How does a UDP scan (-sU) operate and why are UDP results often incomplete compared to TCP scans?

• A. -sU sends TCP probes to UDP ports and interprets responses.
• B. -sU sends UDP probes to target UDP ports and interprets responses or ICMP port-unreachable messages; many UDP services don’t reply, and firewalls drop UDP traffic, leading to many ports appearing as open|filtered or unknown.
• C. -sU uses ICMP pings exclusively.
• D. -sU only scans the 100 most common UDP ports.

Answer: (B)

UDP scans work by sending UDP packets to target ports and waiting for a reply. Because UDP is connectionless, there’s no handshake like TCP, so there isn’t a standard “opened” response to confirm a port is listening. Nmap determines state from whatever it can observe: a UDP response from a running service can indicate open, an ICMP port-unreachable message usually means the port is closed, and no response often means the port is filtered or simply silent. Many UDP services don’t reply to unsolicited probes, and many networks drop or rate-limit UDP traffic and ICMP messages. As a result, a large portion of UDP probes yield no definitive answer, causing ports to appear as open|filtered or unknown. This makes UDP scan results frequently incomplete compared with TCP scans, where the handshake provides clearer and more consistent signals about port state.