Deny UDP Attack Ports with FortiDDoS ACLs

This recipe shows you how to deny UDP Attack Ports with FortiDDoS ACLs

Deny UDP attack ports with FortiDDoS ACLs – overview

Several UDP Ports are used only for malicious scanning and DDoS attack traffic and have no value for any legitimate application on the Internet. You can safely ACL these UDP attack ports permanently without affecting good traffic in your network. 

ISPs can also deny these UDP attack ports but best practices would suggest publishing a list of blocked ports for customer inspection. Please see the BITAG Port Blocking document.

FortiDDoS’ unique architecture allows very large ACLs in hardware. All mitigation, including ACLs, is done via the FortiDDoS TP2 processors, which are custom-created, massively-parallel transaction processors for DDoS mitigation and ACLs. The ACLs are coded directly into the TP2, changing the structure of the processor. This allows very large ACLs with no performance penalty. ACLing these UDP attack ports will not affect the performance of the system. You can use FortiDDoS to offload other network elements from dealing with these ACLs.

The script linked below can be used to set up SPP-based Service ACLs using the FortiDDoS CLI. These ACLs can be added before or after adding other SPP ACLs.

The list below details the UDP ports blocked using this script. If for some reason, you do not wish to block some of these ports, you can download and edit the script, or delete the ACL Policies via the GUI, after adding to the FortiDDoS via the script.

Remember, data rates are learned and System Recommended Thresholds are set for all 65,535 UDP ports in each SPP, so DDoS attacks on UDP ports will be detected and mitigated even if these ports are not ACLed. These ACLs “clean” your network of undesirable scans and drop all attacks to these ports regardless of the port Thresholds.

UDP attack ports denied

13 – Daytime, 17 – QOTD, 19 – CHARGEN: Obsolete ports used only for reflected DDoS attacks.
69 – TFTP: An unsecured port that allows enormous reflected floods by requesting file transfers to target IPs.
111 – Portmapper/ONC RPC/SunRPC: An unsecured port that, when exposed on the Internet, responds with a full port map of the server; used for reflected attacks.
137-139 – NetBIOS: NetBIOS is intended for LAN communications but can be exposed to the Internet, particularly on UDP 138, where it can be used for reflected attacks.
389 – CLDAP: UDP 389 supports Connection-less LDAP (CLDAP), which was designed for LAN usage but gets exposed to the Internet, particularly by Windows Active Directory servers. UDP queries can result in large responses, making them ideal for reflected attacks.
1900 – SSDP/UPnP: UDP 1900 is used for the SSDP/UPnP protocol that, again, is designed for use on the LAN (to auto-identify services like printers). Some home routers expose it to the Internet, where the port continues to be heavily used for reflected attacks.
5353 – mDNS: mDNS is a zero-configuration DNS-like multicast service for the LAN, but misconfigurations can result in unicast reflected attacks.
11211 – memcached: “memcached” is a general-purpose distributed memory caching system available for most operating systems. Default configurations expose memcached UDP port 11211 to the Internet, and when exploited by attackers this results in massive reflected floods – essentially a cache dump to the target. The industry quickly responded and closed most of the open server ports.

Adding UDP attack port ACLs

1. Gathering needed information

FortiDDoS Service ACLs (which include UDP ports) are applied per Service Protection Profile (SPP). The CLI script below is intended to ease the repetitive task of entering these ACLs into each SPP where you want this protection.

Login to the FortiDDoS GUI.

Navigate to Global Settings > Service Protection Profiles > Config

Record all Service Protection Profile (SPP) Names shown on this page where you wish to create the UDP attack port ACLs.

Note: names are case-sensitive and must match exactly. You can cut and paste the names from the GUI to a text editor or a Word document.

In the example screenshot (SPP Names in GUI), you can see 3 SPP Names:

  • SPP-0
  • Web
  • DNS
SPP Names in GUI

2. Accessing CLI

Open PuTTY or other SSH client and login to FortiDDoS. Be sure you are at the command prompt:

<hostID/SerialNumber> #

3. Accessing UDP attack ports ACL script


Return to your browser and navigate to the link here to open the ACL Script. Keep this tab open.

UDP Port ACL Text Script

4. Navigating to SPP configuration in CLI:

In the PuTTY CLI window, enter:

# config spp
(spp) # edit <1st SPP Name from your list (e.g. SPP-0)>
(SPP-0) #

5. Entering UDP attack ports script via CLI


Copy and Paste the entire script from the browser tab in #3 above into the PuTTY window.

Cut/Paste Script in CLI

6. Confirming UDP attack ports ACL Entries

Return to FortiDDoS GUI.

Navigate to Protection Profiles > Service Config.
Select the correct SPP in the top-right corner of GUI.

Confirm that there are 10 Service (UDP attack ports) definitions.

FortiDDoS Protection Profiles > Service Config

Navigate to Protection Profiles > Access Control List

Confirm that there are 10 ACL Policies.

FortiDDoS Protection Profiles > Access Control List

7. Continuing for remaining SPPs


Return to step 4 and repeat:

# config spp
(spp) # edit <the next SPP Name in your list (e.g. Web)>
(Web) #

Complete steps 5-6 again and continue with every SPP in your list.


8. Removing UDP attack ports ACLs (per SPP)

If you wish to remove any of the UDP Port ACLs in any SPP:

Navigate to Protection Profiles > Access Control List.

Select the SPP in the top-right corner.

Select the row(s) to delete.

Click Delete.

Then:

Navigate to Protection Profiles > Service Config.

Select the row(s) to delete.

Click Delete.

Repeat for each SPP as required.

Delete ACL Policies
Delete SPP Service ACLs

Remember: SPP ACLs will only be enforced in SPPs that are in Prevention Mode. If the SPP (per direction) is in Detection Mode, ACL drops will be displayed but the packets will be allowed to pass.

Port ACLs match the listed port as either Source or Destination. For example, if the inbound direction is in Prevention Mode, packets inbound from UDP Port 1900 to any port, or from any port to port 1900, will be blocked. If the outbound direction is in Detection Mode, outbound queries to 1900 will be allowed but responses will be blocked. There will be no outbound responses because the inbound queries are already blocked.
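To make the per-direction behaviour concrete, here is an added Python model (not Fortinet code, and not the linked script) of the ACL semantics described above: a UDP flow matches when either its source or its destination port is in this recipe's list, Prevention Mode drops it, and Detection Mode only reports it. The port table comes from the list above; the SPP modes and sample flows are constructed for the example.

```python
"""Added model (not Fortinet code) of the SPP service-ACL behaviour described
above: match on source OR destination UDP port; Prevention drops, Detection reports."""
from collections import Counter
from dataclasses import dataclass
# The ten UDP attack services from this recipe, as inclusive port ranges.
UDP_ATTACK_PORTS = {
    "Daytime": (13, 13), "QOTD": (17, 17), "CHARGEN": (19, 19),
    "TFTP": (69, 69), "Portmapper": (111, 111), "NetBIOS": (137, 139),
    "CLDAP": (389, 389), "SSDP": (1900, 1900), "mDNS": (5353, 5353),
    "memcached": (11211, 11211),
}

@dataclass(frozen=True)
class Flow:
    direction: str  # "inbound" or "outbound", relative to the SPP
    proto: str      # these service ACLs are UDP-only
    src_port: int
    dst_port: int

def match_service(flow):
    """Name of the listed service matching src OR dst port, else None."""
    if flow.proto != "udp":
        return None
    for name, (lo, hi) in UDP_ATTACK_PORTS.items():
        if lo <= flow.src_port <= hi or lo <= flow.dst_port <= hi:
            return name
    return None

def evaluate(flow, spp_mode):
    """spp_mode maps direction -> "prevention" | "detection". Returns "drop",
    "report" (ACL drop is displayed but the packet passes) or "pass"."""
    if match_service(flow) is None:
        return "pass"
    return "drop" if spp_mode[flow.direction] == "prevention" else "report"

def tally(flows, spp_mode):
    """Verdict counts for a batch of flows, e.g. to preview Prevention Mode."""
    return dict(Counter(evaluate(f, spp_mode) for f in flows))

# Constructed sample: inbound in Prevention Mode, outbound in Detection Mode,
# mirroring the port 1900 (SSDP) example in the text.
SAMPLE_MODE = {"inbound": "prevention", "outbound": "detection"}
SAMPLE_FLOWS = [
    Flow("inbound", "udp", 40000, 1900),   # SSDP query aimed at us: drop
    Flow("inbound", "udp", 1900, 40000),   # reflected SSDP response: drop
    Flow("outbound", "udp", 40000, 1900),  # inside host querying a reflector: report only
    Flow("inbound", "udp", 50000, 138),    # NetBIOS datagram, inside 137-139: drop
    Flow("inbound", "tcp", 40000, 1900),   # TCP is not matched by UDP ACLs: pass
    Flow("inbound", "udp", 40000, 53),     # ordinary DNS: pass
]
```

Running tally(SAMPLE_FLOWS, SAMPLE_MODE) on the constructed batch gives three drops, one report and two passes, which is the split an operator should expect to see in the ACL drop counters once inbound is in Prevention Mode.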

For further reading on FortiDDoS ACLs, check out:

FortiDDoS Global Address ACLs
FortiDDoS Global Access Control Lists
FortiDDoS SPP Address ACLs
FortiDDoS SPP Service ACLs
FortiDDoS SPP Access Control Lists

Notes

  • For example, UDP Port 1900 (SSDP) is used on the LAN for Universal Plug and Play (UPnP), supporting automatic discovery of printers and other devices on home LANs. Attackers have discovered that some home routers leave this port exposed on the WAN interface and, if queried, respond with a complete list of devices and other information. Since this is UDP, the attacker can spoof the target IP as the Source of the query and the target gets attacked by a reflected/amplified response from UDP Port 1900. Port 1900 has no legitimate use in the WAN.
  • Unlike competitors, FortiDDoS does not use x86 processing for any traffic monitoring or mitigation and thus can inspect 100% of all passing data packets.
  • Shadowserver.org has found more than 34,000 QOTD and 28,000 CHARGEN servers responding to queries.
  • Shadowserver is seeing almost 4 million servers responding to TFTP queries.
  • Shadowserver is seeing more than 1.8 million responding servers, with more than 70,000 providing a list of services (amplification).
  • Shadowserver is seeing almost 500,000 responding servers.
  • Netlab360 has identified more than 200,000 servers being used for CLDAP reflection attacks. Blocking these IPs is not recommended since they are often also DNS resolvers for enterprises.
  • Shadowserver.org suggests that there are over 3.1 million home routers on the Internet that respond to port 1900 queries.
  • Shadowserver has seen over 800,000 devices responding to mDNS queries.
  • As of 2019/01, Shadowserver is seeing 3300 open UDP 11211 ports responding (down from 88,000 in early 2018), but new servers come online frequently and attackers are constantly scanning looking for servers to exploit.
  • We recommend placing SPP-0 in Prevention Mode in both directions. Compromised inside devices will send UDP queries to various known reflector ports with the spoofed IP address of the ultimate target. Prevention Mode will block these outgoing queries and prevent your devices from participating in reflected flood attacks.