We have seen how private ports are assigned at the higher end of the port
range. A UDP scan tries to determine the state of a port by sending a
zero-byte UDP packet to the target system at that port. An open port
does not respond, while a closed port replies with an ICMP HOST
UNREACHABLE response. As with inverse mapping, the absence of a reply is
taken as evidence that the port is open. The disadvantage to the
attacker is that UDP is a connectionless protocol and, unlike TCP, does
not retransmit packets that are lost or dropped on the network, so a
silent port may simply be a lost probe. Moreover, the scan is easily
detected and unreliable (false positives). Linux kernels also limit the
rate of ICMP error messages: destination unreachable is set to 80 per 4
seconds, after which a 1/4 second penalty is imposed if the count is
exceeded. This makes the scan slow, and the scan also requires root
access. However, it avoids TCP-based IDS and can scan non-TCP ports.
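The inference rule and the rate-limit effect described above, as an added simulation that is not part of the original text: it models the kernel's ICMP error limit (80 destination-unreachable messages per 4 seconds, per the text) as a sliding window, treats any ICMP destination-unreachable reply as "closed" and silence as "open|filtered", and shows how probing faster than the limit turns closed ports into false positives. The open-port set and the timings are constructed; nothing is sent on the network.

```python
# Added example: offline model of UDP scan inference under an ICMP error
# rate limit. Constructed data; no packets are transmitted.
from collections import Counter

RATE_LIMIT = 80          # ICMP error messages allowed per window (from the text)
WINDOW_MS = 4000         # window length in milliseconds (4 seconds)
OPEN_PORTS = {53, 123, 161}   # constructed sample: ports the target really has open


class IcmpRateLimiter:
    """Sliding-window approximation of the kernel's ICMP error rate limit."""

    def __init__(self, limit=RATE_LIMIT, window_ms=WINDOW_MS):
        self.limit, self.window_ms = limit, window_ms
        self.sent = []   # timestamps (ms) of ICMP errors already emitted

    def allow(self, now_ms):
        self.sent = [t for t in self.sent if now_ms - t < self.window_ms]
        if len(self.sent) < self.limit:
            self.sent.append(now_ms)
            return True
        return False


def target_reply(port, now_ms, limiter):
    """What the target does with a zero-byte UDP probe to `port`."""
    if port in OPEN_PORTS:
        return None                    # open: silence at the application layer
    if limiter.allow(now_ms):
        return "icmp-unreachable"      # closed: ICMP destination unreachable
    return None                        # closed but rate-limited: looks open


def udp_scan(ports, interval_ms):
    """Infer each port's state from (absence of) a reply; probes `interval_ms` apart."""
    limiter = IcmpRateLimiter()
    result = {}
    for i, port in enumerate(ports):
        reply = target_reply(port, i * interval_ms, limiter)
        result[port] = "closed" if reply else "open|filtered"
    return result


def false_positives(result):
    """Closed ports the scan reported as open|filtered."""
    return sorted(p for p, s in result.items()
                  if s == "open|filtered" and p not in OPEN_PORTS)


if __name__ == "__main__":
    ports = list(range(1, 201))
    fast = udp_scan(ports, interval_ms=10)    # 200 probes in 2 s: exceeds the limit
    paced = udp_scan(ports, interval_ms=50)   # 20 probes/s = 80 per 4 s: within it
    print("fast :", Counter(fast.values()), "false positives:", len(false_positives(fast)))
    print("paced:", Counter(paced.values()), "false positives:", len(false_positives(paced)))
```

The paced scan takes five times longer but reports every closed port correctly, which is the slowdown the text attributes to the rate limit.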