Discovering SCTP and UDPLITE services
In recent days we’ve added full SCTP and UDPLITE scanning to scarlet, and clients are already finding exposed services that they didn’t know they had.
The journey to get the technology working has been an interesting one, though. Although the standards for both SCTP [1] and UDPLITE [2] are not particularly new, support in many security tools is disabled by default or a little patchy, as is support across the different cloud vendors.
That is a bit worrying, as newer technologies (such as streaming voice and video over datagrams) are leaning toward these protocols because of the efficiencies they offer over the more familiar TCP and UDP approaches.
As examples of potential issues: both protocols implement the concept of ports, just like TCP and UDP, but most cloud platforms' native security groups can only blanket-allow or block the whole protocol, with no granularity as to which ports are enabled. Additionally, for UDPLITE in particular, the cloud NAT isn't always protocol-aware, so it breaks the packets' checksums when it remaps addresses between private and public space. As a result, you may also find implementations in the field where engineers have disabled checksums just to get things working.
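To make the NAT problem concrete, here is an added illustration written for this post (it is not scarlet's code, nor any cloud vendor's). It builds a UDP-Lite datagram whose checksum covers the IPv4 pseudo-header plus the first Checksum Coverage bytes, then shows that a NAT which remaps the private source address without recomputing leaves the receiver with a bad checksum, while a protocol-aware NAT keeps it valid. Addresses, ports and the payload are constructed sample values.

```python
import ipaddress
import struct

UDPLITE_PROTO = 136  # IP protocol number for UDP-Lite (RFC 3828)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits (not inverted)."""
    data += b"\x00" * (len(data) % 2)  # odd length: pad the last word with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, length: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero byte, protocol number, full datagram length.
    packed = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return packed + struct.pack("!BBH", 0, UDPLITE_PROTO, length)

def covered_bytes(datagram: bytes) -> bytes:
    # Checksum Coverage field (bytes 4-5); 0 means the whole datagram is covered.
    cov = struct.unpack("!H", datagram[4:6])[0]
    return datagram if cov == 0 else datagram[:cov]

def build_udplite(src_ip, dst_ip, sport, dport, coverage, payload) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, coverage, 0)  # checksum field zeroed
    dg = hdr + payload
    csum = 0xFFFF - inet_checksum(pseudo_header(src_ip, dst_ip, len(dg)) + covered_bytes(dg))
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload  # zero is sent as all ones

def verify_udplite(src_ip, dst_ip, datagram) -> bool:
    # Sum over pseudo-header plus covered bytes (checksum included) must be all ones.
    return inet_checksum(pseudo_header(src_ip, dst_ip, len(datagram)) + covered_bytes(datagram)) == 0xFFFF

def nat_recompute(datagram, new_src, dst_ip) -> bytes:
    # What a protocol-aware NAT does: rebuild the checksum for the remapped source address.
    sport, dport, cov = struct.unpack("!HHH", datagram[:6])
    return build_udplite(new_src, dst_ip, sport, dport, cov, datagram[8:])

def demo() -> dict:
    private, public, server = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    dg = build_udplite(private, server, 5004, 5004, 12, b"constructed media frame")  # header + 4 bytes
    naive = dg  # a NAT that is not UDP-Lite-aware forwards the datagram unchanged after remapping
    aware = nat_recompute(dg, public, server)
    tail_hit = aware[:-1] + bytes([aware[-1] ^ 0xFF])  # damage beyond the coverage
    head_hit = aware[:9] + bytes([aware[9] ^ 0xFF]) + aware[10:]  # damage inside the coverage
    return {"original": verify_udplite(private, server, dg),
            "naive_nat": verify_udplite(public, server, naive),
            "aware_nat": verify_udplite(public, server, aware),
            "tail_damage": verify_udplite(public, server, tail_hit),
            "head_damage": verify_udplite(public, server, head_hit)}
```

The ports sit inside the minimum coverage of 8 bytes, so a NAT that rewrites the source port without recomputing fails the same way; the tail-damage case shows why partial coverage is attractive for media traffic.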
Anyway, if you are looking to get your attack surface under control, you know where to come.