UDP Protocol
- Purpose
  - UDP (User Datagram Protocol) is one of the two main transport protocols in the TCP/IP suite, alongside TCP.
  - It provides a simple, fast way to send data over networks without establishing a connection or tracking session state.
  - Understanding how UDP behaves helps identify when it is used, how it differs from TCP, and what it means when analyzing or generating traffic.
1. Key Characteristics of UDP
UDP is a connectionless and stateless protocol. This means that data is sent without checking if the receiver is ready or even available.
Characteristic | Description |
---|---|
No connection setup | UDP sends data without establishing a session (no SYN/ACK handshake) |
No delivery guarantees | Packets may be lost, duplicated, or arrive out of order |
No retransmissions | Lost packets are not resent |
Minimal overhead | The header is only 8 bytes long |
Stateless | Sender and receiver do not store any session information |
These traits make UDP faster and more lightweight than TCP, but also less reliable.
2. Use Cases Where UDP is Preferred
UDP is ideal in scenarios where:
- Speed is more important than reliability
- The application can handle occasional data loss
- Low latency is critical
Example Use Case | Protocol / Port | Why UDP is Suitable |
---|---|---|
Domain name lookups | DNS / 53 | Fast, small queries with retry logic handled by client |
Voice calls | SIP / 5060, RTP | Prioritizes real-time delivery over perfect reliability |
Live video | RTSP, custom UDP streams | Skipping frames is better than stalling |
Online gaming | Varies | Low latency is more important than perfect accuracy |
Time synchronization | NTP / 123 | Delays are more harmful than packet loss |
Lightweight monitoring | SNMP / 161 | Periodic data, not mission-critical |
Bootstrapping devices | TFTP / 69 | Simple protocol for controlled environments |
3. UDP Header Structure
UDP headers are very small and contain only essential fields:
Field | Size (bits) | Description |
---|---|---|
Source Port | 16 | Port used by the sending application |
Destination Port | 16 | Port on the receiving machine for the intended service |
Length | 16 | Total size of the UDP packet (header + data) |
Checksum | 16 | Error check value (optional in IPv4, mandatory in IPv6) |
There are no sequence numbers, acknowledgments, or flow control mechanisms.
4. Comparison: UDP vs TCP
Feature | UDP | TCP |
---|---|---|
Connection Setup | None | Requires 3-way handshake |
Reliability | No guarantees | Guaranteed delivery and order |
Overhead | Very low (8 bytes) | Higher (20+ bytes) |
Packet Order | Not ensured | Ordered |
Retransmissions | No | Yes |
Flow/Congestion Control | None | Built-in |
Use Case Focus | Speed, simplicity | Accuracy, reliability |
5. UDP in Network Scanning and Analysis
UDP behavior differs from TCP during scanning:
- When scanning a closed UDP port
  - The system may reply with an ICMP "Port Unreachable" message (Type 3, Code 3).
- When scanning an open UDP port
  - Typically no response is returned, which forces scanners to rely on timeouts.
- Tools commonly used
  - `nmap -sU` — performs UDP port scans
  - `netcat -u` — sends custom UDP packets
  - `hping3 --udp` — crafts and sends raw UDP traffic
  - `Wireshark` — captures and decodes UDP-based traffic
6. Application Layer Protocols Built on UDP
Many higher-layer protocols are designed specifically for UDP, often with their own retry or recovery mechanisms:
Protocol | Port(s) | Description |
---|---|---|
DNS | 53 | Resolves hostnames to IP addresses |
DHCP | 67/68 | Assigns IP addresses dynamically |
TFTP | 69 | Basic file transfer used in controlled environments |
NTP | 123 | Time synchronization |
SNMP | 161/162 | Monitoring of networked devices |
RTP | Varies | Real-time media delivery |
SIP | 5060 | VoIP signaling |
IKE | 500 | IPsec key exchange |
Syslog | 514 | Logging from devices over UDP |
7. Limitations and Risks
UDP is powerful due to its simplicity, but comes with trade-offs:
- No reliability
  - Applications must handle their own error checking and retransmission if needed.
- Vulnerable to spoofing
  - Without handshakes or state tracking, it's easier to spoof UDP packets.
- Used in amplification attacks
  - Some UDP services respond with more data than they receive (e.g., DNS), making them targets for DDoS amplification.