How to disable inbound UDP for Azure services

Applies to: Virtual Network

Introduction

The purpose of this article is to provide guidance on how to reduce the User Datagram Protocol (UDP) amplification attack surface. This article includes the following information:

  • Overview of UDP and UDP amplification attacks.
  • How to configure an Azure Network Security Group (NSG) for least privilege internet access for ports and protocols.
  • How to configure services to remove the UDP amplification attack surface if the port is required for Recursive Domain Name Service (DNS) or Network Time Protocol (NTP) servers.
  • How to run an Nmap scan for verification of the NSG configuration.

Users should follow the guidance in this article to close inbound UDP connections to reduce the attack surface.

Summary

User Datagram Protocol (UDP) is a connectionless protocol. When UDP is allowed inbound access to your Azure cloud services, it creates an attack surface that can be used for a distributed reflective denial-of-service (DRDoS) attack against virtual machines (VMs). The UDP-based amplification attack is a form of distributed denial-of-service (DDoS) attack that relies on publicly accessible UDP services and bandwidth amplification factors (BAFs) to overwhelm a victim's system with UDP traffic.

Note By default, if you have created an NSG, the configuration closes all ports, including UDP. Additionally, Azure has DDoS protection at the platform level. Therefore, users can also add DDoS protection at their service layer.

To learn more about this kind of attack, see https://www.us-cert.gov/ncas/alerts/TA14-017A.


The following common ports are often used as part of these UDP reflection attacks: 17 (QOTD), 19 (CharGEN), 53 (DNS), 69 (TFTP), 123 (NTP), 161 (SNMP), 389 (CLDAP), 1900 (SSDP), 9987 (DSM/SCM Target Interface), 11211 (Memcached). Users should assess whether they must publicly expose these ports to the internet, and then close all UDP ports that are not absolutely necessary. In particular, users who must allow inbound UDP on port 53 (DNS) or port 123 (NTP) should remove the vulnerable configurations listed in this article, because these two ports are used extensively for this type of attack.

Protocol   UDP port   Vulnerable configuration
DNS        53         Recursive DNS open to the public internet
NTP        123        Open query and monlist commands enabled

Recommended action

The following steps help mitigate the effect of the attack on UDP:

  1. Evaluate which services must be exposed to the internet, determine which inbound UDP ports are absolutely necessary for correct service operation, and close all non-essential UDP ports.
  2. Users who must keep UDP ports open should refer to the sections of this article that cover NTP and DNS listening on UDP ports. For all other ports, follow the UDP Ports to close section.

Check for open UDP ports to the internet

Users should verify that services are configured to disallow inbound UDP connections by reviewing their NSG rules, following the guidance found in How to Manage NSGs. Users can also run an external Nmap scan to verify that UDP ports are closed correctly.
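One way to review the NSG rules for the amplification ports listed above, as an added example that is not part of the article: a Python check that walks the rules in priority order, as the NSG does, and reports which of those ports an Allow rule for UDP (or any protocol) opens to the internet. It assumes rules in the JSON shape that `az network nsg rule list -o json` returns; the sample rules below are constructed.

```python
import json

# Ports the article lists as common UDP reflection/amplification vectors.
AMPLIFICATION_PORTS = {17, 19, 53, 69, 123, 161, 389, 1900, 9987, 11211}
# Source prefixes that admit traffic from the public internet.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

def port_range_set(spec):
    """Expand an NSG destination port spec ('*', '53', '50-130') into a set of ints."""
    if spec == "*":
        return set(range(65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def rule_ports(rule):
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    return set().union(*(port_range_set(s) for s in specs))

def rule_sources(rule):
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return {s.lower() for s in srcs}

def exposed_amplification_ports(rules):
    """Return {port: rule name} for amplification ports an inbound rule allows over UDP
    from the internet. Lowest priority number wins, so an earlier Deny shadows an Allow."""
    exposed, decided = {}, set()
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("Udp", "*"):
            continue
        if not rule_sources(rule) & INTERNET_SOURCES:
            continue  # rule cannot match internet-sourced traffic
        hits = (AMPLIFICATION_PORTS & rule_ports(rule)) - decided
        if rule["access"] == "Allow":
            exposed.update({p: rule["name"] for p in hits})
        decided |= hits
    return exposed

# Constructed sample in the shape `az network nsg rule list -o json` returns.
SAMPLE_RULES = json.loads("""[
 {"name": "deny-dns-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
  "protocol": "Udp", "sourceAddressPrefix": "Internet", "destinationPortRange": "53"},
 {"name": "allow-any-50-130", "priority": 200, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "50-130"},
 {"name": "allow-memcached-vnet", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Udp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "11211"},
 {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")
```

On the sample, port 53 is shadowed by the earlier Deny, port 11211 is only open to the VNet, and ports 69 and 123 are reported because the wildcard-protocol rule at priority 200 covers them; to check a real NSG, feed `exposed_amplification_ports` the parsed output of `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`.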

Steps to complete an Nmap scan

Examples of Nmap scans

Additionally, run the following scripts to check whether the services on ports 53, 123, and 389 are misconfigured.

For Linux users, each command must be preceded by sudo.