Detections
Analytics

7.3 Ensure that UDP access from the Internet is evaluated and restricted

Information

Network security groups should be periodically evaluated for port misconfigurations. Where UDP is not explicitly required and narrowly configured for resources attached to a network security group, Internet-level access to Azure resources should be restricted or eliminated.

The potential security problem with broadly exposing UDP services over the Internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks exploit exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification sources to disrupt services on other machines within the Azure Virtual Network, or even attack networked devices outside of Azure.

Solution

Remediate from Azure Portal

 - Go to Network security groups.
 - Click the name of a network security group.
 - Under Settings, click Inbound security rules.
 - Check the box next to any inbound security rule matching:
 - Port: Port: 53, 123, 161, 389, or 1900, or range including 53, 123, 161, 389, or 1900, or other vulnerable UDP-based services
 - Protocol: UDP or Any
 - Source: 0.0.0.0/0, Internet, or Any
 - Action: Allow

 - Click Delete.
 - Click Yes.
 - Repeat steps 1-6 for each network security group requiring remediation.

Remediate from Azure CLI

For each network security group rule requiring remediation, run the following command to delete the rule:

az network nsg rule delete --resource-group <resource-group> --nsg-name <network-security-group> --name <rule>

See Also

https://workbench.cisecurity.org/benchmarks/21611

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|9.2

Plugin: microsoft_azure

Control ID: 36b9ec83405d44c9133ffeb3e718e51645e97db0c0f9f7b2b6b8a3a1c63b80c1