As a Network Security Analyst, you are monitoring a segment of the DMZ containing public-facing DNS and VPN servers. The border firewall's connection state table is filling up rapidly, but the IPS has not triggered any signature-based alerts for known exploits. You suspect a reconnaissance phase is underway. You capture a sample of the network traffic to perform manual packet analysis and identify the nature of the anomalous traffic.
You open the captured PCAP file in Wireshark and observe the following traffic pattern occurring rapidly over a span of milliseconds:
[Packet Capture Snippet - DMZ Interface]
No.  Time     Source         Destination    Protocol  Length  Info
101  12.0010  192.168.1.50   10.0.50.100    UDP       60      62312 → 53 Len=18
102  12.0015  192.168.1.50   10.0.50.100    UDP       60      62312 → 161 Len=18
103  12.0018  10.0.50.100    192.168.1.50   ICMP      88      Destination unreachable (Port unreachable)
104  12.0022  192.168.1.50   10.0.50.100    UDP       60      62312 → 500 Len=18
105  12.0028  10.0.50.100    192.168.1.50   ICMP      88      Destination unreachable (Port unreachable)
Which of the following filters can be used to detect UDP scan attempts using Wireshark?
An external host (192.168.1.50) is systematically sending rapid UDP packets to various ports (53, 161, 500) on your DMZ server (10.0.50.100). The target server is responding with ICMP error messages for the ports that are not actively listening.
This behavior is indicative of a UDP Port Scan (such as an Nmap -sU scan). The attacker is attempting to map out listening UDP services to find potential attack vectors.
C (icmp.type==3 and icmp.code==3): Because UDP is a connectionless protocol, open ports often do not respond to probes at all. However, by RFC standards, when a UDP datagram arrives at a closed port the target's operating system replies with an ICMP Type 3 (Destination Unreachable), Code 3 (Port Unreachable) error. A high volume of these specific outbound ICMP errors is the most reliable signature of an inbound UDP scan. Note that many operating systems rate-limit the errors they send and firewalls may drop them, so a probe that receives no reply can only be classified as open|filtered, not as open.
A is incorrect because Type 8 (Echo Request) and Type 0 (Echo Reply) are used for Ping Sweeps (host discovery), not port scanning. B is incorrect because Type 15 is an obsolete Information Request. D is incorrect because Type 13 is a Timestamp Request, occasionally used for reconnaissance, but not for port state determination.
To mitigate this activity, network defenders should configure rate-limiting on the firewall for outbound ICMP Destination Unreachable messages. This will drastically slow down the attacker's scan and prevent the firewall's state table from being exhausted. Additionally, tune the IDS/IPS to alert when the count of outbound ICMP Type 3 Code 3 packets exceeds the normal baseline for the segment.
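The detection logic described in the answer explanation (the icmp.type==3 and icmp.code==3 filter) and in the mitigation note (a threshold on outbound Port Unreachable errors), as an added example that is not part of the original question: it applies the filter to constructed packet records mirroring the capture above, raises an alert when the sliding-window count exceeds a constructed baseline, and uses the port quoted in each ICMP error to separate closed from open|filtered ports. Record format, threshold and window values are assumptions.

```python
from collections import defaultdict, deque

# Constructed records mirroring the capture snippet above (not a real PCAP).
# (time_s, src, dst, proto, detail): UDP detail is the destination port; ICMP detail
# is (type, code, quoted_port), since a port-unreachable error carries the original
# IP+UDP header, so the probed port can be read back from the ICMP payload.
SAMPLE = [
    (12.0010, "192.168.1.50", "10.0.50.100", "UDP", 53),
    (12.0015, "192.168.1.50", "10.0.50.100", "UDP", 161),
    (12.0018, "10.0.50.100", "192.168.1.50", "ICMP", (3, 3, 161)),
    (12.0022, "192.168.1.50", "10.0.50.100", "UDP", 500),
    (12.0028, "10.0.50.100", "192.168.1.50", "ICMP", (3, 3, 500)),
    # Benign background: a normal DNS query from an internal host and a ping reply.
    (12.5000, "10.0.50.7", "10.0.50.100", "UDP", 53),
    (12.5100, "10.0.50.100", "10.0.50.7", "ICMP", (0, 0, None)),
]

def is_port_unreachable(rec):
    """Equivalent of the Wireshark display filter icmp.type==3 and icmp.code==3."""
    return rec[3] == "ICMP" and rec[4][:2] == (3, 3)

def detect_udp_scans(records, threshold=2, window_s=1.0):
    """Return {probing_host: peak_count} for hosts that receive at least `threshold`
    ICMP port-unreachable errors inside any `window_s` sliding window. Threshold and
    window are constructed baseline values; tune them to the segment's normal traffic."""
    recent = defaultdict(deque)   # probing host -> timestamps of ICMP 3/3 sent to it
    alerts = {}
    for rec in records:
        if not is_port_unreachable(rec):
            continue
        t, _src, dst, _proto, _detail = rec
        q = recent[dst]           # the ICMP error's destination is the host that probed us
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[dst] = max(alerts.get(dst, 0), len(q))
    return alerts

def classify_probed_ports(records, scanner, target):
    """Split the scanner's probed UDP ports into closed (an ICMP 3/3 quoted the port)
    and open|filtered (no reply), the same ambiguity an nmap -sU scan reports."""
    probed = {p for _t, s, d, proto, p in records if proto == "UDP" and s == scanner and d == target}
    closed = {rec[4][2] for rec in records
              if is_port_unreachable(rec) and rec[1] == target and rec[2] == scanner}
    return {"closed": closed & probed, "open|filtered": probed - closed}
```

On the sample, the scanner 192.168.1.50 is flagged after two errors within the window, with ports 161 and 500 closed and port 53 (the DNS service) left as open|filtered because it never answered with an error.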