How do I resolve this UDP amplification issue? DDOS?

  • Question

  • I received this email recently from Microsoft. It appears I need to harden something. I'm not a network administrator and need some guidance on what steps to follow in the Azure portal to address this. 

    Would be nice if Microsoft included links, instructions and more details in emails like this...

    ------------------

    An Azure VM in your subscription appears to operate a vulnerable UDP amplification service and participated in a DDoS attack. Please consider reconfiguring this server in one or more of these ways:

    1. Disable vulnerable UDP amplification ports if not used.
    2. Add firewall rules to allow connections from authorized endpoints but block connections from all other hosts.

    You are responsible for addressing complaints from third parties regarding your use of Microsoft Azure, including any use by your end users. The Microsoft Azure Acceptable Use Policy and other agreement terms can be found at http://azure.microsoft.com/en-us/support/legal.

    If you are surprised by this activity on your Microsoft Azure deployment, have additional questions, or believe you have been identified by mistake, please create a support ticket.

    Thank you, Microsoft Azure Safeguards Team

    Cyber Defense Operations Center

    Subscription and Deployment information

    • Subscription ID: redacted
    • VM Azure ID: /subscriptions/redacted
    • IP Address: redacted
    Friday, June 21, 2019 4:48 PM

All replies

  • Hello James,

    In order to avoid UDP amplification DDoS attacks, there should be a block on UDP ports. If you are not aware of the UDP ports, you can check the list here and compare with your NSG rules. If there are any open UDP ports which are not required for now, then you can block them in your NSG.
    Here is a reference doc for you to work with NSG rules.

    You can even set a rule to completely block all UDP traffic with the below rule, but it might affect some of the services in your infrastructure that were using them.

    

    If you think your question has been answered, click "Mark as Answer"; if it just helped, click "Vote as helpful". This can be beneficial to other community members reading this forum thread.
    ________________________________________________________________________________

    Best regards
    Subhash

    Tuesday, June 25, 2019 11:02 AM
    Moderator
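
An added example, not part of the original thread or of Microsoft's tooling: one way to do the comparison suggested in the reply above, checking exported NSG rules for UDP amplification ports reachable from any Internet host, with rules evaluated in priority order so that a higher-priority Deny is respected. Assumptions: the port list is a short set of commonly abused services chosen for this example (the list linked in the reply is not reproduced on this page), the rules are constructed sample data in the shape of `az network nsg rule list -o json`, and Azure's default rules are not modelled.

```python
import json

# Commonly abused UDP reflection/amplification services (assumed list for this example).
AMPLIFIERS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
              389: "CLDAP", 1900: "SSDP", 11211: "memcached"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}  # sources that mean "every Internet host"

def _values(rule, single, plural):
    # NSG rules carry either one value or a list; merge both forms.
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(port_range, port):
    lo, _, hi = port_range.partition("-")
    return port_range == "*" or int(lo) <= port <= int(hi or lo)

def _matches(rule, port):
    """True if the rule applies to inbound UDP from any Internet host to `port`."""
    return (rule["direction"].lower() == "inbound"
            and rule["protocol"].lower() in ("udp", "*")
            and any(s.lower() in ANY_SOURCE
                    for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
            and any(_covers(r, port)
                    for r in _values(rule, "destinationPortRange", "destinationPortRanges")))

def exposed_amplifiers(rules):
    """Return {port: (service, rule name)} where the first matching rule is Allow."""
    ordered = sorted(rules, key=lambda r: r["priority"])  # lowest number is evaluated first
    findings = {}
    for port, service in AMPLIFIERS.items():
        first = next((r for r in ordered if _matches(r, port)), None)
        if first and first["access"].lower() == "allow":
            findings[port] = (service, first["name"])
    return findings

# Constructed sample rules (not taken from the thread).
SAMPLE_RULES = json.loads("""[
 {"name":"allow-ntp","priority":200,"direction":"Inbound","access":"Allow","protocol":"Udp",
  "sourceAddressPrefix":"*","destinationPortRange":"123"},
 {"name":"deny-dns","priority":100,"direction":"Inbound","access":"Deny","protocol":"*",
  "sourceAddressPrefix":"Internet","destinationPortRange":"53"},
 {"name":"allow-all-udp","priority":300,"direction":"Inbound","access":"Allow","protocol":"Udp",
  "sourceAddressPrefix":"0.0.0.0/0","destinationPortRanges":["1-1024","11211"]},
 {"name":"office-snmp","priority":150,"direction":"Inbound","access":"Allow","protocol":"Udp",
  "sourceAddressPrefix":"203.0.113.0/24","destinationPortRange":"161"}
]""")

if __name__ == "__main__":
    for port, (svc, name) in sorted(exposed_amplifiers(SAMPLE_RULES).items()):
        print(f"UDP/{port} ({svc}) open to the Internet via rule '{name}'")
```

In the sample, SNMP is flagged even though `office-snmp` restricts it to one network, because the broader `allow-all-udp` rule also covers port 161 for every source.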