
User Datagram Protocol (UDP)

UDP is the polar opposite of TCP. Whereas TCP is connection oriented, reliable, and relatively complex, UDP is a connectionless, unreliable, and relatively simple protocol. The initial response might be to ask, "Why use an unreliable protocol?" To understand this, you need the proper perspective on what "unreliable" means. Unreliable does not mean that it will not work or that the data will not get delivered. Indeed, when using unreliable protocols such as UDP, it is generally a safe bet that the data will be delivered successfully. Why? Because most networks today are designed to minimize latency and packet loss, which helps ensure that data gets delivered regardless of the protocol used. Consequently, UDP was developed in large part to provide a simple, low-overhead method of delivering data across the network. Yes, UDP messages can be lost, duplicated, or delivered out of order, but in most cases on most networks, they will not be.

UDP has low overhead because two UDP hosts do not establish a session before transmitting data, and they do not periodically verify that the data was received, as TCP does. This makes UDP an excellent choice for transmitting small bursts of data, or data whose reliability is handled at the application layer. Common applications that use UDP include DNS, TFTP, and SNMP. Like TCP, UDP uses port numbers to identify the higher-layer application or protocol from which the data came and for which it is destined. These port numbers are assigned and maintained by IANA, which provides a full list of registered port numbers at http://www.iana.org/assignments/port-numbers.

Note: RFC 0768 defines UDP.

UDP Message Structure

Because of the simplicity of the design of UDP, the UDP segment structure is much simpler than the TCP segment structure. The UDP message contains two components: the UDP header and the UDP data. The UDP header is only 8 bytes in length, again providing less overhead and thus more space for data than TCP (with its 20-byte header).

UDP Datagram Header
As shown in Figure 3-10, the UDP header is simple and straightforward, containing the minimum information required to deliver data.

Figure 3-10. UDP Header Structure

The UDP header contains two 32-bit words with the following fields and meanings:

• Source Port (16 bits): This field identifies the source protocol or application. It lets the source know which application the data belongs to, so that responses can be delivered to the appropriate source application. In most cases, the source port is a random high-level port number (>1024) generated by the application.
• Destination Port (16 bits): This field identifies the destination protocol or application on the target host. It lets the destination route the data to the appropriate higher-layer application or protocol. In most cases, the destination port is a defined (and in some cases well-known) port number associated with the protocol or application in question.
• Length (16 bits): This field gives the length of the datagram in bytes, including the header and the data, and therefore has a minimum value of 8 (the length of the header).
• Checksum (16 bits): This field is optional; when used, it gives the destination a simple way to verify that the full datagram was received intact. If not used, the value is 0.

Bad UDP

UDP is such a simple protocol that there is not a whole lot that can be done with the protocol itself to account for "bad" UDP traffic. UDP is particularly effective as a source of "bad" traffic because it is connectionless, which makes it a prime candidate for spoofing. Malicious users can generate traffic as if it came from a different host, and because UDP is connectionless and responses are not expected, they do not care that the targeted host sends its responses to the wrong host.

UDP is also a prime candidate for flooding a network, in particular with malformed data or with UDP packets that contain no data whatsoever. One of the more effective methods is to flood the broadcast address of a network with UDP traffic, forcing all hosts to process and potentially respond to the traffic, thus amplifying a single malicious datagram into a large volume of traffic. These processes are referred to as denial-of-service (DoS) attacks.
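The header layout and the optional checksum described above, as an added example that is not part of the original text: a small Python decoder that unpacks the 8-byte header, checks that the Length field covers the whole datagram (minimum 8), treats a zero checksum as "not used", and otherwise verifies the checksum over the IPv4 pseudo-header as RFC 768 specifies. It also flags header-only datagrams, the "no data whatsoever" case the text mentions. The addresses, ports and payload are constructed sample values, not from any real capture.

```python
import struct

# Constructed sample addresses (documentation range), not from any real capture.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 53])
UDP_PROTO = 17  # IP protocol number for UDP, used in the pseudo-header

def ones_complement_sum(data: bytes) -> int:
    """Sum big-endian 16-bit words with end-around carry (RFC 768 style)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> int:
    """Checksum over the IPv4 pseudo-header, UDP header and data, with the
    checksum field taken as zero. A computed 0 is sent as 0xFFFF, because a
    transmitted 0 means 'no checksum'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(datagram))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Assemble an 8-byte header plus payload with a valid checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload

def parse_udp(src_ip, dst_ip, datagram: bytes) -> dict:
    """Decode the header fields and apply the consistency checks from the text."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    info = {
        "src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
        "length_ok": 8 <= length == len(datagram),  # Length covers header + data
        "has_checksum": csum != 0,                  # 0 means checksum not used
        "empty_payload": length == 8,               # header only, no data
        "checksum_ok": None,                        # None when absent or unverifiable
    }
    if csum != 0 and info["length_ok"]:
        info["checksum_ok"] = udp_checksum(src_ip, dst_ip, datagram) == csum
    return info

# Constructed DNS-like query to port 53 from an ephemeral source port.
SAMPLE = build_udp(SRC_IP, DST_IP, 40000, 53, b"constructed DNS-like payload")
```

Feeding a captured datagram's IP addresses and UDP bytes to `parse_udp` gives the same field breakdown shown in Figure 3-10, plus whether the length and checksum are consistent.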