DDoS attacks are so rampant, how can we solve them?

Network security has always been a hot topic of discussion. For Internet companies, there is no security and no survival.


Gao Hongliang, Product Architect of NetEase Cloud Yidun

Today, with attacks becoming ever more prevalent, how to ensure enterprise security has become a research hotspot. At the Architecture and Operation and Maintenance Technology Summit Forum on April 14, Gao Hongliang, a product architect from NetEase Cloud Yidun, shared an analysis of enterprise network security threats and the practice of delivering network security as a SaaS service.

State of Network Security

The current security threats are classified into three aspects: service stability security, data security and operational security.

The first is the stability and reliability of services. On the one hand, this depends on the stability and reliability of the information system itself; after the information system is moved to the cloud in particular, the influencing factors increase, such as virtual machine performance, virtual machine migration mechanisms, network link redundancy and the information system's disaster recovery mechanism. On the other hand, it depends on the impact of external attacks such as DDoS attacks and DNS domain name hijacking. The stability and reliability of system services are jointly determined by these two factors.

The second is data security. Data security issues mainly concern two aspects: data leakage and data tampering. The recent Facebook user data leakage problem reflects the harm and seriousness of data leakage. The main cause of the incident was that Facebook cooperated with other companies and did not verify the data destruction process, so partners were able to leak the data; this brought Facebook an unprecedented threat to its survival as an enterprise and caused more Internet companies to pay attention to data protection. The incident also fully reflects the principle of enterprise security being "three parts technology, seven parts management". In addition to data leakage caused by internal management mechanisms or personnel problems, the harm caused by external network attacks cannot be ignored. Common Web application attacks, system-level exploits and more complex targeted APT attacks all bring serious harm to the survival and operation of enterprises, and even to national security.

The third is operational security: phishing websites, fake applications and spam content. These problems seriously affect the user experience, endanger the interests of users, and cause reputational and financial damage to enterprises.

Status of DDoS attacks


From the statistical data, we can see several characteristics of DDoS attacks:

1. The south suffered more DDoS attacks, with Zhejiang Province suffering the most;

2. The scale of DDoS attacks on telecommunications lines is relatively large, often reaching the TB level;

3. In terms of attack duration, two-thirds of DDoS attacks lasted less than 10 minutes, attacks lasting from 10 minutes to 1 hour accounted for about 30.5%, and less than 0.1% of attacks lasted more than an hour.

Why are DDoS attacks so rampant?

First, the attack profit chain is mature, and the cost of attacking keeps falling. The DDoS underground industry chain offers a complete set of services, including various packages; a DDoS attack service can be purchased for tens of yuan a month.

Second, the scale of attack traffic is increasing year by year. On the one hand, the bandwidth available to individuals and enterprises is increasing. On the other hand, smart home and Internet of Things devices are deployed at large scale with weak security protection, which gives attackers more opportunities to exploit them and makes it easy to form a large-scale cluster of attacking devices.

Third, it is difficult to trace the source. Between the sender of the attack command and the servers that actually attack there may be several hops, and combined with techniques such as IP forgery this makes finding the source of the attack very difficult. For attackers, there is currently little to fear. "Tracing the source and chasing the culprit" requires a very high cost and experienced offensive and defensive experts or teams. For the attacked party, basically only passive protection remains.

Story Analysis: Memcache Reflective Attack

The protagonist of the story is the Memcache server. This server caches some of the content accessed by the enterprise's application system so that data access and response are faster.

From a management perspective, the Memcache server, as a server for intranet applications, should not be exposed to the public network. However, many companies' operation and maintenance managers still manage it over the public network for convenience. This is the basic premise for using Memcache to carry out DDoS attacks.

Another key factor is that the Memcache server has no authentication step: anyone who scans the IP and port can access it. The most central factor that completes the attack is the Memcache access protocol: after a request is sent to the Memcache server, the reply is far larger than the request, producing an amplification effect. Attackers forge the source IP and use Memcache servers as reflectors, forming a reflective amplification DDoS attack with an amplification factor of up to 50,000 times. In this way an ultra-large-scale DDoS attack method came into being. The typical incident: GitHub suffered a Memcache reflective amplification DDoS attack exceeding the terabit (T) level.

It is worth noting that although the Memcache attack is so large in scale, it is only one emerging attack method. Across all DDoS data, it accounts for less than one percent. The majority are still existing attack methods such as DNS reflection attacks and SSDP attacks (which use port 1900 on IoT devices for reflection).

How to solve Memcache reflection attacks?

Looking at the scale and distribution of Memcache servers, there are more than 20,000 exploitable Memcache servers in China and more than 100,000 Memcache servers worldwide. Judging from the scale of the impact, solving the Memcache reflection attack problem can no longer be delayed.

In his talk, Gao Hongliang, product architect of NetEase Cloud Yidun, suggested that in the prevention phase the operations managers of Memcache servers need to close the exploited port 11211 and place Memcache servers on the intranet so that they cannot be exploited. However, this cannot completely eliminate such incidents; human factors remain, and exploitable devices will still exist on the Internet. So for attacks that have already formed, the attacked party can use cloud scrubbing services for protection.
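Two defender-side checks for the Memcache problem described above, as an added example that is not part of the talk: spotting a server being abused as a reflector from flow records, and auditing memcached startup flags for the exposure named in the prevention advice. The flow records and flag values are constructed; the `-l`, `-U` and `-p` options are memcached's real listen-address, UDP-port and TCP-port flags.

```python
# Added example (not from the talk): detect Memcache reflection abuse in flow records
# and audit memcached startup flags. Sample flows and flag values are constructed.
import ipaddress
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # the exploited port named in the talk
INTRANET_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Flow:
    proto: str      # "udp" or "tcp"
    src_ip: str     # the memcached server
    src_port: int
    dst_ip: str     # the host that received the replies (the reflection victim)
    bytes_in: int   # bytes the server received from dst_ip (the spoofed request)
    bytes_out: int  # bytes the server sent back to dst_ip

def amplification(flow: Flow) -> float:
    """Reply/request byte ratio; the max() guards against a zero-byte request."""
    return flow.bytes_out / max(flow.bytes_in, 1)

def find_reflection_victims(flows, min_ratio=100.0, min_bytes_out=10_000):
    """Return (victim_ip, ratio) for UDP flows leaving port 11211 whose reply
    volume dwarfs the request: the signature of a reflector being abused."""
    hits = []
    for f in flows:
        if (f.proto == "udp" and f.src_port == MEMCACHED_PORT
                and f.bytes_out >= min_bytes_out and amplification(f) >= min_ratio):
            hits.append((f.dst_ip, round(amplification(f))))
    return hits

def audit_memcached_args(args):
    """Flag the two exposures the talk names: UDP enabled (-U non-zero) and a
    listen address (-l) that is not loopback or RFC 1918 intranet space.
    Assumes every flag in args takes a value, e.g. ["-l", "0.0.0.0", "-U", "0"]."""
    opts = dict(zip(args[::2], args[1::2]))
    findings = []
    udp_port = int(opts.get("-U", "0"))  # memcached 1.5.6+ defaults UDP to off
    if udp_port != 0:
        findings.append(f"udp_enabled:{udp_port}")
    listen = opts.get("-l")
    if listen is None or ipaddress.ip_address(listen).is_unspecified:
        findings.append("listens_on_all_interfaces")
    elif not any(ipaddress.ip_address(listen) in net for net in INTRANET_NETS):
        findings.append(f"non_intranet_listen:{listen}")
    return findings

# Constructed sample: a 15-byte spoofed request answered with a 750 kB reply.
SAMPLE_FLOWS = [
    Flow("udp", "10.0.0.5", 11211, "203.0.113.7", bytes_in=15, bytes_out=750_000),
    Flow("tcp", "10.0.0.5", 11211, "10.0.0.9", bytes_in=120, bytes_out=2_300),
    Flow("udp", "10.0.0.5", 11211, "10.0.0.9", bytes_in=60, bytes_out=800),
]
```

The constructed flow reproduces the 50,000-fold amplification the talk cites; legitimate intranet traffic on the same port is left alone by the ratio and volume floors.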

DDoS attack classification and protection

Attack classification:

By effect, DDoS attacks can be divided into two types. The first consumes bandwidth resources; the typical example is the reflective volumetric attack.

The second exhausts server resources: the server's connection count, the server's CPU and the DNS servers that provide domain name resolution are all resources. By occupying these resources, the attacker makes the server unable to provide service externally. Typical examples are CC attacks, or large-scale queries to a DNS server for non-existent domain names that consume the DNS server's resources and so attack the server indirectly.

Protection:

For DDoS attacks, the protection methods currently available in China amount to three: locally deployed security appliances, cloud traffic scrubbing, and the carriers' scrubbing systems and route blackhole policies.

The three methods differ in cost and applicable scenarios, so users need to choose a protection solution that suits their own situation.

How does NetEase Cloud Yidun solve this problem?

The NetEase Cloud anti-D (anti-DDoS) trilogy:

1. NetEase has deployed high-defense scrubbing clusters at the regional entrances of China Telecom, China Unicom and China Mobile;

2. The business traffic of high-defense customers is first diverted to the NetEase Cloud high-defense data center for scrubbing and protection;

3. After scrubbing, the user's business traffic is forwarded back to the customer's origin server through the high-defense IP.


Before connecting to cloud anti-D, users access the service system directly. After connecting, access traffic first goes to Yidun's cloud-scrubbing high-defense data center; once the traffic has been scrubbed, the high-defense data center passes the normal business traffic back to the actual server.

There are two prerequisites here. First, the protected service is accessed through a domain name. Second, once the high-defense service is enabled, the actual IP of the user's system must be hidden from the outside, so that attackers cannot bypass the cloud scrubbing system and attack the IP directly.

In the actual protection process, traffic passes through several rounds of scrubbing. Detection relies mainly on algorithmic models based on thresholds, data characteristics and behavior analysis, applied through measures such as client authenticity verification, blacklists, ACL controls and traffic rate limiting.
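A minimal version of the layering described above (a static blacklist/ACL in front of a threshold detector that rate-limits offenders), run over constructed access-log lines. This is an added example and not Yidun's code; the log format, thresholds and client addresses are assumptions for illustration.

```python
# Added example (not Yidun's code): ACL + per-client sliding-window threshold +
# temporary rate limit, the mechanisms named in the talk. All values are assumed.
from collections import defaultdict, deque

class CcDetector:
    """Per-client sliding-window request counter with a static ACL in front of it."""

    def __init__(self, window_s=10, threshold=20, ban_s=60, allowlist=(), blocklist=()):
        self.window_s, self.threshold, self.ban_s = window_s, threshold, ban_s
        self.allowlist, self.blocklist = set(allowlist), set(blocklist)
        self.hits = defaultdict(deque)   # client -> request timestamps inside the window
        self.banned_until = {}           # client -> epoch second the dynamic ban ends

    def observe(self, ts: int, client: str) -> str:
        """Verdict for one request: allow, blocked_acl or rate_limited."""
        if client in self.blocklist:          # static ACL: always dropped
            return "blocked_acl"
        if client in self.allowlist:          # static ACL: never counted
            return "allow"
        if self.banned_until.get(client, 0) > ts:
            return "rate_limited"             # still inside a dynamic ban
        q = self.hits[client]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:   # drop hits that left the window
            q.popleft()
        if len(q) > self.threshold:           # threshold crossed: start a temporary ban
            self.banned_until[client] = ts + self.ban_s
            q.clear()
            return "rate_limited"
        return "allow"

def run_detector(lines, **kwargs):
    """Feed 'epoch client method path' lines through the detector; return verdict counts per client."""
    det = CcDetector(**kwargs)
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, client, _method, _path = line.split(maxsplit=3)
        summary[client][det.observe(int(ts), client)] += 1
    return {c: dict(v) for c, v in summary.items()}

# Constructed sample: one client fires 30 requests at /login within 3 seconds,
# a normal client sends 5 requests, and a blocklisted address sends 2.
SAMPLE_LOG = (
    [f"{1523700000 + i // 10} 203.0.113.50 GET /login" for i in range(30)]
    + [f"{1523700000 + i} 198.51.100.9 GET /index.html" for i in range(5)]
    + ["1523700001 192.0.2.77 GET /api/search"] * 2
)

if __name__ == "__main__":
    print(run_detector(SAMPLE_LOG, window_s=10, threshold=20, blocklist={"192.0.2.77"}))
```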


The NetEase Cloud Yidun cloud anti-D service can comprehensively detect and protect against Layer 4 and Layer 7 attacks. For policy configuration, multiple templates are preset, targeted configuration according to the specific business situation is possible, and wizard-based configuration is supported. For displaying business traffic status, graphical views in multiple dimensions are supported.


In terms of overall protection capability, NetEase Cloud Yidun currently supports business protection on the three carriers' lines, provides 1T of ultra-large bandwidth protection, and its SLA availability reaches 99.9%.

After the service is connected to anti-D, the added latency is within 100 ms.

In terms of business access, both NetEase Cloud customers and non-NetEase Cloud customers are supported, and access takes only 5 minutes to complete. It is generally divided into four steps:

1. Purchase a high-defense IP in the Yidun console and select the China Unicom/Telecom/Mobile line;

2. Configure forwarding rules for the Anti-DDoS Pro IP, forwarding the cleaned traffic to the origin server IP;

3. Configure the protection strategy;

4. Switch the service DNS to point to the Anti-DDoS Pro IP.

Where is NetEase Cloud Yidun leading?


DDoS protection: It effectively intercepts malformed packets and defends against Layer 4 attacks such as SYN Flood, ACK Flood, ICMP Flood, UDP Flood, NTP Flood, SSDP Flood and DNS Flood.

CC protection: It effectively defends against Layer 7 attacks such as CC attacks and HTTP Flood through JS verification, browser fingerprinting, ACLs and other techniques.

Container isolation: Separate scrubbing containers are allocated to different high-defense IPs, and the containers are isolated from each other, so that different high-defense IPs do not affect each other.

Elastic protection: After selecting elastic protection, when the attack exceeds the basic protection peak, the business will continue to be protected by NetEase Cloud Yidun.
