Because UDP is stateless, the stack cannot differentiate between a client port and a server port. A scanner that is sending messages to many ephemeral ports looks similar to a DNS server that is sending replies to many clients on ephemeral ports. You can specify the RESERVED keyword on the PORT or PORTRANGE statement in the TCP/IP profile to prohibit the use of a UDP port. Any datagram that is received for a prohibited port is treated as a very suspicious event. Any datagram that is received for a port that is not prohibited but is unbound is treated as a possibly suspicious event, and any datagram received for a bound port is treated as a normal event. You can also limit event generation to specific port ranges and destination addresses. UDP port scans apply to IPv4 and IPv6 packets. Events are classified by the first matching entry in Table 1:
Table 1. UDP port scan event classification

| Socket state | Event | Event classification |
|---|---|---|
| Any state | Receive any packet that is denied by IP security filtering | Possibly suspicious |
| Use prohibited by RESERVED keyword | Receive any packet | Very suspicious |
| Unbound, use not prohibited | Receive any packet | Possibly suspicious; application could be temporarily down |
| Bound | Receive any packet | Normal |
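The first-match classification above, as an added example written here and not taken from the IBM documentation or the z/OS stack; the `UdpIdsModel` structure, its field names, and the sample traffic are assumptions that stand in for the TCP/IP profile (RESERVED ports, bound sockets, IP filtering) and for the optional port-range and destination-address scoping.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Set, Tuple

NORMAL = "normal"
POSSIBLY = "possibly suspicious"
VERY = "very suspicious"

@dataclass
class UdpIdsModel:
    """Simplified (assumed) model of the stack's view of UDP ports."""
    reserved_ports: Set[int]                 # PORT/PORTRANGE ... RESERVED
    bound_ports: Set[int]                    # ports with a bound UDP socket
    filter_denied: List[str] = field(default_factory=list)  # source nets denied by IP filtering
    scan_ports: Optional[range] = None       # optional: generate events only for this port range
    scan_dests: List[str] = field(default_factory=list)     # optional: only for these destinations

    def in_scope(self, dst: str, dport: int) -> bool:
        if self.scan_ports is not None and dport not in self.scan_ports:
            return False
        if self.scan_dests and not any(ip_address(dst) in ip_network(n) for n in self.scan_dests):
            return False
        return True

    def classify(self, src: str, dst: str, dport: int) -> Optional[str]:
        """Classify one received datagram by the first matching table row; None if out of scope."""
        if not self.in_scope(dst, dport):
            return None
        if any(ip_address(src) in ip_network(n) for n in self.filter_denied):
            return POSSIBLY           # row 1: denied by IP security filtering (checked first)
        if dport in self.reserved_ports:
            return VERY               # row 2: RESERVED port
        if dport not in self.bound_ports:
            return POSSIBLY           # row 3: unbound, application may simply be down
        return NORMAL                 # row 4: bound socket

def summarize(model: UdpIdsModel, datagrams: Iterable[Tuple[str, str, int]]) -> dict:
    """Count classifications per source; a scanner shows as many non-normal events from one host."""
    per_src: dict = {}
    for src, dst, dport in datagrams:
        cls = model.classify(src, dst, dport)
        if cls is not None:
            per_src.setdefault(src, Counter())[cls] += 1
    return per_src

# Constructed sample traffic (not captured data): one IPv4 host sweeping ports, a legitimate
# DNS reply to a bound client port, a filter-denied source, and one IPv6 probe.
MODEL = UdpIdsModel(reserved_ports={161}, bound_ports={53, 40000}, filter_denied=["203.0.113.0/24"],
                    scan_ports=range(1, 65536), scan_dests=["192.0.2.0/24", "2001:db8::/32"])
SAMPLE = [("198.51.100.7", "192.0.2.10", p) for p in (53, 161, 1000, 1001)] + [
    ("192.0.2.53", "192.0.2.10", 40000), ("203.0.113.5", "192.0.2.10", 53),
    ("2001:db8:ffff::9", "2001:db8::1", 1002)]
```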