Servers send packets to external devices through the NTP service

 For the first time since the O & M, the problem of server paralysis due to attacks has been solved. All the solutions are handled by feeling the stones and crossing the river. This experience also gave me a security lesson.

At ten o'clock A.M. on the 14th, all services running on the server were paralyzed, and the Internet could not be accessed and the server could not be remotely logged on. The IDC confirmed that the server Nic traffic was abnormal and the speed reached 60 m/s. Instead, I had to go to the data center. I really didn't want to go there because of the radiation problem. It was just too cold, and I couldn't stand it when I was there for ten minutes.

Log on locally to view CPU and memory usage. The only abnormal CPU usage is the NTP service (time synchronization protocol ). You can use lsof to check all opened NTP files. I had to capture the packet and check what was sent. Tcpdump-I specifies the port of the network port, and a large number of NTP service packets are sent to different foreign IP addresses. First, the local machine does not have other services related to foreign IP addresses, which is suspicious. I tried to stop the NTP service first, and the network adapter outgoing traffic immediately dropped to a normal level. The problem is found. The cause is unknown. I tried to ask other people and found that there are many attacks recently, collectively referred to as "NTP reflection amplification attack". Its principle is:

1. Use the natural weakness of UDP protocol, that is, data can be directly sent to the client without establishing a connection in the early stage;

2. There are a large number of open distributed ntpservers on the Internet to respond to synchronous requests.

3. A more powerful attack than DNS reflection amplification is a unique monlist function of NTP. (The monlist command can obtain the last 600 Client IP addresses that have been synchronized with the target NTP server. This means that a small request packet can obtain a large number of continuous UDP packets consisting of Active IP addresses ).

An NTP service is set on my server as a local time server. I did not expect to be used by someone else. an IP address queries my NTP server and returns n timesThe NTP response packet achieves the amplification effect. These packets are directed to other IP addresses to attack others. My solution is simple: I shut down the NTP port directly on the firewall.

This article is from the redking blog, please be sure to keep this source http://zhj14007.blog.51cto.com/2868469/1553420

Servers send packets to external devices through the NTP service