
ARD/ARMS abuse and securing MacOSX devices against DDoS Amplification attacks

Recently a significant number of UCLA hosts running MacOSX participated in a DDoS amplification attack that leveraged the Apple Remote Desktop (ARD) / Apple Remote Management Service (ARMS) services, which provide remote desktop and management functions on MacOSX devices over UDP port 3283.

Recommended steps to harden MacOSX against these attacks:

1. Enable the MacOSX application firewall (if it is not already enabled). Apple > System Preferences > Security & Privacy > Firewall - select the Turn on Firewall button. Check the "Automatically allow built-in software to receive incoming connections" and "Automatically allow downloaded signed software to receive incoming connections" boxes.

Be careful with the "Enable Stealth Mode" check box. Once "Enable Stealth Mode" is checked (System Preferences > Security & Privacy > Firewall, with firewall status On > Firewall Options...), MacOSX executes "pfctl -e" in the background, which enables the "pf" packet filter firewall and keeps it enabled across system reboots.
Keep in mind, though, that "Enable Stealth Mode" also disables ICMP echo replies, so the device will no longer respond to ping requests. If you need the device to answer pings, leave the "Enable Stealth Mode" box unchecked.
 
2. Disable Apple Remote Services (ARD/ARMS) if these services are unnecessary. (If your department uses and needs these services, skip Step 2).

Apple > System Preferences > Sharing > Remote Management (uncheck the box); Screen Sharing (uncheck the box); Remote Login (uncheck the box).

3. Next, configure local packet filter firewall rules on the Apple device using pf (the OpenBSD packet filter that ships with macOS) and its pfctl command.

ARD/ARMS amplification DDoS attacks are a relatively new variant that takes advantage of the fact that macOS's default firewall policies are defined per application, not per network port. [1] Security researchers at Netscout found that even with the macOS firewall enabled, the computer would still listen for network traffic on UDP port 3283. [2][4] Based on these findings, Netscout recommends that macOS systems with remote administration or remote desktop services enabled be reachable only via VPN.

However, Apple does ship macOS with OpenBSD's pf (packet filter), and firewall rules can be written and loaded with pfctl to restrict access at the network layer. The macOS pf rules live in /etc/pf.conf by default. Before making changes, UCLA IT Security recommends making a backup of the default configuration (e.g. sudo cp -p /etc/pf.conf /etc/pf.conf.bak). Additional rules can be appended at the end of the file, below the default rules configured by Apple.

By default the "pf" packet filtering local firewall is disabled by Apple. If you have not already enabled it by checking "Enable Stealth Mode" when you turned on the local application firewall in Step 1 above, it will need to be enabled from the Terminal with the command "sudo pfctl -e". (Unlike Stealth Mode, a manual "pfctl -e" does not persist across reboots on its own, so it must be re-run after a restart.)

To configure "pf" to block public internet traffic to UDP port 3283 and accept only traffic from within the UCLA subnet(s), add the following lines to the bottom of the /etc/pf.conf file, below all other rules:

# Block UDP 3283 (ARD/ARMS) from everywhere, then allow it from UCLA subnets only.
# pf evaluates every rule and the last match wins, so the pass rules must come after the block rule.
# "block return" answers rejected packets with an ICMP unreachable; "block drop" would discard them silently.
block return in proto udp from any to any port 3283
pass in inet proto udp from 169.232.0.0/16 to any port 3283 no state
pass in inet proto udp from 128.97.0.0/16 to any port 3283 no state
pass in inet proto udp from 149.142.0.0/16 to any port 3283 no state
pass in inet proto udp from 131.179.0.0/16 to any port 3283 no state
pass in inet proto udp from 164.67.0.0/16 to any port 3283 no state

Run a sanity check on the new rules before applying them, as follows: "sudo pfctl -v -n -f /etc/pf.conf" (the -n flag parses the file without loading it).

If no errors are printed on the terminal, use the command "sudo pfctl -f /etc/pf.conf" to replace the old ruleset with the newly edited one.
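As an added, end-to-end example (not UCLA IT Security's own script), the shell script below automates Step 3: it backs up /etc/pf.conf, appends the block/pass rules for the UCLA ranges under a marker comment so that re-running it does not duplicate them, then syntax-checks and loads the ruleset with pfctl. The marker text, the function names and the harden_ard.sh file name are assumptions; the pfctl calls run only where pfctl exists (macOS), and the script must be run with sudo to modify /etc/pf.conf.

```shell
#!/bin/sh
# Added example script (hypothetical harden_ard.sh), not part of the UCLA advisory.
# Assumptions: rules are appended under a marker comment so the script is safe to
# re-run; pfctl is invoked only when present, so the file edits can be exercised
# on any system while the live load happens only on macOS.

MARKER='# UCLA-ARD-3283 rules (appended by harden_ard.sh)'

# Print the pf rules for one UDP port: a default block, then a stateless pass
# rule per allowed CIDR. pf is last-match-wins, so the pass rules come after
# the block rule.
ard_pf_rules() {
    port=$1; shift
    echo "$MARKER"
    echo "block return in proto udp from any to any port $port"
    for cidr in "$@"; do
        echo "pass in inet proto udp from $cidr to any port $port no state"
    done
}

# Exit 0 if the marker (and therefore the rules) is already in the file.
ard_rules_present() {
    grep -qF "$MARKER" "$1"
}

# Back up the config (cp -p keeps mode and timestamps), append the rules once,
# then syntax-check and load them with pfctl where it exists.
apply_ard_rules() {
    conf=$1; shift
    if ard_rules_present "$conf"; then
        echo "rules already present in $conf, nothing appended" >&2
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    {
        echo ""
        ard_pf_rules 3283 "$@"
    } >> "$conf" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        # -n parses without loading; a syntax error aborts before the live load
        pfctl -v -n -f "$conf" || return 1
        pfctl -e 2>/dev/null || true   # "pf already enabled" is not an error
        pfctl -f "$conf"
    else
        echo "pfctl not found; rules appended to $conf but not loaded" >&2
    fi
}

# UCLA ranges from the advisory above.
UCLA_RANGES="169.232.0.0/16 128.97.0.0/16 149.142.0.0/16 131.179.0.0/16 164.67.0.0/16"

# Usage on macOS (as root):  sudo sh harden_ard.sh
# apply_ard_rules /etc/pf.conf $UCLA_RANGES
```

The marker comment is what makes the script idempotent: a second run finds it and appends nothing, so /etc/pf.conf does not accumulate duplicate rule sets across repeated hardening passes.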

References

[1] https://support.apple.com/en-us/HT201642
[2] https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/
[3] https://github.com/drduh/macOS-Security-and-Privacy-Guide
[4] https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp

This has been tested and works on MacOSX versions from "Leopard 10.5.1" and newer, up to and including the latest version, "Catalina 10.15.1".

This next step requires that you reach out to your department network administrator to do the following configuration:

4. Lastly, restrict access to UDP 3283 to departmental or UCLA IP address space via a network access control list (ACL) or a department perimeter firewall. Ask users to use the Campus VPN when connecting from off campus.

UCLA IP ranges to allow: 169.232.0.0/16, 128.97.0.0/16, 149.142.0.0/16, 131.179.0.0/16, 164.67.0.0/16 (This allows connectivity from the majority of the UCLA campus network, including wireless, and via VPN.)
