The purpose of this article is to provide guidance on how to reduce the User Datagram Protocol (UDP) amplification attack surface of services hosted in Azure. This article includes the following information:
- Overview of UDP and UDP amplification attacks.
- How to configure an Azure Network Security Group (NSG) for least privilege internet access for ports and protocols.
- How to configure services to remove the UDP amplification attack surface if a port must stay open for recursive Domain Name System (DNS) or Network Time Protocol (NTP) servers.
- How to run an Nmap scan for verification of the NSG configuration.
Users should follow the guidance in this article to block unneeded inbound UDP traffic and so reduce the attack surface.
User Datagram Protocol (UDP) is a connectionless protocol: a service answers whatever datagram arrives, with no handshake that would prove the source address is genuine. When inbound UDP is allowed to your Azure cloud services, it creates an attack surface that can be used for distributed reflective denial-of-service (DRDoS) attacks: an attacker sends requests with a forged source address to the exposed service on your virtual machine (VM), and the VM sends its replies to the forged address, which belongs to the real victim. A UDP-based amplification attack is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP services and their bandwidth amplification factors (BAFs, the ratio of reply size to request size) to overwhelm a victim's system with UDP traffic. Your VMs can be abused as reflectors against someone else, and can themselves be the target of such traffic.
Note: By default, the rules that an NSG is created with deny all inbound traffic from the internet, including UDP; only traffic from the virtual network and the Azure load balancer is allowed. Azure also provides DDoS protection at the platform level, and users can add DDoS protection at their own service layer.
To learn more about this kind of attack, see https://www.us-cert.gov/ncas/alerts/TA14-017A.
The following ports are commonly abused in UDP reflection attacks: 17 (QOTD), 19 (CharGEN), 53 (DNS), 69 (TFTP), 123 (NTP), 161 (SNMP), 389 (CLDAP), 1900 (SSDP), 9987 (DSM/SCM Target Interface), and 11211 (Memcached). Users should assess whether they must expose any of these ports to the internet, and then close all UDP ports that are not absolutely necessary. In particular, users who must accept inbound UDP on port 53 (DNS) or port 123 (NTP) should remove the following vulnerable configurations (covered later in this article), because these two services are used extensively in this type of attack:
- Recursive DNS open to the public internet
- NTP with unrestricted queries and the monlist command enabled
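The two vulnerable configurations above can be checked before a server is exposed. The following script is an added example, not part of the original article: it inspects BIND named.conf and ntpd ntp.conf text for the weak settings, with a constructed weak and hardened sample of each. The directive semantics it relies on are assumptions taken from the BIND 9 and ntpd documentation rather than from this article: BIND falls back from allow-recursion to allow-query-cache and then to allow-query when the earlier options are unset, and ntpd answers monlist unless monitoring is disabled or the default restriction carries noquery (or ignore). Only top-level options are parsed, not per-view or per-zone settings.

```python
"""Check BIND and ntpd configuration text for the open-recursion and
open-monlist settings named in the article.

Added example, not from the original article. The sample configurations are
constructed; the parsing rules are assumptions about named.conf and ntp.conf
syntax and defaults (global options only, no views or zones).
"""
import re

# Constructed samples. The weak BIND config never sets allow-recursion, so BIND 9
# falls back to allow-query { any; } and becomes an open resolver.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""
HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;            // still a resolver for our own networks
    allow-query { any; };     /* authoritative answers stay public */
    allow-recursion { localhost; localnets; };
};
"""
# The weak ntp.conf restricts nothing that matters for mode 6/7 queries.
WEAK_NTP_CONF = "server 0.pool.ntp.org iburst\nrestrict default nomodify notrap\n"
HARDENED_NTP_CONF = (
    "server 0.pool.ntp.org iburst\n"
    "disable monitor   # no monlist data at all\n"
    "restrict default kod nomodify notrap nopeer noquery\n"
)

OPEN_TO_ALL = {"any", "0.0.0.0/0", "::/0"}


def _strip_comments(text):
    """Drop /* */ blocks and anything after // or # (BIND and ntpd comment styles).
    Assumption: those characters do not occur inside quoted strings we care about."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in text.splitlines())


def _acl(text, name):
    """Entries of a top-level `name { a; b; };` option, or None if it is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", text)
    if m is None:
        return None
    return {e.strip() for e in m.group(1).split(";") if e.strip()}


def bind_open_recursion(named_conf):
    """True when named.conf would answer recursive queries from any client."""
    text = _strip_comments(named_conf)
    if re.search(r"\brecursion\s+no\s*;", text):
        return False
    # BIND 9 fallback order when allow-recursion is unset (assumption from the ARM):
    # allow-query-cache, then allow-query, then the default localnets; localhost;
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        entries = _acl(text, name)
        if entries is not None:
            return bool(entries & OPEN_TO_ALL)
    return False


def ntp_monlist_exposed(ntp_conf):
    """True when ntpd would answer monlist (mode 7) queries from arbitrary clients."""
    text = _strip_comments(ntp_conf)
    if re.search(r"^\s*disable\s+monitor\b", text, re.M):
        return False
    # Every `restrict default` line (IPv4, IPv6 or both) must refuse queries;
    # with no default restriction at all, ntpd permits everything.
    default_lines = re.findall(r"^\s*restrict\s+(?:-[46]\s+)?default\b(.*)$", text, re.M)
    if not default_lines:
        return True
    return any(not ({"noquery", "ignore"} & set(flags.split())) for flags in default_lines)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(f"named.conf ({label}): open recursion = {bind_open_recursion(conf)}")
    for label, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(f"ntp.conf ({label}): monlist exposed = {ntp_monlist_exposed(conf)}")
```

A configuration that passes these checks still needs the NSG to limit who can reach the port at all; the check only confirms that the service itself will not act as a reflector for the whole internet.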
The following steps help mitigate UDP amplification attacks:
- Evaluate which services have to be exposed to the internet, determine which inbound UDP ports are absolutely necessary for those services to operate correctly, and close all non-essential UDP ports.
Users who must keep UDP ports open can refer to the sections of this article on NTP and DNS listening on UDP ports for service-specific recommendations. For all other ports, follow the UDP Ports to close section.
Check for open UDP ports to the internet
Users should verify that inbound UDP connections are disallowed by reviewing their NSG rules, following the guidance in How to Manage NSGs. Users can also run an external Nmap scan to verify that the UDP ports are actually closed.
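Reviewing NSG rules by eye is error-prone once there are more than a handful, because the rule that applies is the first match in priority order, and an "allow any from any" rule at a low priority number can reopen a port that a later rule appears to close. The following script is an added example, not part of the original article or of the Azure CLI: it evaluates a rule list the way an NSG does and reports which of the amplification ports from this article the internet can reach over UDP. The rule set is constructed in the shape printed by az network nsg rule list with --include-default, so you can point it at that command's JSON output (only the listed fields are used, and the NSG is assumed to apply to all destination addresses of the VM).

```python
"""Audit an Azure NSG rule list for inbound UDP that the internet can reach
on the amplification ports named in the article.

Added example, not from the original article. SAMPLE_RULES is constructed in
the shape that `az network nsg rule list -g <rg> --nsg-name <nsg>
--include-default -o json` prints (subset of fields). Evaluation follows NSG
semantics: rules are tried from the lowest priority number upward, the first
match decides, and the default rules end with DenyAllInBound at 65500.
"""
import json

# Ports from the article's list of commonly abused UDP services.
AMPLIFICATION_PORTS = {
    17: "QOTD", 19: "CharGEN", 53: "DNS", 69: "TFTP", 123: "NTP", 161: "SNMP",
    389: "CLDAP", 1900: "SSDP", 9987: "DSM/SCM Target Interface", 11211: "Memcached",
}

# Source prefixes that mean "any host on the public internet". A rule scoped to a
# narrower public prefix (say, an office range) is deliberately not treated as
# internet-wide here and should be reviewed separately.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def _rule(name, priority, access, protocol, source, port_range=None, port_ranges=()):
    """Build one inbound rule with the field names the CLI uses."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "sourceAddressPrefixes": [],
            "destinationPortRange": port_range, "destinationPortRanges": list(port_ranges)}


# Constructed sample: a mixed custom rule set plus the three default inbound rules.
SAMPLE_RULES = [
    _rule("allow-dns", 100, "Allow", "Udp", "Internet", "53"),
    _rule("deny-ntp-internet", 110, "Deny", "*", "*", "123"),
    _rule("allow-ntp-vnet", 120, "Allow", "Udp", "VirtualNetwork", "123"),
    _rule("allow-mgmt-any", 300, "Allow", "*", "*", None, ["161-162", "11211"]),
    _rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def port_in_spec(port, spec):
    """True if `port` falls within an NSG port spec: '*', '53' or '1000-2000'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]


def rule_sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]


def matches_internet_udp(rule, port):
    """Would this rule match a UDP datagram from an arbitrary internet host to `port`?"""
    return (rule["direction"] == "Inbound"
            and rule["protocol"] in ("Udp", "*")
            and any(src in INTERNET_SOURCES for src in rule_sources(rule))
            and any(port_in_spec(port, spec) for spec in rule_ports(rule)))


def effective_action(rules, port):
    """(access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if matches_internet_udp(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "(no rule matched)"  # only reachable if default rules were omitted


def audit(rules, ports=AMPLIFICATION_PORTS):
    """Map each amplification port the internet can reach to the rule that allows it."""
    return {port: name for port in sorted(ports)
            for access, name in [effective_action(rules, port)] if access == "Allow"}


def audit_json(text):
    """Same check on the raw JSON text printed by the CLI."""
    return audit(json.loads(text))


if __name__ == "__main__":
    import sys
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    for port, name in audit(rules).items():
        print(f"udp/{port} ({AMPLIFICATION_PORTS[port]}) is open to the internet via rule {name}")
```

In the sample, port 123 is correctly closed because the deny rule at priority 110 is matched before the VirtualNetwork-only allow, but the broad "allow-mgmt-any" rule at priority 300 exposes SNMP and Memcached even though no rule names them individually; that is the pattern the audit is meant to catch.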
Steps to complete an Nmap scan
Users should scan only their own IP address ranges, so that other users are not affected, in keeping with the Penetration Testing Rules of Engagement, and so that the scan complies with the Microsoft Online Service Terms.
Examples of Nmap scans
If you plan to automate the scanning process by using the commands in these examples, be aware that UDP scans can take a long time to run. UDP is connectionless, so the scanner can only send a probe and wait: an open service may answer, a closed port usually returns an ICMP port-unreachable message (which many hosts rate-limit), and a port that the NSG blocks returns nothing at all, so the scanner must retransmit before it can classify the port. Ports that never respond are reported as open|filtered rather than closed. For best performance, run a separate scan for each port.
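The point that matters when reading the results is that a UDP port reported as closed is still reachable through the NSG (the VM itself answered with ICMP port-unreachable), while a port the NSG blocks shows up as open|filtered. The following script is an added example, not one of the article's own commands: it builds a single-port Nmap UDP scan, parses the XML report, and states what each port state implies about the NSG. The target address 203.0.113.10 is a documentation address used as a placeholder, and SAMPLE_XML is a constructed report in Nmap's XML shape so the parser can run without scanning anything.

```python
"""Per-port Nmap UDP scan of your own Azure address, with the result
interpreted in NSG terms.

Added example, not from the original article. 203.0.113.10 is a placeholder
address and SAMPLE_XML is a constructed report in nmap's -oX shape.
"""
import subprocess
import xml.etree.ElementTree as ET


def build_scan_command(target, port):
    """One UDP port per nmap run, as the article recommends.
    -Pn: skip ping-based host discovery (Azure VMs often do not answer it).
    --reason: record why nmap chose each state.
    -oX -: print the XML report on stdout for parsing."""
    return ["nmap", "-sU", "-Pn", "--reason", "-p", f"U:{port}", "-oX", "-", target]


def parse_nmap_xml(xml_text):
    """Map each scanned UDP port to (state, reason)."""
    results = {}
    for port in ET.fromstring(xml_text).iter("port"):
        if port.get("protocol") != "udp":
            continue
        state = port.find("state")
        results[int(port.get("portid"))] = (state.get("state"), state.get("reason"))
    return results


VERDICTS = {
    "open": "reachable from the internet: the service answered the probe",
    "closed": ("reachable from the internet: the VM replied with ICMP port-unreachable, "
               "so the NSG passes this port; close it in the NSG even though nothing listens today"),
    "open|filtered": ("no reply: the NSG (or a host firewall) dropped the probe, or the service "
                      "ignores unsolicited datagrams; run a service-specific probe before "
                      "concluding it is closed"),
    "filtered": ("a device on the path sent ICMP admin-prohibited; an NSG deny drops silently, "
                 "so look for a host firewall or an appliance"),
}


def verdict(state):
    """What a UDP port state tells you about the NSG in front of the VM."""
    return VERDICTS.get(state, "unrecognised state")


def scan(target, port):
    """Run nmap (raw sockets are needed, so prefix with sudo on Linux) and parse the report."""
    proc = subprocess.run(build_scan_command(target, port), capture_output=True, text=True, check=True)
    return parse_nmap_xml(proc.stdout)


# Constructed report: DNS answered, NTP gave no reply, SNMP drew ICMP port-unreachable.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -Pn --reason -p U:53,123,161 -oX - 203.0.113.10">
<host><status state="up" reason="user-set"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="53"><state state="open" reason="udp-response" reason_ttl="52"/><service name="domain" method="table" conf="3"/></port>
<port protocol="udp" portid="123"><state state="open|filtered" reason="no-response" reason_ttl="0"/><service name="ntp" method="table" conf="3"/></port>
<port protocol="udp" portid="161"><state state="closed" reason="port-unreach" reason_ttl="52"/><service name="snmp" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


if __name__ == "__main__":
    import sys
    # With a target and port on the command line the script scans for real;
    # otherwise it interprets the constructed sample.
    results = scan(sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else parse_nmap_xml(SAMPLE_XML)
    for port, (state, reason) in sorted(results.items()):
        print(f"udp/{port}: {state} ({reason}) -> {verdict(state)}")
```

In the sample, only udp/123 looks the way a port behind a correctly configured NSG should look; udp/161 is the case that is easy to misread, because "closed" sounds safe but means the datagram reached the VM.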
Additionally, run the following scripts to check whether the services on ports 53, 123, and 389 are misconfigured.
For Linux users, each command must be preceded by sudo, because a UDP scan needs raw socket access.