Azure VM appears to operate a vulnerable UDP (LDAP) amplification service and participated in a DDoS attack

Question

Hi All,

I have received an email from Microsoft regarding one of the VM's in my Azure test environment:

Azure VM in your subscription appears to operate a vulnerable UDP (LDAP) amplification service and participated in a DDoS attack.

Please consider reconfiguring this server in one or more of these ways:

1. Disable vulnerable UDP amplification ports if not used.
2. Add firewall rules to allow connections from authorized endpoints but block connections from all other hosts.

Can someone please help me understand what ports should be blocked? I had ports 80 and 53 open and have blocked both.

Answer 1

Hi, 

If you are not using UDP ports, try adding a rule to block all UDP ports for security measures. If you are using any specific UDP ports, add a new rule with higher priority to allow those specific ports. 

Regards, 

Msrini

Answer 2

Hi, 

Do you have any update on this issue? 

Please 'Mark as answer' if any of the replies helped, so that others in the community who are looking for similar question, can benefit from it.

Regards, 

Msrini

Answer 3

I received the same email. I'm not sure how to identify if we are using UDP ports at all. What are my steps to troubleshoot or identify what is being communicated in the email based on the 1st posters detail?

Answer 4

It looks like same issue. So, please refer this thread.

Answer 5

Hi, 

Do you have any update on this issue? 

Please 'Mark as answer' if any of the replies helped, so that others in the community who are looking for similar question, can benefit from it.

Regards, 

Subhash

Answer 6

I received the same letter. I did not find any reasonable thread to help, so I reached out to a colleague that is more versed in network administration and system administration. He said the VM should not have been given an external IP and that it's only using LDAP/UDP for active domain services. He recommended wiping the machine an re-creating it since it's already been out in the wild and compromised. We rebuilt it and hardened it properly. I don't know how to harden a windows server in Azure with Active Domain services - but he does!!

Answer 7

Hi James, 

If you want to harden your Infrastructure, as your colleague suggested you can remove the Public IP of the VM which is under risk. 

If you don't want to remove the Public IP address, you can add a rule in NSG to block all Incoming UDP packets. Then you can go ahead and allow UDP port for services like DNS, LDAP with Specific source IP to harden your environment. 

Regards, 

Msrini