UDP packets enigma

Pees290Pees290 Junior MemberRegistered Users Posts: 2 ■□□□□□□□□□
Hi all,

Maybe someone would be so kind and enlighten me a bit.
What's the mechanism that allows to pass the UDP packets from internet through the router to local computer without port redirecting ?
I am thinking now about those online games, that are using UDP packets to synchronise game action.
For example Team Fortress 2, it gets UDP packages from the game engine server, and there is no port redirected on the router.
Also the UDP is a connectonless protocol, so there is no session that could be initialized from the computer inside the network.
My knowledge about insights of a router algorithms is pretty poor, but I am wondering about the security issues here.
I would appreciate any info about it.



  • docricedocrice Random Member Member Posts: 1,706 ■■■■■■■■■■
    UDP has less traffic overhead due to the header being only 8 bytes (versus TCP's 20+ bytes) and lack of reliability / transport-layer session maintenance built into the protocol. It's a fire-and-forget system, although at the app layer there may be retry timers and the like. This does make it prone / easier to perform interception or spoofing of the communication if you're concerned with the security aspects of it.

    I'm a little unsure why you would think that port redirection is required in general. TCP traffic doesn't get port redirected between router hops either (unless there's an intentional configuration on a firewall or router to perform port redirection).
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Pees290Pees290 Junior Member Registered Users Posts: 2 ■□□□□□□□□□
    If I want to connect to TCP listening socket on some computer behind a router, I have to redirect ports.
    This way the incoming connection goes to correct computer.
    Port redirections is also for UDP ports, if I have listening sockets on a computer in my local network.
    However the game engine server somehow sends UDP packets to my computer and those packets go through the router without port redirection.
    My question is how those packets go through the router, and how the router determines to which computer to send this packet ?

  • YFZbluYFZblu Senior Member Member Posts: 1,462 ■■■■■■■■□□
    I may be off base here, but I think what you're looking for is Stateful Packet Inspection. First we need to start off by saying with modern routers, connections initiated from the outside and going to the inside of your private network are generally denied. There are exceptions, but let's stick with that basic definition for now.

    When you send packets out onto the internet, your router basically remembers all of the details of your packet - Source/Dest IP addresses, source/dest port numbers, etc. This information is stored in a stateful database. Additionally, the router dyanmically anticipates what the return traffic will look like. It will essentially be looking for return traffic that is a mirror image of the outgoing traffic you sent earlier. If the gaming server replies, and that return traffic matches what your router is looking for, the router will allow the traffic and forward it out the interface attached to your computer; because it has been keeping track of your connection to the gaming server all along, with the help of NAT.

    But the traffic being UDP or TCP does not affect this process. I believe the only reason your gaming server would be using UDP is because real-time communications would not benefit from the error-recovery TCP provides, and like docrice said it features less overhead as a result. Also, I don't perform port forwarding at home, but my understanding is port forwarding is really for when you have initiated a connection from the outside and need to poke a hole in your routers firewall to allow that traffic to a specific computer. But when going in-to-out, and requiring a response, stateful packet inspection does the work for you.

    In short, there are two things making this happen: Stateful Packet Inspection, and NAT.
Sign In or Register to comment.