NTP反射放大攻击（二）攻击场景搭建

NTP反射放大攻击场景搭建

原理

攻击者冒充受害者（NTP客户端）的ip地址，向NTP服务器发送请求消息（很小），ntp服务器收到消息后向受害者返回响应数据包（很大）

三台机器均为centos7.5

安装NTP服务器

一般情况下，选择基本的桌面版安装环境，默认是已经装了的。如果没有安装，参照下面安装步骤

1. yum install -y ntp
2. 修改/etc/ntp.conf 配置文件

	# For more information about this file, see the man pages
	# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
	
	driftfile /var/lib/ntp/drift
	
	# Permit time synchronization with our time source, but do not
	# permit the source to query or modify the service on this system.
	#restrict default nomodify notrap nopeer noquery
	
	# Permit all access over the loopback interface.  This could
	# be tightened as well, but to do so would effect some of
	# the administrative functions.
	restrict 127.0.0.1 
	restrict ::1
	
	# Hosts on local network are less restricted.
	#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
	
	# Use public servers from the pool.ntp.org project.
	# Please consider joining the pool (http://www.pool.ntp.org/join.html).
	
	server 0.centos.pool.ntp.org iburst
	server 1.centos.pool.ntp.org iburst
	server 2.centos.pool.ntp.org iburst
	server 3.centos.pool.ntp.org iburst
	
	#broadcast 192.168.1.255 autokey	# broadcast server
	#broadcastclient			# broadcast client
	#broadcast 224.0.1.1 autokey		# multicast server
	#multicastclient 224.0.1.1		# multicast client
	#manycastserver 239.255.254.254		# manycast server
	#manycastclient 239.255.254.254 autokey # manycast client
	
	# Enable public key cryptography.
	#crypto
	
	includefile /etc/ntp/crypto/pw
	
	# Key file containing the keys and key identifiers used when operating
	# with symmetric key cryptography. 
	keys /etc/ntp/keys
	
	# Specify the key identifiers which are trusted.
	#trustedkey 4 8 42
	
	# Specify the key identifier to use with the ntpdc utility.
	#requestkey 8
	
	# Specify the key identifier to use with the ntpq utility.
	#controlkey 8
	
	# Enable writing of statistics records.
	#statistics clockstats cryptostats loopstats peerstats
	
	# Disable the monitoring facility to prevent amplification attacks using ntpdc
	# monlist command when default restrict does not include the noquery flag. See
	# CVE-2013-5211 for more details.
	# Note: Monitoring will not be disabled with the limited restriction flag.

注：一定要删除最后一行 disable monitor
关于对ntp.conf配置文件的说明，参照下一篇博客

3. 启动ntpd服务并查看状态

启动NTP服务，并设置为开机自启动

	systemctl start ntpd           
	chkconfig ntpd on

等待10-15分钟后执行 ntpstat 查看同步状态：

执行ntpq -p 查看与阿里云ntp服务器连接状态：

4. 打开防火墙123端口
   由于ntp服务使用 123端口udp协议 所以需要打开防火墙。
   irewall-cmd --zone=public --add-port=123/udp --permanent
firewall-cmd --reload

安装ntp客户端

1. yum install -y ntp
2. 修改/etc/ntp.conf 配置文件

注释掉自带的

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

加入

server 10.112.254.141
fudge 10.112.254.141 stratum 10

3. ntpdc -n -c monlist 10.112.254.141
   
   返回这样的信息即说明配置成功，并且存在漏洞