UDP Internet access is not restricted

ID

udp_access_restricted

Severity

high

Vendor

Azure

Resource

Networking

Tags

reachable

Description

UDP Internet access should be restricted.

An exposed UDP port exposes you to potential participation in a reflective DDoS attack.

In short, an attacker sends a packet with a forged source address (the target of the attack) that your UDP port then responds to. The attacker does this against thousands of exposed UDP ports across the globe, all of which send large responses to the forged source, resulting in a packet flood at that forged source.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "bad", (1)
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "location": "[resourceGroup().location]",
      "apiVersion": "2019-11-01",
      "properties": {
        "protocol": "udp",
        "destinationPortRange": "443",
        "sourceAddressPrefix": "*",
        "access": "Allow",
        "direction": "Inbound"
      }
    }
  ]
}
(1) is a resource that does not restrict UDP Internet access.

Terraform

resource "azurerm_network_security_rule" "udp" {
  name                       = "udp-open"
  priority                   = 100
  direction                  = "Inbound"
  access                     = "Allow"
  protocol                   = "Udp"
  source_port_range          = "*"
  destination_port_range     = "*"
  source_address_prefix      = "*"
  destination_address_prefix = "*"
}
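The condition this rule flags, worked through as an added example (not the page's own check implementation): an inbound Allow rule whose protocol is UDP, or `*` which also matches UDP, with a source prefix that means the whole Internet. The set of "Internet" prefixes and the nested-rule handling are assumptions, and the template below is constructed to mirror the page's bad and good examples.

```python
# Source prefixes treated as "anywhere on the Internet" (assumption: the set a
# checker would reasonably use; "Internet" is an Azure service tag).
INTERNET_PREFIXES = {"*", "0.0.0.0/0", "::/0", "0.0.0.0", "internet", "any"}


def rule_is_open_udp(props: dict) -> bool:
    """True when one securityRules 'properties' block allows inbound UDP from
    the whole Internet, i.e. the condition udp_access_restricted reports."""
    if props.get("direction", "").lower() != "inbound":
        return False
    if props.get("access", "").lower() != "allow":
        return False
    # Protocol '*' matches every protocol, so it covers UDP as well.
    if props.get("protocol", "").lower() not in ("udp", "*"):
        return False
    # ARM allows a single prefix or a list; check both fields.
    prefixes = [props.get("sourceAddressPrefix")]
    prefixes += list(props.get("sourceAddressPrefixes", []))
    return any(p and p.lower() in INTERNET_PREFIXES for p in prefixes)


def find_open_udp_rules(template: dict) -> list:
    """Return names of offending rules in an ARM template, covering standalone
    securityRules resources and rules nested inside a networkSecurityGroup."""
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        if rtype == "Microsoft.Network/networkSecurityGroups/securityRules":
            if rule_is_open_udp(res.get("properties", {})):
                findings.append(res.get("name"))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in res.get("properties", {}).get("securityRules", []):
                if rule_is_open_udp(rule.get("properties", {})):
                    findings.append(f"{res.get('name')}/{rule.get('name')}")
    return findings


# Constructed template: "bad" mirrors the failing example above, "good" the
# fixed one, and "nsg/any-proto" shows a nested rule with protocol "*".
SAMPLE_TEMPLATE = {"resources": [
    {"name": "bad", "type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "properties": {"protocol": "udp", "destinationPortRange": "443",
                    "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}},
    {"name": "good", "type": "Microsoft.Network/networkSecurityGroups/securityRules",
     "properties": {"protocol": "udp", "destinationPortRange": "443",
                    "sourceAddressPrefix": "GatewayManager", "access": "Allow", "direction": "Inbound"}},
    {"name": "nsg", "type": "Microsoft.Network/networkSecurityGroups",
     "properties": {"securityRules": [{"name": "any-proto", "properties": {
         "protocol": "*", "sourceAddressPrefix": "Internet", "access": "Allow", "direction": "Inbound"}}]}},
]}

if __name__ == "__main__":
    print(find_open_udp_rules(SAMPLE_TEMPLATE))  # ['bad', 'nsg/any-proto']
```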

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "good", (1)
      "type": "Microsoft.Network/networkSecurityGroups/securityRules",
      "location": "[resourceGroup().location]",
      "apiVersion": "2019-11-01",
      "properties": {
        "protocol": "udp",
        "destinationPortRange": "443",
        "sourceAddressPrefix": "GatewayManager",
        "access": "Allow",
        "direction": "Inbound"
      }
    }
  ]
}
(1) is a resource that restricts UDP Internet access.

Terraform

resource "azurerm_network_security_rule" "udp" {
  name                       = "udp-closed"
  priority                   = 100
  direction                  = "Inbound"
  access                     = "Deny"
  protocol                   = "Udp"
  source_port_range          = "*"
  destination_port_range     = "*"
  source_address_prefix      = "*"
  destination_address_prefix = "*"
}