
Resolution for reflective DDoS attacks on ECS

Last Updated: May 08, 2018

Symptoms

Because of improper service settings, some servers can be abused by attackers as reflectors in DDoS attacks. In this situation, the outbound bandwidth of the server may be fully saturated, and if you use a packet capture tool you may find that most of the outgoing traffic originates from a single source port.
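As an added illustration that is not part of the original article, the check below parses simplified tcpdump-style output (a constructed sample, not a real capture) and flags a local UDP source port that carries most of the outbound bytes towards many distinct destinations, which is the pattern this symptom describes. The local IP, the thresholds and the line format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Simplified tcpdump-style lines (constructed sample, not a real capture).
# Outbound traffic from our host 203.0.113.10: most of it leaves UDP/123
# towards many different destinations, which is the reflector signature.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.123 > 198.51.100.5.45000: UDP, length 440
12:00:01.000120 IP 203.0.113.10.123 > 198.51.100.9.45001: UDP, length 440
12:00:01.000240 IP 203.0.113.10.123 > 198.51.100.17.8080: UDP, length 440
12:00:01.000360 IP 203.0.113.10.123 > 192.0.2.44.53: UDP, length 440
12:00:01.000480 IP 203.0.113.10.123 > 192.0.2.45.53: UDP, length 440
12:00:01.000600 IP 203.0.113.10.123 > 192.0.2.46.53: UDP, length 440
12:00:01.000720 IP 203.0.113.10.22 > 192.0.2.100.51234: UDP, length 120
12:00:01.000840 IP 203.0.113.10.443 > 192.0.2.101.51235: UDP, length 80
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def outbound_by_source_port(capture, local_ip):
    """Return {source_port: (bytes_sent, distinct_destinations)} for packets leaving local_ip."""
    sent = Counter()
    dests = defaultdict(set)
    for m in LINE_RE.finditer(capture):
        if m.group("src") != local_ip:
            continue  # inbound packet, not relevant for the outbound-bandwidth symptom
        port = int(m.group("sport"))
        sent[port] += int(m.group("len"))
        dests[port].add(m.group("dst"))
    return {p: (sent[p], len(dests[p])) for p in sent}

def suspected_reflection_port(capture, local_ip, share=0.6, min_destinations=3):
    """Flag a single local UDP port that carries at least `share` of outbound bytes
    towards at least `min_destinations` distinct hosts; returns the port or None."""
    stats = outbound_by_source_port(capture, local_ip)
    total = sum(b for b, _ in stats.values())
    if total == 0:
        return None
    port, (bytes_sent, n_dst) = max(stats.items(), key=lambda kv: kv[1][0])
    if bytes_sent / total >= share and n_dst >= min_destinations:
        return port
    return None

if __name__ == "__main__":
    print(suspected_reflection_port(SAMPLE_CAPTURE, "203.0.113.10"))  # 123
```

A port flagged this way points at the service to harden in the steps below (UDP/123 here means the NTP service).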

Resolution

For Linux

1. Harden NTP service

  1. Use the iptables tool to limit access to UDP port 123 to only trusted IPs.

    1. Modify the configuration file with the following command.
      echo "disable monitor" >> /etc/ntp.conf
    2. Restart the NTP service with the following command.
      service ntpd restart
  2. If you do not require the NTP service, we recommend stopping it and disabling auto-start.

    1. Execute the command service ntpd stop.
    2. Execute the command chkconfig ntpd off.

2. Harden Chargen service

  1. Use the iptables tool to limit access to UDP port 19 to only trusted IPs.
  2. If you do not require the Chargen service, we recommend disabling it. To do this, edit the configuration file "/etc/inetd.conf", comment out the Chargen service line with #, and then restart the inetd service.

For Windows

1. Harden Simple TCP/IP service

Note: By default, the Simple TCP/IP service is not installed on Windows systems. If you do not use this service, skip this step.

  1. Configure the firewall to only allow trusted IPs to access both UDP and TCP ports 19 and 17.
  2. If you do not use the Simple TCP/IP service, we recommend stopping it and disabling auto-start.

2. Harden Web application

WordPress Pingback

  1. Add a WordPress plugin that disables Pingback. To do this, register the following filter in the plugin:

    <?php
    // Remove the pingback.ping method from the XML-RPC interface so the site
    // cannot be used as a reflector.
    add_filter( 'xmlrpc_methods', function( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    } );

  2. Alternatively, delete the xmlrpc.php file.
