysiak.

hehe, I just chose the second pillar :)
