Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. a source of 0.0.0.0/0) on UDP ports, in order to implement the Principle of Least Privilege (POLP) and effectively reduce the attack surface. UDP (User Datagram Protocol) is a connectionless transport protocol used across the Internet for time-sensitive transmissions such as video streaming and DNS lookups. UDP transfers data quickly, but delivery is not guaranteed, so packets can be lost in transit, and the absence of a connection handshake (which allows the source address to be spoofed) creates opportunities for malicious activity such as DDoS attacks.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Unrestricted UDP access can allow attackers to use DDoS amplification techniques to reflect spoofed UDP traffic off your Azure virtual machines. The most common attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification sources to disrupt services of other machines on the Azure Virtual Network (VNet), or even devices running outside the Azure network.
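The following Python script is an added example, not part of the Conformity rule page and not Conformity's own check. It covers both the Audit and the Remediation sections below: it evaluates the security rules of an NSG in the JSON shape returned by `az network nsg rule list --nsg-name <nsg> --resource-group <rg> -o json` (camelCase keys), flags inbound Allow rules whose protocol covers UDP and whose source is "anywhere", and drafts the matching `az network nsg rule update` call that narrows the source to a trusted range. It goes slightly beyond the page's wording by also flagging rules with protocol `*`, since that wildcard permits UDP as well; the sample rules, resource names (`my-rg`, `my-nsg`) and the trusted prefix `203.0.113.0/24` are constructed placeholders.

```python
"""Audit Azure NSG rules for inbound UDP allowed from any source (added example).

Consumes the JSON shape of `az network nsg rule list ... -o json` and runs
offline on the constructed sample at the bottom of the file.
"""
import json

# Source prefixes that Azure treats as "anywhere" for an inbound rule.
UNRESTRICTED_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet", "internet"}


def source_prefixes(rule):
    """Collect every source prefix on a rule (singular and plural fields)."""
    prefixes = []
    single = rule.get("sourceAddressPrefix")
    if single:
        prefixes.append(single)
    prefixes.extend(rule.get("sourceAddressPrefixes") or [])
    return prefixes


def allows_udp(rule):
    """True when the rule's protocol covers UDP ('Udp' or the wildcard '*')."""
    return str(rule.get("protocol", "")).lower() in ("udp", "*")


def is_unrestricted_udp_rule(rule):
    """Inbound Allow rule whose protocol covers UDP and whose source is 'anywhere'."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("access", "").lower() != "allow":
        return False
    if not allows_udp(rule):
        return False
    return any(p in UNRESTRICTED_SOURCES for p in source_prefixes(rule))


def find_unrestricted_udp_rules(rules):
    """Return the names of offending rules, lowest priority number first."""
    hits = [r for r in rules if is_unrestricted_udp_rule(r)]
    return [r["name"] for r in sorted(hits, key=lambda r: r.get("priority", 65000))]


def remediation_command(resource_group, nsg_name, rule_name, trusted_prefixes):
    """Build the `az network nsg rule update` call that narrows the rule's source.

    Only the source prefixes change; protocol, ports and priority are left as they are.
    """
    prefixes = " ".join(trusted_prefixes)
    return (
        f"az network nsg rule update --resource-group {resource_group} "
        f"--nsg-name {nsg_name} --name {rule_name} "
        f"--source-address-prefixes {prefixes}"
    )


# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES_JSON = """[
  {"name": "allow-dns-anywhere", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Udp", "sourceAddressPrefix": "*",
   "destinationPortRange": "53"},
  {"name": "allow-ntp-internet", "priority": 110, "direction": "Inbound",
   "access": "Allow", "protocol": "Udp", "sourceAddressPrefix": "Internet",
   "destinationPortRange": "123"},
  {"name": "allow-any-proto-world", "priority": 120, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
   "destinationPortRange": "1000-2000"},
  {"name": "allow-snmp-admins", "priority": 130, "direction": "Inbound",
   "access": "Allow", "protocol": "Udp",
   "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRange": "161"},
  {"name": "allow-ssh-anywhere", "priority": 140, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
   "destinationPortRange": "22"},
  {"name": "deny-udp-outbound", "priority": 150, "direction": "Outbound",
   "access": "Deny", "protocol": "Udp", "sourceAddressPrefix": "*",
   "destinationPortRange": "*"}
]"""

SAMPLE_RULES = json.loads(SAMPLE_RULES_JSON)


def audit_sample():
    """Run the check over the constructed sample and return offending rule names."""
    return find_unrestricted_udp_rules(SAMPLE_RULES)


if __name__ == "__main__":
    # Placeholder resource names and trusted range; replace with your own values.
    for name in audit_sample():
        print("UNRESTRICTED UDP:", name)
        print("  fix:", remediation_command("my-rg", "my-nsg", name, ["203.0.113.0/24"]))
```

On the sample, the three rules with `*`, `Internet` and `0.0.0.0/0` sources are reported; the TCP-only SSH rule and the outbound deny are not. The script judges each rule on its own and does not model priority ordering, so a lower-numbered Deny rule that shadows an offending Allow rule would still be reported; review the full rule set before applying the generated update command.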
Audit
To determine whether your Azure network security groups allow unrestricted access on UDP ports, perform the following operations:
Remediation / Resolution
To update your Azure NSG rule(s) configuration in order to restrict UDP access to trusted entities only, such as administrator IP addresses, perform the following operations:
References
- Azure Official Documentation
- Azure network security overview
- Network security groups
- Create, change, or delete a network security group
- Azure best practices for network security
- Azure Command Line Interface (CLI) Documentation
- az-mysql-server
- az-network-nsg-list
- az-network-nsg-rule-list
- az-network-nsg-rule-update