UDP is another widely used transport layer protocol. Many attacks are carried over UDP, so a security analyst needs a good understanding of how UDP is intended to function and what a normal UDP datagram looks like; only then can the analyst recognize an abnormal datagram that might carry a hidden threat.
The security analyst should also understand the differences between TCP and UDP, and therefore be able to recognize which protocol is appropriate for a given exchange when analyzing network communications.
UDP has the following characteristics:
- UDP operates at Layer 4 (the transport layer) of the OSI reference model.
- UDP is IP protocol number 17.
- UDP provides applications with efficient access to the network layer without the overhead of reliability mechanisms.
- Like IP, UDP is a connectionless protocol in which a one-way datagram is sent to a destination without advance notification to the destination device.
- UDP is capable of performing only a very limited form of error checking. The UDP datagram includes an optional checksum value, which the receiving device can use to test the integrity of the header and data. The checksum is computed over a pseudoheader as well, and this pseudoheader includes the destination address. If the receiving device sees that the datagram is directed to an inactive port, it returns a message stating that the port is unreachable.
- UDP provides service on a best-effort basis and does not guarantee data delivery, because packets can be misdirected, duplicated, corrupted, or lost on the way to their destination.
- UDP does not provide any special features that recover lost or corrupted packets. These services, if they are required, are provided by the application layer process that uses UDP.
Using the UDP protocol services is analogous to sending non-certified mail through a postal service: the sender does not find out whether the mail was lost in transit, and the recipient does not acknowledge receipt.
UDP delivers these applications, among others:
- TFTP: TFTP is a simple file transfer protocol. Most commonly, it is used to copy and install the operating system of a computer from files that are located on a TFTP server. TFTP is a smaller application than FTP and is typically used on networks for simple file transfer. TFTP contains its own error checking and sequence numbering and, therefore, does not need reliability in the transport layer.
- SNMP: SNMP monitors and manages networks, the devices that are connected to them, and network performance information. SNMP sends PDU messages that allow network management software to monitor and control devices on the network.
- DNS: DNS translates, or "resolves", human-readable names of IP end systems into machine-readable IP addresses, which are necessary for routing. DNS can use either UDP or TCP. For name resolution, it usually uses UDP, which can be faster than TCP because there is no need to establish a connection. For messages whose size exceeds the DNS protocol's limit, and for operations for which reliable delivery is essential, DNS uses TCP.
- NTP: NTP is used to synchronize a computer to Internet time servers or other sources, such as radio or satellite receivers or telephone modem services.
As illustrated in the figure, the length of a UDP header is always 64 bits.
A UDP header consists of these fields:
- Source port: Number of the calling port (16 bits)
- Destination port: Number of the called port (16 bits)
- Length: Length of the UDP header and UDP data (16 bits)
- Checksum: Calculated checksum of the header and data fields (16 bits)
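The following Python script is an added example, not code from the original page, that puts the header layout above and the checksum/pseudoheader description together. It builds a UDP datagram from the four 16-bit header fields, computes the RFC 768 checksum over the IPv4 pseudoheader (source address, destination address, a zero byte, protocol 17, and the UDP length), and then parses a datagram the way an analyst's tool would: reporting the fields, flagging a length field that disagrees with the bytes actually captured, and verifying the checksum when one is present. The IP addresses and payload are constructed sample values; the function names are this example's own.

```python
import struct

UDP_PROTOCOL_NUMBER = 17   # IP protocol number for UDP
UDP_HEADER_LEN = 8         # 64 bits: four 16-bit fields


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry; odd lengths get a zero pad byte."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudoheader(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudoheader as defined in RFC 768: it is covered by the checksum but never sent on the wire."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTOCOL_NUMBER, udp_length)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudoheader + UDP header (checksum field zeroed) + data."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudoheader(src_ip, dst_ip, len(segment)) + zeroed)
    # RFC 768: a computed value of zero is transmitted as all ones, because zero means "no checksum".
    return csum if csum != 0 else 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Assemble a UDP datagram: source port, destination port, length (header + data), checksum."""
    length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> dict:
    """Decode the 8-byte header and verify the checksum; checksum_ok is None when the field is zero (unused)."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header: fewer than 8 bytes")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        # An analyst should treat a length field that does not match the captured bytes as abnormal.
        raise ValueError(f"UDP length field {length} is inconsistent with {len(segment)} captured bytes")
    if csum == 0:
        checksum_ok = None
    else:
        # Summing pseudoheader + the whole segment (checksum included) must give all ones if intact.
        total = ones_complement_sum(pseudoheader(src_ip, dst_ip, length) + segment[:length])
        checksum_ok = total == 0xFFFF
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "length": length,
        "checksum": csum,
        "checksum_ok": checksum_ok,
        "payload": segment[UDP_HEADER_LEN:length],
    }


if __name__ == "__main__":
    # Constructed sample: a client on 192.168.1.10 sending a 4-byte payload to port 53 on 192.168.1.1.
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
    datagram = build_udp(src, dst, 40000, 53, b"\x12\x34\x01\x00")
    print(parse_udp(src, dst, datagram))
    damaged = bytearray(datagram)
    damaged[-1] ^= 0x01
    print("after corrupting one payload byte:", parse_udp(src, dst, bytes(damaged))["checksum_ok"])
```

The verification step uses the standard property of one's complement arithmetic: adding the transmitted checksum to the sum it was computed from yields all ones, so a receiver does not need to recompute and compare, only to check that the total over pseudoheader plus datagram is 0xFFFF. The `length > len(segment)` check is the kind of consistency test worth applying to captured traffic, since a header that claims more data than was captured is either truncated or malformed.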