Azure VM appears to operate a vulnerable UDP (LDAP) amplification service and participated in a DDoS attack

Question
Hi All,
I have received an email from Microsoft regarding one of the VMs in my Azure test environment:
Azure VM in your subscription appears to operate a vulnerable UDP (LDAP) amplification service and participated in a DDoS attack.
Please consider reconfiguring this server in one or more of these ways:
- Disable vulnerable UDP amplification ports if not used.
- Add firewall rules to allow connections from authorized endpoints but block connections from all other hosts.
Can someone please help me understand what ports should be blocked? I had ports 80 and 53 open and have blocked both.
All replies
Hi,
If you are not using UDP ports, try adding a rule to block all UDP ports as a security measure. If you are using any specific UDP ports, add a new rule with higher priority to allow those specific ports.
Regards,
Msrini
- Proposed as answer by msrini - MSFT (Microsoft employee, Moderator), Monday, May 13, 2019 1:34 PM
I received the same letter. I did not find any reasonable thread to help, so I reached out to a colleague that is more versed in network administration and system administration. He said the VM should not have been given an external IP and that it's only using LDAP/UDP for active domain services. He recommended wiping the machine and re-creating it since it's already been out in the wild and compromised. We rebuilt it and hardened it properly. I don't know how to harden a Windows server in Azure with Active Domain services - but he does!
- Proposed as answer by James D. Bailey, Tuesday, June 25, 2019 3:12 PM
- Edited by James D. Bailey, Tuesday, June 25, 2019 3:13 PM
Hi James,
If you want to harden your infrastructure, as your colleague suggested, you can remove the public IP of the VM that is at risk.
If you don't want to remove the public IP address, you can add a rule in the NSG to block all incoming UDP packets. Then you can go ahead and allow the UDP ports for services like DNS and LDAP from specific source IPs to harden your environment.
Regards,
Msrini
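As an added illustration (not code from this thread or from Microsoft) of the NSG layout Msrini describes, the following Python models how Azure evaluates inbound NSG rules in priority order and checks that a deny-all-UDP rule combined with lower-numbered (higher-priority) allows for LDAP and DNS from one authorized source behaves as intended; the rule names and the 203.0.113.10 client address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lowest number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Udp", "Tcp" or "*"
    source: str        # single IP, CIDR or "*"
    dest_ports: str    # "389", "53,389", "1024-65535" or "*"

def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_match(spec, src_ip):
    return spec == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src_ip, protocol, dest_port):
    """First matching rule in ascending priority order decides. If nothing
    matches, Azure's built-in DenyAllInBound (priority 65500) applies; the
    built-in AllowVNetInBound/AllowAzureLoadBalancerInBound rules are omitted."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and _source_match(r.source, src_ip)
                and _port_match(r.dest_ports, dest_port)):
            return f"{r.access}:{r.name}"
    return "Deny:DenyAllInBound"

# Constructed sample: 203.0.113.10 (documentation range) stands in for the single
# authorized client; the UDP deny sits at a higher number so the allows win.
AUTHORIZED_CLIENT = "203.0.113.10"
RULES = [
    Rule("AllowLdapUdpFromAuthorized", 100, "Allow", "Udp", AUTHORIZED_CLIENT, "389"),
    Rule("AllowDnsUdpFromAuthorized", 110, "Allow", "Udp", AUTHORIZED_CLIENT, "53"),
    Rule("DenyAllUdpInBound", 200, "Deny", "Udp", "*", "*"),
]

if __name__ == "__main__":
    for src in (AUTHORIZED_CLIENT, "198.51.100.7"):   # second is an arbitrary Internet host
        print(src, "-> UDP/389:", evaluate(RULES, src, "Udp", 389))
```

If the deny rule is given a smaller priority number than the allows, it shadows them and the authorized client is blocked too, which is the mistake the "higher priority" wording in the replies is warning against.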