User Datagram Protocol
A variety of well-established services rely on communication through UDP. The Simple Network Management Protocol (SNMP) sends its alarms through UDP, the Routing Information Protocol (RIP) exchanges routing information through UDP, and the Domain Name Service (DNS) transports its simple requests over UDP.
Because UDP is connectionless, no handshake confirms the sender's address before data is accepted, which makes the protocol well suited to malicious activity and to hiding the identity of the attacker through IP address spoofing.
As shown in Figure 21-1, the UDP header confirms the simplicity (and elegance) of this protocol. Though its addressing consists only of source and destination ports, the same rules apply to these ports for UDP as for TCP. Source ports are typically randomly generated. If traffic analysis finds them to be identical across packets, a packet-crafting tool can be suspected of having generated those packets, possibly for malicious activity. Destination ports are either well known or reserved, but malicious activity can also hide behind an innocent-looking communication on such a port.
The length of the packet is contained in the UDP length field, and a checksum ensures a level of integrity of the data.
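The header fields and the source-port observation described above can be checked in a few lines of Python. This is an added example, not part of the dictionary entry: the function names, the sample traffic, and the rule "same non-reserved source port from at least three distinct source addresses" are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict

def _sum16(data):
    """One's-complement 16-bit sum used by the UDP checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo(src_ip, dst_ip, udp_len):
    # IPv4 pseudo-header: source, destination, zero, protocol 17, UDP length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)

def parse_udp(datagram):
    """Return (src_port, dst_port, length, checksum) from the 8-byte header."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte UDP header")
    return struct.unpack("!HHHH", datagram[:8])

def is_well_formed(src_ip, dst_ip, datagram):
    """Length field matches the datagram and the checksum verifies (0 = unused)."""
    _, _, length, checksum = parse_udp(datagram)
    if length != len(datagram):
        return False
    return checksum == 0 or _sum16(_pseudo(src_ip, dst_ip, length) + datagram) == 0xFFFF

def build(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed sample datagram with a valid checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = (~_sum16(_pseudo(src_ip, dst_ip, length) + header + payload) & 0xFFFF) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def shared_source_ports(packets, min_sources=3):
    """Assumed heuristic: non-reserved source ports seen from >= min_sources addresses."""
    seen = defaultdict(set)
    for src_ip, dst_ip, datagram in packets:
        sport = parse_udp(datagram)[0]
        if sport >= 1024 and is_well_formed(src_ip, dst_ip, datagram):
            seen[sport].add(src_ip)
    return sorted(p for p, ips in seen.items() if len(ips) >= min_sources)

# Constructed sample traffic (documentation address ranges), not a real capture.
_PAIRS = [("192.0.2.10", 40000), ("192.0.2.77", 40000), ("198.51.100.4", 40000),
          ("198.51.100.9", 51514), ("192.0.2.33", 49822)]
SAMPLE = [(ip, "203.0.113.53", build(ip, "203.0.113.53", port, 53, b"query")) for ip, port in _PAIRS]
```

Source ports below 1024 are skipped because servers legitimately answer from fixed ports, and a single client reusing one socket keeps its port, so the count is taken over distinct source addresses rather than packets.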
See Also: Domain Name Service (DNS); Internet; Port and Port Numbers; Routing Information Protocol (RIP); Simple Network Management Protocol (SNMP); Spoofing.
Webster's New World Hacker Dictionary Copyright © 2006 by Bernadette Schell and Clemens Martin.
Published by Wiley Publishing, Inc., Indianapolis, Indiana.
Used by arrangement with John Wiley & Sons, Inc.