How to handle ntp server exceptions
Preface:
First, what is a reflection amplification attack?
NTP is transmitted over UDP, so the source address can be forged.
The NTP protocol includes a kind of query command: a short request makes the server send back a long response.
Amplification attacks are based on such commands.
For example, James asks Li Lei, in Wu Yifan's name, "Who is in our class?" Li Lei answers Wu Yifan: "So-and-so, so-and-so and so-and-so ......" (hundreds of characters).
At the cost of 8 words, James has caused hundreds of words to be sent to Wu Yifan; this is called an amplification attack.
NTP servers on the Internet generally have high bandwidth. An attacker may need only 1 Mbps of upload bandwidth to spoof an NTP server into sending hundreds of thousands of Mbps of attack traffic to the target server, killing with a borrowed knife, so to speak. That is why newer ntpd versions can turn off every query function other than time synchronization through the configuration file. A time synchronization request and its reply are the same size (if I remember correctly), so it cannot be used for amplification.
The following describes the ntp server exceptions:
The ntp server is a physical server with separate intranet and Internet network adapters, each directly connected to an access switch.
Internet traffic was abnormally high. Checking the traffic on the switch ports showed that the access switch port connected to the ntp server was carrying abnormal traffic; after shutting down that port, traffic returned to normal.
(Figure: Internet traffic diagram during the Spring Festival)
Analysis found two reasons this attack succeeded:
1. The firewall is not working and no ACL policy is configured. Hosts exposed to the public network must restrict which network segments may access them;
2. It is unclear whether the hosting cloud has anti-DDoS or other related security devices. Hosts exposed to the public network must be hardened promptly;
Solution:
Attacked port: UDP 123.
I. Harden the NTP service:
Modify the configuration: vi /etc/ntp.conf # Note: the ntp server runs CentOS 5.5; the path may differ on other systems.
1. First, all client operations are rejected by default. Code:
restrict default kod nomodify notrap nopeer noquery # or: restrict default ignore
restrict -6 default kod nomodify notrap nopeer noquery # the same rule for IPv6
2. Then allow all operations on the local address. Code:
restrict 127.0.0.1
restrict -6 ::1 # IPv6 loopback
3. Then, allow a certain IP segment in the LAN to perform time synchronization. Code:
restrict 10.120.189.0 mask 255.255.255.0 nomodify # mask assumed to be 255.255.255.0 (a /24); the original value was garbled
4. Restart the ntp service.
CentOS configuration example:
Important: if you do not need the NTP service, disable it and synchronize the time with the following command instead:
# ntpdate 192.168.100.254 && hwclock --systohc
You can add this command to crontab and regularly execute it.
*/30 * * * * ntpdate 192.168.100.254 && hwclock --systohc >/dev/null 2>&1 # every 30 minutes, synchronize the time and write it to the hardware clock
Other hardening:
1. Upgrade the NTP server
2. Disable the NTP monlist function by adding the "disable monitor" option to the ntp.conf configuration file.
3. Block UDP port 123 at the network exit
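As an added example (not code from the original post), here is a small Python audit of the restrict and "disable monitor" lines described in steps 1 to 4 above and in point 2 here. It assumes a plain ntpd-style ntp.conf and takes the conservative reading, as the post does, that an unflagged "restrict default" covers IPv4 only, so an explicit "restrict -6 default" line is required.

```python
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1"}
# Constructed sample (not from the post): the hardened ntp.conf lines described above.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 10.120.189.0 mask 255.255.255.0 nomodify
disable monitor
"""

@dataclass
class NtpAudit:
    default_v4_safe: bool = False   # restrict default ... noquery|ignore
    default_v6_safe: bool = False   # restrict -6 default ... noquery|ignore
    monitor_disabled: bool = False  # 'disable monitor' present
    query_allowed: list = field(default_factory=list)  # non-loopback rules that still answer queries

    @property
    def hardened(self) -> bool:
        # Internet-facing defaults must refuse queries; LAN rules that still allow
        # them are acceptable only when monlist data is not collected at all.
        return self.default_v4_safe and self.default_v6_safe and (
            self.monitor_disabled or not self.query_allowed)

def _blocks_queries(flags: set) -> bool:
    # 'ignore' drops every packet; 'noquery' refuses control/monitoring (mode 6/7)
    # requests, which is the class a monlist request belongs to.
    return "ignore" in flags or "noquery" in flags

def audit_ntp_conf(text: str) -> NtpAudit:
    result = NtpAudit()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            result.monitor_disabled = True
        if words[0] != "restrict" or len(words) < 2:
            continue
        args, family = words[1:], "4"
        if args[0] in ("-4", "-6") and len(args) > 1:  # explicit address family
            family, args = args[0][1], args[1:]
        target = args[0]
        flags = set(args[3:] if args[1:2] == ["mask"] else args[1:])
        if target == "default":
            # Conservative, as in the post: an unflagged default rule counts as IPv4 only.
            setattr(result, f"default_v{family}_safe", _blocks_queries(flags))
        elif target not in LOOPBACK and not _blocks_queries(flags):
            result.query_allowed.append(target)
    return result
```

Running audit_ntp_conf over the server's real /etc/ntp.conf before and after the change gives a quick check that the restart actually picked up a closed configuration.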
II. Defending against NTP reflection and amplification attacks
1. Because this attack has obvious characteristics, ACL protection can be implemented at the network layer or by the carrier.
2. Use anti-DDoS devices to scrub the traffic.
Applying the above solutions to my situation:
1. Disable the monlist function of the NTP service by adding the "disable monitor" option to the ntp.conf configuration file:
Practice has proved that this method is very effective!
2. Block UDP port 123 at the network exit:
Because many devices need to synchronize their clocks with the attacked server, blocking UDP port 123 is unrealistic for me.
3. Use the network layer or the carrier to implement ACL protection:
Because it involves the production system, and I am not proficient in firewalls and switches, I did not consider adding an ACL rule policy to defend against NTP attacks.
We hope that our colleagues will give better suggestions. You are welcome to provide better solutions!