User Datagram Protocol (UDP)
UDP is the polar opposite of TCP. Whereas TCP is connection oriented, reliable, and
relatively complex, UDP is a connectionless, unreliable, and a relatively simple protocol.
The initial response might be to ask, "Why use an unreliable protocol?" To understand
this, you need to have the proper perspective of what we mean by unreliable.
Unreliable does not mean that it will not work or that the data will not get delivered.
Indeed, when using unreliable protocols such as UDP, it is generally a safe bet that the
data will be successfully delivered. Why? Because most networks today are designed to
eliminate things such as latency and packet loss, thus ensuring that data gets delivered
regardless of what protocol is used. Consequently, UDP was developed in large part to
provide a simple, low-overhead method of delivering data across the network. Yes, UDP
messages can be lost, duplicated, or sent out of order, but in most cases on most
networks, they will not be.
The reason that UDP is low overhead is because two UDP hosts do not establish a session
prior to transmitting data, and they do not periodically check to verify that the data was
received as is done with TCP. This makes UDP an excellent choice for the transmission
of small bursts of data or the transmission of data that handles reliability at the
application layer. Some common applications that make use of this are things such as
DNS, TFTP, and SNMP. Like TCP, UDP uses port numbers to identify the higher-layer
application or protocol from which the data came and for which it is destined. These port
numbers are assigned and maintained by IANA, which provides a full list of registered
port numbers at http://www.iana.org/assignments/port-numbers.
RFC 0768 defines UDP.
UDP Message Structure
Because of the simplicity of the design of UDP, the UDP segment structure is much
simpler than the TCP segment structure. The UDP message contains two components: the
UDP header and the UDP data. The UDP header is merely 8 bytes in length, again
providing less overhead and thus more space for data than TCP (with its 20-byte header).
UDP Datagram Header
As shown in Figure 3-10, the UDP header is pretty simple and straightforward,
containing the minimum required amount of information to allow for the delivery of data.
Figure 3-10. UDP Header Structure
[View full size image]
The UDP header contains two 32-bit words with the following fields and meanings:
• Source Port (16 bits) This field represents the source protocol or application. This
allows the source to know which application the data belongs to so that responses
can be delivered to the appropriate source application. In most cases, the source
port is a random high-level port number (>1024) generated by the application.
• Destination Port (16 bits) This field represents the destination protocol or
application on the target host. This allows the destination to properly route the data
to the appropriate higher-layer application or protocol. In most cases, the
destination port is a defined (and in some cases well known) port number that is
associated with the protocol or application in question.
• Length (16 bits) This field represents the length of the datagram in bytes,
including the header and the data, and therefore has a minimum value of 8 (the
length of the header).
• Checksum (16 bits) This field is optional and if used represents a simple method to
allow the destination to know that the full datagram was received. If not used, the
value is 0.
UDP is such a simple protocol that there is not a whole lot that can be done with the
protocol itself to account for "bad" UDP traffic. UDP is particularly effective as a source
of "bad" traffic because it is connectionless. Therefore, it is a great candidate for
spoofing. Malicious users can generate traffic as a different host, and because UDP is
connectionless and responses are not expected, they do not really care that the targeted
host is sending the responses to the wrong host.
UDP is also a great candidate for flooding a network, in particular by flooding the
network with malformed data or with UDP packets that contain no data whatsoever. One
of the more effective methods of doing this is to flood the broadcast address of a network
with UDP traffic, forcing all hosts to have to deal with and potentially respond to the
traffic, thus creating an exponential amount of traffic from a single malicious datagram.
These processes are referred to as denial-of-service (DoS) attacks.