Understanding Ports and Protocols: UDP vs TCP
The differences between TCP and UDP, when each is used, and the security implications of each protocol.
# Understanding Ports and Protocols: UDP vs TCP
Nearly every packet that carries application traffic across a network is delivered according to two pieces of information: the transport protocol named in the IP header's protocol field (TCP, protocol number 6, or UDP, protocol number 17, for the overwhelming majority of application traffic) and a port number in the transport header. The distinction between TCP and UDP shapes nearly every security decision a practitioner makes about traffic filtering, monitoring, and incident response. The two protocols exist because applications have different delivery requirements: a file transfer cannot afford to lose data silently, while a video stream cannot afford to wait for retransmission. TCP and UDP resolve that trade-off differently, and attackers know exactly which characteristics of each to exploit. Understanding both is not optional background knowledge; it is an operational prerequisite for anyone defending a network.
---
TCP and UDP are Layer 4 (Transport Layer) protocols in the OSI model. They operate above IP (Internet Protocol) and below application-layer protocols such as HTTP, DNS, and SMTP. Both protocols use port numbers to direct traffic to specific services on a host. Port numbers range from 0 to 65,535, divided by IANA into three ranges: well-known ports (0 to 1023), registered ports (1024 to 49151), and dynamic or ephemeral ports (49152 to 65535). The range a host actually draws its ephemeral ports from is an operating-system setting rather than a protocol rule; Linux defaults to 32768 to 60999, so firewall rules or detections that assume client ports always start at 49152 will misclassify real traffic.
TCP is a connection-oriented protocol. Before any data is exchanged, TCP establishes a session through a three-way handshake (SYN, SYN-ACK, ACK). It provides reliable, in-order delivery by numbering every byte with a sequence number, acknowledging what has been received, and retransmitting anything that goes unacknowledged. TCP is stateful: both endpoints track the connection state throughout its lifetime.
UDP is a connectionless protocol. It sends datagrams without establishing a session, without acknowledgment, and without guaranteed ordering. UDP is stateless from a protocol perspective, though stateful firewalls still track UDP flows as pseudo-connections, keyed on the source and destination address/port pairs and expired on a timer rather than on any protocol signal.
What these protocols are NOT: they are not encryption mechanisms. Neither TCP nor UDP provides confidentiality or integrity by default. They are not application-layer protocols, although they are often confused with the services that run on top of them. Port 443 is not "HTTPS"; it is a TCP port commonly assigned to HTTPS traffic. The port number is a label, not a guarantee of content.
Two variants matter in modern environments. QUIC (originally Quick UDP Internet Connections, developed at Google and standardized by the IETF as RFC 9000) runs over UDP but implements its own reliability, congestion control and TLS 1.3 encryption in user space; HTTP/3 runs on it, so UDP port 443 now carries a large share of web traffic. SCTP (Stream Control Transmission Protocol, RFC 4960) is a lesser-known reliable, message-oriented transport with multi-streaming and multi-homing, used mainly in telecom signalling and WebRTC data channels. Both create monitoring blind spots when tooling assumes that everything interesting is TCP: a control that inspects TCP 443 but passes UDP 443 through unexamined sees nothing of an HTTP/3 session.
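To make the QUIC blind spot concrete, the following added example (written for this article; it is not code from the page's author or from any QUIC implementation) decodes the version-independent long-header fields defined in RFC 8999 and labels a UDP payload the way an inspection pipeline on port 443 might. The sample Initial packet prefix reuses the Destination Connection ID from the RFC 9001 Appendix A example; the trailing payload bytes and the DNS sample are constructed.

```python
import struct

# Known versions: QUIC v1 (RFC 9000) and v2 (RFC 9369). Version 0 marks a
# Version Negotiation packet (RFC 8999).
QUIC_VERSIONS = {0x00000001: "v1", 0x6B3343CF: "v2"}

# Long packet types for v1, bits 5-4 of the first byte (RFC 9000 section 17.2).
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def parse_quic_long_header(datagram: bytes):
    """Decode the version-independent fields of a QUIC long-header packet.
    Returns None when the datagram cannot be a long header at all."""
    if len(datagram) < 7:
        return None
    first = datagram[0]
    if not first & 0x80:          # header form bit clear: short header or not QUIC
        return None
    if not first & 0x40:          # fixed bit must be set in every QUIC packet
        return None
    version = struct.unpack("!I", datagram[1:5])[0]
    pos = 5
    dcid_len = datagram[pos]
    pos += 1
    if len(datagram) < pos + dcid_len + 1:
        return None
    dcid = datagram[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = datagram[pos]
    pos += 1
    if len(datagram) < pos + scid_len:
        return None
    scid = datagram[pos:pos + scid_len]
    info = {"version": version, "dcid": dcid.hex(), "scid": scid.hex()}
    if version == 0:
        info["kind"] = "VersionNegotiation"
    elif version == 0x00000001:
        info["kind"] = V1_LONG_TYPES[(first >> 4) & 0x03]
    else:
        info["kind"] = "unknown"  # v2 renumbers the packet types; not decoded here
    return info


def classify_udp_payload(datagram: bytes) -> str:
    """Label a UDP payload seen on port 443 for an inspection pipeline."""
    hdr = parse_quic_long_header(datagram)
    if hdr is None:
        return "not-quic-long-header"
    if hdr["version"] == 0:
        return "quic-version-negotiation"
    name = QUIC_VERSIONS.get(hdr["version"])
    if name is None:
        # Either a reserved greasing version (0x?a?a?a?a) or a non-QUIC payload
        # whose first byte happens to have the top two bits set, e.g. a DNS
        # message with transaction ID 0xC3xx. The version field is what makes
        # the first-byte heuristic trustworthy; treat anything else as suspect.
        return "quic-unknown-version"
    return "quic-%s-%s" % (name, hdr["kind"].lower())


# Constructed samples. The first reproduces the opening bytes of the RFC 9001
# Appendix A client Initial (first byte, version, DCID, empty SCID, token
# length, length, packet number); the rest of the payload is zero filler.
SAMPLE_INITIAL = bytes.fromhex("c300000001088394c8f03e5157080000449e00000002") + b"\x00" * 16
SAMPLE_DNS = bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, sample in (("initial", SAMPLE_INITIAL), ("dns", SAMPLE_DNS)):
        print(name, classify_udp_payload(sample))
```

The classifier only needs the first handful of bytes, which is exactly what a flow sensor has before any decryption; a DNS query with an unlucky transaction ID passes the first-byte test but fails the version check, which is why the version field belongs in the heuristic.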
---
TCP: The Reliable Connection
TCP establishes a connection through the three-way handshake. The client sends a SYN (synchronize) packet to the server. The server responds with a SYN-ACK (synchronize-acknowledge). The client sends an ACK (acknowledge), and the connection is established. Data transfer begins only after this handshake completes.
During the session, every byte sent must be acknowledged by the receiver; acknowledgments are cumulative, so one ACK can cover several segments, and if an acknowledgment does not arrive within the retransmission timeout the sender retransmits. TCP also implements flow control through window sizing (the receiver advertises how much buffer space it has) and congestion control to avoid overwhelming network links. A session ends with a four-way close in which each side sends a FIN and the other acknowledges it (FIN, ACK, FIN, ACK), or abruptly with a RST (reset) from either side.
Security implications of TCP mechanics are significant. The SYN handshake creates an opportunity for SYN flood attacks, where an attacker sends large volumes of SYN packets without completing handshakes, exhausting the server's connection table. Mitigation typically involves SYN cookies, which encode the state the server would otherwise store into the initial sequence number of its SYN-ACK, so nothing is allocated until a valid final ACK arrives. TCP session hijacking exploits the predictability of sequence numbers; if an attacker can guess or observe sequence numbers, they can inject packets into an existing session. Modern TCP implementations use randomized initial sequence numbers (ISN) to reduce this risk, but randomization only defeats blind, off-path guessing: an attacker positioned on the path sees the sequence numbers directly, which is why the integrity of a session ultimately depends on TLS or a similar layer above TCP rather than on TCP itself.
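The following added example shows how a SYN cookie lets a server complete a handshake without storing any state for the half-open connection. It is written for this article and is a simplified scheme, not the exact Linux or BSD encoding: the 32-bit cookie packs a 5-bit time counter, a 3-bit index into a small MSS table (the one option the server must recover, since it kept no copy of the SYN), and a 24-bit keyed MAC over the 4-tuple, counter and MSS index. The MSS table, the secret and the addresses are constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumption for the example: a small table of common MSS values. Only the
# 3-bit index survives in the cookie, so the server picks the largest entry
# not exceeding what the client offered.
MSS_TABLE = [536, 1300, 1440, 1460]
SECRET = b"constructed-example-secret"   # a real stack uses a random per-boot key


def _counter(now: float) -> int:
    """64-second ticks, so a cookie stays valid for roughly one to two minutes."""
    return int(now) >> 6


def _mac24(saddr: bytes, daddr: bytes, sport: int, dport: int, counter: int, mss_idx: int) -> bytes:
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, counter, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(saddr: bytes, daddr: bytes, sport: int, dport: int, client_mss: int, now: float) -> int:
    """Server side, on SYN: return the ISN to place in the SYN-ACK. Nothing is stored."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(saddr, daddr, sport, dport, counter, mss_idx), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(saddr: bytes, daddr: bytes, sport: int, dport: int, ack_number: int, now: float):
    """Server side, on the final ACK: return the recovered MSS if this ACK completes
    a handshake we issued in the current or previous tick, otherwise None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client's ACK number is our ISN + 1
    tick5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x07
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if mss_idx >= len(MSS_TABLE):
        return None
    current = _counter(now)
    for delta in (0, 1):
        counter = current - delta
        if counter < 0 or (counter & 0x1F) != tick5:
            continue
        expected = _mac24(saddr, daddr, sport, dport, counter, mss_idx)
        if hmac.compare_digest(mac, expected):
            return MSS_TABLE[mss_idx]
    return None


# Constructed endpoints from documentation ranges: 203.0.113.10 -> 198.51.100.5
CLIENT = bytes([203, 0, 113, 10])
SERVER = bytes([198, 51, 100, 5])

if __name__ == "__main__":
    isn = make_syn_cookie(CLIENT, SERVER, 40000, 443, 1460, 1_000_000.0)
    print("SYN-ACK seq:", hex(isn))
    print("ACK 30 s later ->", check_syn_cookie(CLIENT, SERVER, 40000, 443, isn + 1, 1_000_030.0))
    print("ACK 200 s later ->", check_syn_cookie(CLIENT, SERVER, 40000, 443, isn + 1, 1_000_200.0))
```

The cost of the trick is visible in the code: anything the SYN carried that is not encoded in the cookie (window scaling, SACK permitted) is lost unless the stack can stash it in TCP timestamps, which is why real implementations only switch to cookies once the SYN backlog is under pressure.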
UDP: The Fast Datagram
UDP sends datagrams with an eight-byte header: source port, destination port, length, and checksum, followed by the payload. That is the entire structure. There is no handshake, no session state, no retransmission, no ordering guarantee. The application receiving UDP data must handle any reliability requirements itself.
Common UDP services and their standard (IANA well-known) port assignments include DNS on 53, DHCP on 67 (server) and 68 (client), TFTP on 69, NTP on 123, SNMP on 161 with traps on 162, syslog on 514, and QUIC/HTTP/3 on 443. As with TCP, the assignment is a convention, not evidence of what is actually listening.
Because UDP has no connection establishment, it is faster and carries less overhead. It is also far more difficult to filter intelligently. A firewall cannot rely on connection state to determine whether inbound UDP traffic is legitimate; it must use heuristics, rate limiting, or application-layer inspection.
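The header layout above is small enough to build and verify by hand. This added example (written for this article, not code from the page's author) constructs an IPv4 UDP datagram with a correct checksum and parses one back, including the pseudo-header that ties the checksum to the IP addresses, the "zero means no checksum" rule, and the length sanity check that a parser needs before trusting the length field. The addresses and payload are constructed sample input.

```python
import socket
import struct

UDP_PROTO = 17


def _ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: the checksum also covers the IP addresses, so a datagram
    delivered to the wrong host (or with a rewritten source) fails verification."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = 0xFFFF - _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # 0 means "no checksum" in IPv4 UDP, so a computed 0 is sent as 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload


def parse_udp(src_ip: str, dst_ip: str, segment: bytes) -> dict:
    """Return the header fields and payload; checksum_ok is None when the sender
    opted out (legal for IPv4 only), True/False otherwise."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("UDP length field inconsistent with datagram size")
    segment = segment[:length]   # bytes beyond the declared length are not part of the datagram
    if csum == 0:
        checksum_ok = None
    else:
        checksum_ok = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF
    return {"sport": sport, "dport": dport, "length": length,
            "checksum_ok": checksum_ok, "payload": segment[8:]}


if __name__ == "__main__":
    seg = build_udp("10.0.0.1", "10.0.0.2", 53000, 53, b"hello")   # constructed sample
    print(seg.hex())
    print(parse_udp("10.0.0.1", "10.0.0.2", seg))
    print("delivered to wrong host:", parse_udp("10.0.0.1", "10.0.0.3", seg)["checksum_ok"])
```

Note what the checksum does and does not give you: it catches corruption and misdelivery, but it is keyed to nothing, so anyone who can forge the source address can also compute a valid checksum. That is the property the amplification scenario below depends on.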
Security Scenario: DNS Amplification Attack
DNS runs on UDP port 53. An attacker sends DNS queries to public resolvers with a spoofed source IP address set to the victim's IP. The resolver sends its response (which can be many times larger than the query) to the victim. This is a UDP amplification attack, possible because UDP requires no handshake and the source address can be forged without the server detecting the spoofing.
A typical DNS amplification attack achieves amplification factors of 28 to 54 times, meaning each byte the attacker sends results in 28 to 54 bytes delivered to the victim; queries for record types that produce large answers (ANY, or anything in a DNSSEC-signed zone) push the ratio toward the top of that range. Defenders mitigate this through BCP38 (network ingress filtering to block spoofed source addresses at the network edge), rate limiting on DNS resolvers, closing open recursive resolvers to the internet, and response rate limiting (RRL) configurations on authoritative nameservers.
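Seen from the victim's network, an amplification attack has an unmistakable shape: DNS responses arriving from many resolvers that the receiving host never queried. This added example (written for this article, not from the page's author) runs that check over constructed NetFlow-style records and adds the complementary BCP38 check a site should run on its own egress: datagrams leaving with a source address the site does not own. Addresses, byte counts and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets).
FLOWS = [
    ("10.0.0.5", 51000, "10.0.0.2", 53, "udp", 80, 1),      # normal query to the site resolver
    ("10.0.0.2", 53, "10.0.0.5", 51000, "udp", 220, 1),     # normal reply
]
# Six open resolvers answer 10.0.0.9, which sent them nothing: the queries that
# triggered these replies carried 10.0.0.9 as a spoofed source address.
for i in range(1, 7):
    FLOWS.append(("198.51.100.%d" % i, 53, "10.0.0.9", 80, "udp", 3200 + 50 * i, 1))

# Constructed records seen leaving the site's edge router.
EGRESS = [
    ("10.0.0.5", 51000, "192.0.2.53", 53, "udp", 70, 1),     # legitimate
    ("203.0.113.9", 4444, "198.51.100.1", 53, "udp", 64, 1),  # forged source: not our prefix
]


def find_amplification_victims(flows, min_sources=5, min_ratio=10.0):
    """Hosts receiving DNS replies from many resolvers, far in excess of what they sent."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    outbound = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if sport == 53:                      # a reply arriving at dst
            inbound[dst]["bytes"] += nbytes
            inbound[dst]["sources"].add(src)
        if dport == 53:                      # a query leaving src
            outbound[src] += nbytes
    victims = {}
    for host, info in inbound.items():
        sent = outbound.get(host, 0)
        ratio = info["bytes"] / sent if sent else float("inf")
        if len(info["sources"]) >= min_sources and ratio >= min_ratio:
            victims[host] = {"sources": len(info["sources"]), "in_bytes": info["bytes"],
                             "out_bytes": sent, "ratio": ratio}
    return victims


def spoofed_egress(flows, site_prefixes):
    """BCP38 check: outbound datagrams whose source address is not one of ours."""
    nets = [ipaddress.ip_network(p) for p in site_prefixes]
    return [f for f in flows if not any(ipaddress.ip_address(f[0]) in n for n in nets)]


if __name__ == "__main__":
    print(find_amplification_victims(FLOWS))
    print(spoofed_egress(EGRESS, ["10.0.0.0/8"]))
```

The second function is the one that actually removes the attack class from the internet: a network that drops packets with foreign source addresses at its own edge cannot be used to launch reflection, regardless of what resolvers elsewhere do.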
Port Filtering and Firewall Rules
Implementing port and protocol controls requires deliberate rule design. A stateful firewall tracks TCP connection state and can permit return traffic automatically for established connections. For UDP, stateful inspection is approximated: the firewall records outbound UDP flows and permits return traffic to the source port within a short time window. On Linux the connection tracker keeps a UDP entry for 30 seconds after a single datagram and extends it to 120 seconds once traffic has flowed in both directions; other platforms use similar defaults.
Configuration consideration: default-deny posture means all ports are blocked unless explicitly permitted. Teams must inventory which services require which ports and protocols, document that inventory, and review it periodically. Undocumented open ports are a common finding in penetration tests and represent exactly the kind of hygiene failure that attackers scan for during reconnaissance.
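The UDP pseudo-state described above fits in a few lines, and modelling it makes its weaknesses obvious. This added example (written for this article, not from the page's author or any firewall product) is a minimal connection tracker: an outbound datagram opens a keyed entry, a matching reply refreshes it and promotes it to a stream, and anything unsolicited or expired is dropped. The timeouts follow the Linux defaults mentioned above; addresses and timestamps are constructed.

```python
class UdpConntrack:
    """Minimal model of how a stateful firewall approximates UDP 'connections'."""

    def __init__(self, timeout: float = 30.0, stream_timeout: float = 120.0):
        self.timeout = timeout                # single-direction flow
        self.stream_timeout = stream_timeout  # flow that has seen a reply
        # (inside_ip, inside_port, outside_ip, outside_port) -> [expires_at, replied]
        self.table = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, (exp, _) in self.table.items() if now > exp]:
            del self.table[key]

    def outbound(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Policy allows the outbound datagram; remember the flow so the reply can return."""
        self._expire(now)
        entry = self.table.get((src, sport, dst, dport), [0.0, False])
        entry[0] = now + (self.stream_timeout if entry[1] else self.timeout)
        self.table[(src, sport, dst, dport)] = entry
        return True

    def inbound(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Return True only if this datagram is the reverse of a live outbound flow."""
        self._expire(now)
        entry = self.table.get((dst, dport, src, sport))
        if entry is None:
            return False                      # unsolicited: default-deny applies
        entry[0] = now + self.stream_timeout  # reply seen: promote to stream timeout
        entry[1] = True
        return True


if __name__ == "__main__":
    ct = UdpConntrack()
    ct.outbound("10.0.0.5", 51000, "192.0.2.53", 53, now=0.0)        # DNS query leaves
    print("reply at 5 s   :", ct.inbound("192.0.2.53", 53, "10.0.0.5", 51000, now=5.0))
    print("reply at 100 s :", ct.inbound("192.0.2.53", 53, "10.0.0.5", 51000, now=100.0))
    print("reply at 300 s :", ct.inbound("192.0.2.53", 53, "10.0.0.5", 51000, now=300.0))
    print("unsolicited    :", ct.inbound("198.51.100.7", 53, "10.0.0.5", 51000, now=1.0))
```

The lookup key is the whole 4-tuple, so a forged reply from a different address is dropped, but anything that knows or can guess the tuple gets through while the entry is live. That is why DNS resolvers randomize their source ports: the firewall's UDP state is only as unpredictable as the port the client chose.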
---
Network protocols are the foundation of every attack and every defense. When a practitioner cannot distinguish TCP behavior from UDP behavior, they cannot accurately analyze packet captures, write effective firewall rules, or interpret IDS/IPS alerts. They cannot identify whether a scan is a full connect scan (TCP three-way handshake), a SYN scan (half-open), or a UDP scan. This knowledge gap creates blind spots that attackers actively seek.
What Goes Wrong Without It
Organizations that treat port and protocol management as a checkbox exercise rather than an active control consistently experience the same categories of failure. Unrestricted outbound UDP allows DNS tunneling, a technique where attackers encode exfiltration data inside DNS queries and responses. Because DNS is almost universally permitted outbound, data leaves the network in a protocol that most teams do not inspect deeply. Cobalt Strike's DNS beacon and the dnscat2 tool both implement DNS tunneling, and detecting them requires understanding exactly how DNS over UDP behaves normally so that anomalies are recognizable: long, high-entropy subdomains, a flood of unique names under one domain, and unusual record types such as TXT or NULL.
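The following added example (written for this article, not from the page's author, Cobalt Strike or dnscat2) turns those anomalies into a scorer that runs over a DNS query log. The benign and tunnel-like records are constructed inline; the tunnel names are generated from SHA-256 digests to stand in for encoded data chunks. The registered-domain extraction is a deliberate simplification, noted in the code, and the thresholds are assumptions to tune against your own baseline.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, real hostnames sit well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Production code must use the Public Suffix
    # List, otherwise "co.uk" and similar suffixes are mistaken for domains.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_dns_log(records, min_unique=25, max_avg_len=20.0, max_entropy=3.2):
    """records: iterable of (client_ip, qname, qtype). Returns per-domain features
    and a verdict. A domain is suspicious when it attracts many unique subdomains
    AND those subdomains look like encoded data (long, high-entropy, or TXT/NULL)."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "queries": 0, "txt_null": 0, "clients": set()})
    for client, qname, qtype in records:
        dom = registered_domain(qname)
        sub = qname.rstrip(".")[: -len(dom)].rstrip(".")
        d = per_domain[dom]
        d["queries"] += 1
        d["clients"].add(client)
        if sub:
            d["subdomains"].add(sub)
        if qtype in ("TXT", "NULL"):
            d["txt_null"] += 1
    report = {}
    for dom, d in per_domain.items():
        subs = d["subdomains"]
        avg_len = sum(len(s.replace(".", "")) for s in subs) / len(subs) if subs else 0.0
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs) if subs else 0.0
        txt_frac = d["txt_null"] / d["queries"]
        suspicious = len(subs) >= min_unique and (
            avg_len > max_avg_len or avg_ent > max_entropy or txt_frac > 0.5)
        report[dom] = {"unique_subdomains": len(subs), "avg_label_len": round(avg_len, 1),
                       "avg_entropy": round(avg_ent, 2), "txt_null_fraction": round(txt_frac, 2),
                       "clients": len(d["clients"]), "suspicious": suspicious}
    return report


# Constructed log: ordinary lookups from one workstation, and a tunnel-like stream
# of 40 unique TXT queries whose labels carry hex "chunks" under badexample.net.
BENIGN = [("10.0.0.5", "%s.example.com" % h, "A") for h in ("www", "mail", "api", "cdn") for _ in range(10)]
TUNNEL = []
for i in range(40):
    h = hashlib.sha256(("chunk-%d" % i).encode()).hexdigest()
    TUNNEL.append(("10.0.0.23", "%s.%s.t.badexample.net" % (h[:32], h[32:]), "TXT"))

if __name__ == "__main__":
    for dom, row in analyse_dns_log(BENIGN + TUNNEL).items():
        print(dom, row)
```

Each feature alone produces false positives (CDNs and anti-spam services legitimately use long, random-looking labels), which is why the verdict requires volume of unique names together with at least one content signal, and why the client count is reported: one host generating the whole stream is a much stronger indicator than many.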
Unrestricted inbound UDP enables amplification attacks and allows SNMP (port 161) to expose device configurations if not filtered at the perimeter. TCP mismanagement leads to exposed management interfaces: RDP on port 3389, SSH on port 22, and database ports like 1433 (MSSQL) and 3306 (MySQL) exposed to the internet are among the most commonly exploited entry points in breach investigations.
Real-World Consequence
The 2016 Mirai botnet attacks demonstrated the consequence of neglecting UDP-based protocols at scale. Mirai compromised IoT devices and directed them to flood targets using several attack modules, the UDP and DNS query floods among them, alongside TCP SYN/ACK and GRE floods. The attack against Dyn, a major DNS provider, disrupted services for Amazon, Netflix, Twitter, Reddit, and dozens of other platforms for much of October 21, 2016. The attack succeeded partly because UDP's connectionless nature makes volumetric floods trivially simple to generate and difficult to filter without impacting legitimate traffic.
Common Misconception
A persistent misconception is that closing a port eliminates risk associated with that service. Port numbers are advisory, not enforced. An attacker who controls both endpoints can run any service on any port. Blocking port 80 does not prevent HTTP if an attacker runs their command-and-control server on port 8080 or 443. Protocol filtering at the port level must be paired with application-layer inspection to be effective.
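Application-layer inspection starts with refusing to trust the port. This added example (written for this article, not from the page's author or any inspection product) classifies the first bytes a client sends by content alone, then compares the result with what the destination port is supposed to carry, so SSH on 443 is blocked and HTTP on 8080 is at least surfaced for review. The sample payloads are constructed; the ClientHello is a truncated prefix with only the fields the check reads.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")


def identify_client_payload(data: bytes) -> str:
    """Classify the first bytes a client sends, ignoring the port entirely."""
    # TLS: record type 0x16 (handshake), legacy record version 0x03 0x0x, and
    # handshake type 0x01 (ClientHello) immediately after the 2-byte record length.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0]
        if request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
            return "http-request"
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh-identification"
    return "unknown"


# Assumed policy for the example: what each permitted port is allowed to carry.
EXPECTED = {80: {"http-request"}, 443: {"tls-client-hello"}, 22: {"ssh-identification"}}


def check_flow(dport: int, first_payload: bytes):
    """Return (verdict, label). Ports with no expectation are not silently allowed."""
    label = identify_client_payload(first_payload)
    if dport not in EXPECTED:
        return ("review", label)
    return ("allow" if label in EXPECTED[dport] else "block", label)


# Constructed samples.
CLIENT_HELLO = bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
OPAQUE = b"\x17\x03\x03\x00\x20" + b"\x42" * 32     # TLS application data with no handshake first

if __name__ == "__main__":
    for port, payload in ((443, SSH_BANNER), (8080, HTTP_GET), (443, CLIENT_HELLO), (80, OPAQUE)):
        print(port, check_flow(port, payload))
```

The limits are as instructive as the hits: the check sees only the first client message, so a command-and-control channel that speaks genuine TLS on 443 is classified exactly like a browser. Distinguishing those requires the next layer up (SNI, certificate and JA3-style fingerprinting, or TLS termination), which is the point of the section: port filtering is where inspection begins, not where it ends.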
---
CDA approaches ports and protocols through the Systematic Posture and Hygiene (SPH) domain of the Planetary Defense Model. SPH recognizes that hygiene failures, including uncontrolled open ports, default-enabled services, and undocumented protocol flows, are not minor oversights. They are the gaps through which the majority of successful intrusions begin.
Under the Autonomous Posture Command (APC) methodology, the governing principle is direct: "Your posture adapts. Your hygiene never sleeps." In practice, this means that port and protocol management is not a quarterly audit activity. It is a continuous operational function. APC operationalizes this through three interconnected requirements.
First, inventory completeness. Every port and protocol permitted on every network segment must be documented, attributed to a business or technical function, and owned by a named team. Ports that cannot be attributed are treated as unauthorized and closed by default.
Second, automated posture detection. Rather than relying on manual review, APC-aligned environments use continuous scanning (internal and external) to detect deviations from the approved port baseline. When a new port appears on a host, an alert fires immediately. This is not a monthly vulnerability scan finding; it is a real-time posture signal.
Third, protocol-aware filtering. SPH distinguishes between port filtering and protocol filtering. A firewall rule permitting UDP port 53 outbound is not the same as a rule that inspects DNS content for tunneling indicators. APC methodology requires that high-risk protocols, specifically DNS, ICMP, and HTTP/HTTPS, receive application-layer inspection rather than pass-through port filtering.
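The inventory and continuous-scanning requirements above reduce to one mechanical operation: diff what a scan observes against what is documented and owned. This added example (written for this article; it is not CDA's tooling or part of the APC framework) parses constructed lines in nmap's grepable (-oG) output format, compares them with an assumed baseline that records an owner for every approved port, and raises alerts for ports nobody has claimed as well as approved services that have disappeared. The UDP entries show the state nmap actually reports for UDP, open|filtered, because a port that returns nothing cannot be told apart from a filtered one.

```python
# Constructed nmap -oG style lines (not real scan output).
SCAN_LINES = [
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (997)",
    "Host: 10.0.0.7 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (998)",
]

# Assumed approved baseline: host -> {(proto, port): owning team}. Every entry
# must have an owner; an unowned entry would be an inventory defect in itself.
BASELINE = {
    "10.0.0.5": {("tcp", 22): "platform-team", ("tcp", 443): "web-team"},
    "10.0.0.7": {("udp", 53): "infra-dns"},
}


def parse_grepable(lines):
    """Yield (host, proto, port, state) for every open or open|filtered port.
    Grepable format: tab-separated fields; each port entry is
    port/state/proto/owner/service/rpc/version/."""
    for line in lines:
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                port, state, proto = entry.split("/")[:3]
                if state in ("open", "open|filtered"):
                    yield host, proto, int(port), state


def diff_against_baseline(lines, baseline):
    """Return sorted alerts: unattributed (seen, not approved) and missing (approved, not seen)."""
    seen = {}
    for host, proto, port, state in parse_grepable(lines):
        seen.setdefault(host, {})[(proto, port)] = state
    alerts = []
    for host, ports in seen.items():
        approved = baseline.get(host, {})
        for (proto, port), state in ports.items():
            if (proto, port) not in approved:
                alerts.append((host, proto, port, "unattributed", state))
    for host, approved in baseline.items():
        for (proto, port), owner in approved.items():
            if (proto, port) not in seen.get(host, {}):
                alerts.append((host, proto, port, "missing", owner))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in diff_against_baseline(SCAN_LINES, BASELINE):
        print(alert)
```

Two operational notes. First, the UDP result is only a signal: open|filtered on 161 warrants a follow-up probe with an SNMP request, not an automatic close. Second, the "missing" alerts are the half most teams skip, yet an approved service that has vanished from a scan is either an outage or a host that was quietly rebuilt outside the process, and both belong in the same queue.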
What CDA does differently is treat protocol knowledge as a prerequisite for posture work, not an advanced specialization. Practitioners working in SPH-aligned programs are expected to understand TCP state machines and UDP datagram behavior as foundational literacy, because without it, posture decisions are made on incomplete information. The APC framework does not permit "close enough" on hygiene.
---
Written by CDA Wiki Team