Nmap UDP Scans (-sU)

• Scans generally slower and more difficult than TCP
• Sends empty (no data) UDP header to target ports
• ICMP response rate-limiting detection
• - Closed ports typically respond ICMP Port Unreachable
• - OS limits ICMP responses (Linux limits to 1/sec)
• - Nmap slows down to avoid wasting packets
• - 65,536-ports @ 1/sec > 18 hours for one host