Introduction: On the network, a Linux server is a powerful tool, but it is also a target for attack. This article describes an NTP attack problem encountered in practice and the corresponding solution.
1. Scenario description
On an Aliyun ECS instance, alarms were raised frequently over a period of time saying that the traffic was too large and that a DDoS attack had been detected; the service would be isolated and stop responding for a period of time until the traffic had been cleaned. In short, the service was knocked offline by DDoS and was unavailable.
2. Analysis
The log information, a packet capture (cap) file, was obtained by submitting a work order. After opening it, a large amount of NTP service traffic could be seen:
0.000140 188.162.1.140 115.29.44.161 NTP 482 NTP Version 2, private
After port- and process-based lookups, which showed that connection requests on port 123 were consuming a large share of resources, and since port 123 is the port of the NTP service, it was largely determined that the problem was caused by repeated requests to the NTP service from outside.
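The "NTP Version 2, private" line in the capture is an NTP mode 7 packet, the private control mode whose monitor-list requests the "disable monitor" hardening below turns off. The following added example (written for this article, not taken from the page or from Aliyun) decodes the first NTP header byte and counts mode 7 queries per source so a defender can confirm this pattern in a capture; the payloads are constructed and the addresses are placeholders.

```python
from collections import Counter

# Added example for this article; sample payloads are constructed,
# addresses are placeholders (not the article's capture).
NTP_PORT = 123
MODE_NAMES = {3: "client", 4: "server", 6: "control", 7: "private"}
# Mode 7 request codes from ntp_request.h; the monitor list is the amplifier.
PRIVATE_REQ_NAMES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


def parse_ntp_header(payload: bytes) -> dict:
    """Decode byte 0: 2 bits LI (R/M bits for mode 7), 3 bits VN, 3 bits mode."""
    if len(payload) < 4:
        raise ValueError("payload too short for an NTP header")
    first = payload[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7}
    info["mode_name"] = MODE_NAMES.get(info["mode"], "other")
    if info["mode"] == 7:  # private mode: implementation and request code follow
        info["response"] = bool(first & 0x80)
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        info["request_name"] = PRIVATE_REQ_NAMES.get(payload[3], "other")
    return info


def summarize_capture(packets) -> dict:
    """Count mode 7 queries per source; packets are (src, dst, dport, payload)."""
    private_by_src = Counter()
    total = 0
    for src, _dst, dport, payload in packets:
        if dport != NTP_PORT:
            continue
        total += 1
        hdr = parse_ntp_header(payload)
        if hdr["mode"] == 7 and not hdr["response"]:
            private_by_src[src] += 1
    return {"ntp_packets": total, "private_queries_by_src": dict(private_by_src)}


# Constructed sample traffic: one ordinary client poll, two mode 7 queries.
NORMAL_CLIENT = bytes([0x23]) + bytes(47)                   # LI 0, VN 4, mode 3
MONLIST_QUERY = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)  # VN 2, mode 7, req 42
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 123, NORMAL_CLIENT),
    ("198.51.100.7", "192.0.2.10", 123, MONLIST_QUERY),
    ("198.51.100.7", "192.0.2.10", 123, MONLIST_QUERY),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE))
```

A single source sending many mode 7 queries to a host that still answers them is the signature of the reflection abuse described above; after "disable monitor" is applied, such queries should draw no replies.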
3. What is NTP?
The Network Time Protocol (NTP) is a protocol used to synchronize computer clocks. It allows computers to synchronize with servers or clock sources (such as quartz clocks, GPS, etc.) and provides high-precision time correction (an error of less than 1 millisecond on a LAN and tens of milliseconds on a WAN), and it can prevent malicious protocol attacks by means of cryptographic authentication. Time is propagated through a hierarchy of NTP servers: all servers are grouped into different strata (layers) according to their distance from the external UTC source.
Reference information: http://baike.baidu.com/link?url=y5y33eP0oLaSRg6pPMGDM6i-KPDxHwAQuHh84SAn_jbayzswquet2fwsadurmn3uu7meva-zcib6wcdcrqsa8k
4. How to solve:
Server-side behaviour:
Because a service on your machine is improperly configured, attackers can use it in DDoS attacks, saturating the machine's outbound bandwidth; with a packet capture tool, you can see a large number of outgoing packets with the same source port.
Linux system:
Hardening the NTP service:
1. Through the iptables configuration, only allow trusted IPs to access the local UDP port 123; modify the configuration file by executing echo "disable monitor" >> /etc/ntp.conf, and then restart the NTP service with service ntpd restart.
2. It is recommended that you shut down the NTP service directly by executing service ntpd stop, and prevent it from starting at boot by executing chkconfig ntpd off.
Hardening the Chargen service:
1. Through the iptables configuration, only allow trusted IPs to access the local UDP port 19.
2. It is recommended that you shut down the Chargen service directly: edit the configuration file /etc/inetd.conf, comment out the chargen service with #, and restart inetd.
Windows system:
Hardening Simple TCP/IP Services:
1. Through the firewall configuration, only allow trusted IPs to access the local UDP and TCP ports 19 and 17.
2. We recommend that you turn off the service directly, as shown in the following diagram, and prohibit it from starting.
Hardening Web applications:
WordPress Pingback:
1. You can add a WordPress plugin to prevent Pingback from being exploited by adding the following filter:
<?php
// Remove the pingback.ping method from the XML-RPC method list (WordPress filter hook).
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});
2. We recommend that you delete the file xmlrpc.php directly.
5. Reference: https://help.aliyun.com/knowledge_detail/37527.html