Industrial security experts talk about DDoS countermeasures from the perspective of attack and defense
2022-06-24 17:19:00 [Tencent Security]
2020 can be called the renaissance of DDoS, this "classic" attack technique. Driven by the global COVID-19 pandemic, DDoS attacks grew in scale and the frequency of attacks suffered by the industry hit a new high. Over the past year DDoS tactics diversified, and the number of attacks exceeding 50 Gbps rose sharply. For many industries and enterprises, anti-DDoS remains a long road, and the security situation they face is more serious than before.
So why did 2020 become the year with the largest increase in DDoS attacks? The trend in DDoS attacks is clearly correlated with the state of pandemic prevention and control; where exactly does that correlation lie? What are Tencent Security's core strengths in defending against DDoS attacks? The 27th issue of "Industrial Security Experts Talk", jointly produced by Tencent Security and the Cloud+ Community, invited Luo Xijun, head of DDoS protection technology and R&D director at Tencent Security, to walk through the key content of the 2020 Tencent Cloud DDoS Threat White Paper and share Tencent Security's practical experience on the anti-DDoS road.
Q1: The White Paper mentions that 2020 was the year with the largest increase in DDoS attacks. What are the reasons behind this?
Luo Xijun: We can look at this from the attacker's perspective. First, in terms of will and motivation: the sudden outbreak of COVID-19 last year brought great changes to people's way of life. Many activities moved from offline to online, which in turn drove the rapid development of Internet services. When business develops at high speed, it brings more opportunities to attackers, and their profit margins get bigger.
Second, the attacker's capabilities and resources. In recent years IoT and 5G infrastructure have developed rapidly, and security problems have come with them, such as weak passwords or vulnerabilities, which make devices easy to compromise and turn into "zombies" that launch DDoS attacks.
Third, there is now a trend toward the instrumentalization of DDoS attacks, what is now called attack-as-a-service (SaaS), which lowers the threshold for attackers. Imagine registering an account on a web page and launching an attack with a mouse click or an API call.
Besides, the pandemic also made attackers more motivated. The pandemic stimulates demand, demand brings resources, resources keep growing, and the continued growth of resources is in turn strongly driven by motivation, so attackers can make better use of those resources.
To sum up, attack motivation and attack resources together made 2020 a year of strong growth in attacks.
Q2: The trend in DDoS attacks is clearly correlated with the state of pandemic prevention and control. Where does the correlation lie?
Luo Xijun: The correlation in the data is this: during the pandemic people stayed at home and online business exploded. For cybercrime gangs this was a great opportunity to attack; it was bound to be more profitable and more effective than the period before home isolation.
Take a simpler example: games. In the early morning or the middle of the night few people are playing, so attackers have little incentive to do harm at that point, because the fewer the users, the lower the profit. Conversely, at the peak of gaming, say seven or eight in the evening or at noon, there are many users online; attacking at that point brings the attacker greater benefit and has a greater impact on users and on the game industry.
Q3: The game industry is still the main industry under attack. How much of a threat did DDoS attacks pose to the game industry in 2020? Were domestic game companies seriously affected?
Luo Xijun: The game industry has always been one of the areas hardest hit by DDoS. The data show that in 2020 the game industry accounted for 78% of attacks, up 28% from 2019. The reason is that the areas suffering DDoS attacks track the rapid development of the game industry, and this is the same on a global scale; in other words, the game industry feels the impact of DDoS attacks most acutely.
To illustrate: when a player is attacked mid-game, they may lag or be disconnected and unable to reconnect, and the player's experience of the product and the product's own reputation are badly damaged.
Moreover, domestic game companies encounter the same problem when they expand overseas, where conditions may be even worse. On the one hand, overseas gangs may be more capable; on the other hand, measures such as tracing the source may be harder to carry out abroad.
Therefore, the impact of DDoS attacks on domestic games going overseas is even greater. For example, extortion has been very common in recent years, as has unfair competition, and even some players who maliciously seek profit in-game affect the game industry. At present, DDoS attacks remain a habitual method of the cybercrime groups.
Q4: Last year a new type of UDP reflection attack appeared. What is the reason, and why are these new reflection attacks still concentrated in the game industry?
Luo Xijun: UDP reflection is actually an old attack technique, but last year we saw something new in UDP. In July last year, researchers found hackers using several new kinds of IoT devices to carry out UDP reflection attacks, after which the US FBI issued a security alert about this threat to American companies. That led the cybercrime groups to learn the technique and then use it at scale, which is why its share was so high after July, reflecting changes in UDP attack techniques.
Why is it still games? There are several reasons. First, a game has to guarantee a good user experience and keep latency low, so network protocol development has always used UDP; UDP reflection also uses UDP, so the protocols in the two scenarios are in fact the same. Second, the new UDP reflection differs from before. In the past there was an amplification ratio: sending a packet of tens of bytes produced attack packets of hundreds of bytes, amplifying the traffic. But these new UDP methods do not use large packets; the packet length is similar to the normal game protocol, and the attack sources we see hackers use are home routers or other smart devices. From the server side, these IPs look like normal user IPs, because they come from home networks. So from the defender's side, all of this makes such situations difficult to defend against and poses a bigger challenge to the protection system. Attackers also like to mix the real with the fake, so it will get worse: once they find they can break through in this way, they will use it heavily.
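As an added illustration of the defender's problem described in the answer above (this is example code, not code from the interview or from Tencent's products): with classic amplification, a mean-packet-size threshold catches the reflected traffic, while small-packet reflection from home devices has packet sizes inside the game protocol's range and slips through. What still distinguishes reflected traffic, a general property of reflection rather than anything the interview states, is that it arrives from the reflector's fixed service port, whereas real game clients use ephemeral source ports. The flow records, the port numbers (27015 as the game port, 3702 as a hypothetical home-device service port), the 200-byte game packet ceiling and the ephemeral range are all constructed assumptions.

```python
"""Added example: two heuristics for spotting UDP reflection in flow records.

Constructed NetFlow-style tuples: (src_ip, src_port, dst_port, packets, bytes).
Assumptions (not from the interview): the game server listens on UDP 27015,
its protocol never exceeds 200 bytes per packet, legitimate clients use
ephemeral source ports (>= 32768), and reflectors answer from a fixed
service port (53 for DNS amplifiers, 3702 for the hypothetical home devices).
"""
from collections import defaultdict

GAME_PORT = 27015
GAME_MAX_PKT_BYTES = 200      # assumed ceiling for this game's protocol
EPHEMERAL_MIN = 32768         # assumed start of client ephemeral port range
MIN_SHARED_SOURCES = 3        # distinct IPs sharing one source port before flagging

FLOWS = [
    # legitimate game clients: ephemeral source ports, ~90 B packets
    ("198.51.100.10", 52133, GAME_PORT, 400, 36_000),
    ("198.51.100.11", 61022, GAME_PORT, 380, 34_200),
    ("198.51.100.12", 49733, GAME_PORT, 410, 36_900),
    # classic DNS amplification: service port 53, ~1200 B responses
    ("203.0.113.5", 53, GAME_PORT, 5_000, 6_000_000),
    ("203.0.113.6", 53, GAME_PORT, 4_800, 5_760_000),
    ("203.0.113.7", 53, GAME_PORT, 5_100, 6_120_000),
    # small-packet reflection from home devices: shared service port, ~90 B packets
    ("192.0.2.20", 3702, GAME_PORT, 9_000, 810_000),
    ("192.0.2.21", 3702, GAME_PORT, 8_800, 792_000),
    ("192.0.2.22", 3702, GAME_PORT, 9_100, 819_000),
    ("192.0.2.23", 3702, GAME_PORT, 9_050, 814_500),
]


def mean_packet_size(flows):
    """Bytes per packet across a group of flows (0.0 for an empty group)."""
    packets = sum(f[3] for f in flows)
    return sum(f[4] for f in flows) / packets if packets else 0.0


def flag_by_size(flows, max_pkt=GAME_MAX_PKT_BYTES):
    """Heuristic 1: sources whose mean packet size exceeds the game's ceiling.

    Catches classic amplification; blind to reflection with game-sized packets.
    """
    return sorted({src for src, _sp, _dp, pkts, nbytes in flows if nbytes / pkts > max_pkt})


def flag_by_source_port(flows, game_port=GAME_PORT,
                        ephemeral_min=EPHEMERAL_MIN, min_sources=MIN_SHARED_SOURCES):
    """Heuristic 2: non-ephemeral source ports shared by many distinct source IPs.

    Real clients pick random high ports; reflectors all answer from the same
    service port. Returns {source_port: sorted list of source IPs}.
    """
    by_sport = defaultdict(set)
    for src, sport, dport, _pkts, _nbytes in flows:
        if dport == game_port and sport < ephemeral_min:
            by_sport[sport].add(src)
    return {sp: sorted(ips) for sp, ips in by_sport.items() if len(ips) >= min_sources}


def compare_heuristics(flows):
    """For each reflector group found by source port, report its mean packet size
    and whether the size heuristic alone would also have caught every source."""
    size_hits = set(flag_by_size(flows))
    report = {}
    for sport, ips in flag_by_source_port(flows).items():
        group = [f for f in flows if f[1] == sport]
        report[sport] = {
            "sources": len(ips),
            "mean_pkt_bytes": round(mean_packet_size(group), 1),
            "caught_by_size": all(ip in size_hits for ip in ips),
        }
    return report


if __name__ == "__main__":
    for sport, info in sorted(compare_heuristics(FLOWS).items()):
        print(f"src port {sport}: {info}")
```

Running it shows the DNS group (mean 1200 bytes) flagged by both heuristics and the port-3702 group (mean 90 bytes, indistinguishable from real clients by size) flagged only by the shared-source-port rule. The source-port rule is itself imperfect in practice: a game protocol whose clients bind a fixed port, or a carrier-grade NAT that funnels many users through one address, would need the thresholds adjusted, which is the "mix the real with the fake" problem the answer describes.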
Q5: In disclosing security intelligence, to what extent is disclosure appropriate?
Luo Xijun: This question is more about the defender's perspective, or disclosing from a positive angle. We cannot disclose how to do bad things; the point is to tell you that we know how the bad things are done, or that, in the course of protection, the security problems can be solved at the same time.
But as the defending side, this does not mean we can abuse the disclosure of security information; it means being in control of the situation. For the whole market, including both the attack and the defense sides, we all have threat intelligence, and it also reflects our professional capability.
Q6: The threat of TCP reflection attacks continues to grow. What is the reason?
Luo Xijun: TCP reflection is a new technique that has only appeared in the last two or three years. In the first year or two it relied more on open web services on the Internet, for example general-purpose CDNs, to reflect. Since last year the situation has changed: general-purpose CDNs can no longer meet the attackers' needs, so they started using DNS devices and other smart devices to launch it.
This differs somewhat from UDP reflection. UDP reflection wants the reflection to amplify traffic, to move a thousand catties with four taels; TCP reflection has no obvious amplification and cannot amplify the traffic volume, but it can drive up the packet size or the PPS to a great extent. Packet size and PPS are a big challenge to the performance of network devices and protection devices, which is why TCP reflection is harder to solve than UDP reflection: the PPS and packet throughput it produces are relatively large, which is a severe test of our equipment's performance.
In addition, TCP reflection uses a normal communication protocol stack, and although it is still spoofed, it is hard to tell apart from normal protocol-stack traffic: is this a normal user or an attacker? This point of exploitation brings higher challenges to our protection system and protection strategy. So illegal hackers prefer to go from simple to difficult: use UDP reflection first, then TCP reflection, step by step, trying to break through one step at a time.
Q7: The White Paper shows that application-layer attacks are becoming massive. What does this refer to?
Luo Xijun: Last year we captured an encrypted-traffic attack of nearly 3 million QPS. The largest scale captured before was in the tens of thousands, so this is actually growth of dozens of times.
We found the threat from encrypted traffic suddenly increased, and the threat at the application layer is also increasing; the two add up. There is another interesting point: these attack sources use rapid-redial IPs, rapid-redial proxy IPs. In the business-security field, fraud, scalping and bonus-abuse scenarios may use rapid-redial IPs more, because they keep switching in order to bypass our risk-control strategies. We found that rapid-redial IPs are now being applied in the traditional security confrontation field. If we still intercept and defend from the perspective of IP, there will be many disadvantages, because rapid-redial IPs change constantly; if we fight it the old way, we will find we are always behind the attackers, always analyzing after being hit.
Q8: XOR.DDoS botnets are the most active. What are the reasons?
Luo Xijun: XOR is a classic botnet that has been around for more than ten years. It infects Linux servers via password brute-forcing or weak passwords; after infection it plants a Trojan which carries a DDoS attack tool, and that tool joins the "zombie" to the bad guys' botnet to launch attacks outward. Its attack technique is the most classic one, namely SYN flood, and specifically a large-packet SYN flood; the scale of a single botnet is generally around 100-300 Gbps. In the second half of last year, due to the development of IoT devices, its activity also rose in the second half of the year.
In December last year, we found the botnet spreading through poisoning of an open-source software supply chain, which is a relatively large new trend. In the past, hackers were still used to obtaining new "zombies", controlling them, then uploading the Trojan or backdoor, uploading tools and attacking. But at that time our security monitoring found that it had forged a piece of software in a software supply chain and bundled a backdoor inside: once you build your own business system with that open-source software and the software turns out to be poisoned, that machine may also be planted with such a Trojan.
Q9: Compared with previous years, what were the most important directions of improvement in Tencent's anti-DDoS technology in 2020, and what was the effect?
Luo Xijun: First, cost reduction. We continue to develop high-performance protection equipment and solutions to reduce the cost of investment in equipment. For example, in the past a single device might defend against 10G of traffic; by last year we had begun to reach the 100G or even 400G range. This lowers the input cost, and operations and maintenance efficiency also rises.
Second, joint efforts to improve efficiency. We build security capabilities together with partners and open those capabilities to customers. Then there is continuous upgrading at the algorithm level. Our past form of confrontation was more traditional, such as writing rules and writing signatures, but in the context of complicated attack tactics or strong confrontation this method becomes more and more limited, so we keep applying big data and machine-learning algorithms to enhance the configurability and flexibility of policies, hoping to handle high-level attacks more intelligently and automatically.
As for the effect: first, the price the customer pays for the product may fall, or at the same cost they can buy more advanced defense capability, since cost is a key consideration for customers; second, security attack and defense is always a process of continuous confrontation, and technology upgrades improve the efficiency of that confrontation. For example, an attack technique that in the past might have taken three to five days to resolve for a customer now takes a day or even half a day, or just one configuration change, to solve. Efficiency improves greatly and the time customers are affected shrinks greatly.
Q10: What incremental capabilities and solutions does Tencent Security provide to customers?
Luo Xijun: We have a solution called "AI Protection". Before it existed, when an attack technique changed, the usual pattern was: the customer's business got damaged, the security team analyzed it and adjusted and updated the policy, and that could take hours or more. After launching the advanced "AI Intelligent Protection" function, customers just click on the page and it automatically analyzes the change in attack tactics and automatically identifies and adjusts the policy; in perhaps just a few minutes a lot of business can be restored. That is one point.
Q11: As the attack methods of the black and gray markets keep upgrading, how do we, as defenders, run ahead of them?
Luo Xijun: First, our threat intelligence capability. It requires us to do a lot in advance rather than be passive, to take the initiative and keep control of the wheel, so we capture and perceive threat changes in the industry in a timely way.
Second, Tencent's own business, especially its own game business, in fact faces this kind of big threat, and so do Tencent Cloud customers. If customer A finds some problem and we can sense it in time, we can put that problem into our overall consideration; if customer B also finds a problem, we do not have to deal with it passively. That is what we are doing with threat intelligence capability.
Another point is back-end technical capability. When a new problem arises, technology iteration can quickly solve it and adapt to the situation. In fact, all our back-end systems are self-developed; one benefit of self-development is good controllability, and the efficiency of customization is also very high. When there is a need or an attack, we can quickly iterate and upgrade. It also depends on the technical model in the back end, which after all has to support such fast iteration.
Q12: What is the core competence most needed in the field of DDoS defense, and what are our core strengths?
Luo Xijun: First, we have years of technical accumulation. Security has a professional threshold, and perhaps there is no shortcut. On another level, Tencent has many businesses, massive and novel Internet business models, and also the practical conclusions drawn from Tencent Cloud users. By practical I mean hand-to-hand combat with the bad guys; only after that do you know how to fight. These are some of our technical advantages.
Second, resource advantages. DDoS depends to a large extent on the matching of resources, such as the back-end resource reserves of Tencent Security products, for example bandwidth reserves and BGP network reserves. Our various business forms can provide users with high protection bandwidth and capability. That is the resource advantage.
Third, security service. For example, when a customer has a problem that needs solving, we can support and respond quickly and help the customer handle it proactively.
Q13: Which industries are likely to become high-incidence areas for DDoS attacks in the future? If these industries need to deploy and respond in advance, what should they do to build their own defense system?
Luo Xijun: In theory, every Internet service may be subject to DDoS attack, because it is not like a vulnerability or an intrusion. Vulnerabilities and intrusions mean there are weaknesses and bad actors have a chance to get in; DDoS, however, is possible as long as you are online, because network reachability brings this problem, and the most obvious effect of a DDoS attack is to cut users off from the service, with a negative impact on the business.
In the future, some emerging industries may carry this kind of security risk. For example online education: if the network goes down, students cannot attend online classes. Or online medicine, which is really tied to life, so the risk is large. For customers or business owners in these industries, our suggestions are:
First, the enterprise itself should have the ability to resist attacks. It is like an ordinary person catching a cold: it is not all about taking medicine; the body must first have a certain resistance. Likewise, the business must first have a degree of attack resistance in its processes, code development, architecture and so on.
Second, at the architecture level, when a real problem occurs, you want fast scheduling or hot-standby switchover. This is a disaster-recovery problem; it can also be called the ability to quickly restore business.
Third, let professionals do professional work. When it really affects the survival and development of the enterprise, you still need to find a professional security service team to solve the problem.