Dr. Liu Ziqian, CISSP, is a visiting scholar at the University of California and a member of the Communications Network Security Professional Committee of the China Communications Enterprise Association. He is currently the CEO and chief architect of China Telecom's Network Security Product Operation Center and the leader of the "Yundi" team. He was previously the head of the ChinaNet network, the head of the DNS system, and the director of the group SOC of China Telecom. The following is the interview content:

51CTO: As a carrier-grade DDoS security protection product, how many GB of attack traffic can Yunti withstand?

Liu Ziqian: Usually, the industry's understanding of "carrier-grade" is mainly in terms of reliability, that is, how many 9s are required to be called carrier-grade. For Yunti specifically, the reason it is called a carrier-grade product is not only to show our service continuity capabilities, but more because Yunti fully utilizes China Telecom's IP backbone network and is a product with carrier-grade network capabilities. Yunti currently has the world's largest bandwidth resources for absorbing attack traffic, and bandwidth is precisely the resource most needed for DDoS attack protection; it is also the largest cost item in protection services. Specifically, the attack protection capacity is related to Yunti's two protection methods: near-source traffic suppression that can distinguish the attack source, and near-source traffic cleaning. Traffic suppression relies on RTBH, FlowSpec, QoS policies, etc., using the capabilities of routers across the network to fight attack traffic near the source at the edge of the backbone network. In theory, the attack traffic this method can withstand is the bandwidth capacity of the backbone network.
In commercial terms, this is called unlimited attack traffic processing (the bandwidth reserve of the telecommunications backbone network is nearly a thousand times the maximum attack peak known so far). Yunti's near-source cleaning utilizes 26 cleaning centers deployed in a distributed manner on the backbone network. Through BGP anycast, attack traffic is pulled to multiple nearby cleaning centers for processing after entering the telecom network. The total cleaning capacity and the exclusive bandwidth of the cleaning centers are both over 1000G, which is also the largest cleaning capacity in the industry.

51CTO: Why do many banking institutions, such as Bank of China, China Merchants Bank, and Agricultural Bank of China, use Yunti's services? What are the advantages or differences compared to similar products on the market?

Liu Ziqian: Since 2013, the financial industry, especially state-owned banks and major commercial banks, has indeed faced more and more DDoS attack threats than in the past, such as Bitcoin extortion, financial competition and conflict, or pure revenge. Compared with other products, Yunti's advantages are mainly reflected in the nature and capabilities of the product itself. In terms of the nature of the product, Yunti comes from China Telecom, the largest and most basic telecommunications operator in China. Since almost all enterprises use telecom dedicated lines to access the Internet, enterprise traffic is naturally carried on our network, so it is a very natural choice to superimpose telecom security services on those dedicated lines. The enterprise nature of the product and its neutral position, strictly regulated by the government, make Yunti easier for customers to trust than the products of other service providers; of course, what really makes customers choose and continue to use Yunti's services is the excellent capabilities of the product itself.
Anti-D services must solve three core problems: visibility, prevention, and clarity, corresponding to attack detection, attack protection, and analysis and tracing. These three problems constitute a closed loop of attack protection, and none of them can be missing. Yunti has its own unique advantages in each of them:

(1) Attack detection uses NetFlow data covering the core routers of the entire telecom network to monitor attacks. Its advantage is that it can monitor the real-time online traffic of any Internet target address through China Telecom's large network. When a large-volume attack occurs, traditional attack detection methods can only calculate attack traffic and access volume on the network or host near the target end of the attack, and thus cannot avoid serious undercounting due to traffic congestion or packet loss; Yunti can comprehensively evaluate the actual attack traffic to the target IP on all links in the entire network, so it measures the traffic scale of large-scale DDoS attacks most accurately. Large financial enterprises have a wide coverage of outlets and access points at home and abroad. Yunti's monitoring capabilities cover both domestic and foreign networks, so by connecting with Yunti, monitoring of their national and even overseas nodes is solved. In addition, financial customers especially need to know the scale of the risk threats they face, and to use this as the basis for assessing possible losses and for capacity procurement. Therefore, complete attack measurement is also very necessary.

(2) Attack protection includes two main functions: traffic suppression and traffic cleaning. Its outstanding advantage is the concept of "near-source protection". Yunti monitors and analyzes the NetFlow data of routers in the entire telecom network, and can accurately identify the main area of an attack, such as whether it is initiated from overseas or from other domestic operators.
It can locate which operator, which city, or even which IDC room is the initiation point, thereby dispatching IP bearer network routers and distributed traffic cleaning devices to clear the attack traffic at the network node "closest to the attack source". Therefore, its attack protection capability is theoretically infinite. Yunti's near-source traffic suppression utilizes many BGP core functions such as Anycast, virtual next hop and FlowSpec to control the distribution of signaling throughout the network, and uses the IP network core routers to discard, rate-limit and perform other QoS actions on attack traffic in a distinguishable direction. Near-source cleaning uses real-time analysis of the attack source to start the distributed cleaning center deployed in the core node of the telecom IP network closest to the attack source, diverts the attack traffic to the cleaning center for malicious traffic disposal, and then sends normal business traffic to the target website through an isolated return channel. Yunti's cleaning node bandwidth is fixed and exclusive, and there is no situation where cleaning bandwidth is shared with other business traffic during attack diversion, which greatly reduces the possibility of business damage due to bandwidth congestion caused by attack traffic. At the same time, Yunti uses BGP to achieve network-wide diversion of attack traffic within seconds. By comparison, the traditional diversion method of modifying the DNS NS authoritative resolution often takes more than ten minutes to take effect, is subject to the minimum TTL limit in the user's local recursive resolver, and cannot guarantee that attack traffic is completely steered within the network. The cleaning equipment mainly uses operator-level large-capacity, high-performance cleaning devices, which have strong small-packet processing and forwarding performance and provide increasingly rich support for Web security.
At the same time, it accepts users' in-depth customization of cleaning protection policy templates.

(3) Analysis and tracing mainly solve the problem of accurately locating the source of the attack. We know that when attackers use zombie hosts to launch attacks, they often use false source IP addresses to confuse their identities and hide their ownership. Yunti conducts real-time NetFlow analysis on each monitored attack to find the physical circuit interface on the network device where the attack initiation point is connected. Through this interface, the attack source can be accurately located without any speculation about the ownership of the source IP address. Since Yunti knows the location of all network resources of the backbone operator, and does not rely on IP address ownership mapping (commonly used by Internet companies) or on whether there is an effective probe at the source end (the practice of security companies), Yunti's leading advantage in attack tracing and positioning capabilities is difficult to shake. Unlike ordinary enterprises, financial institutions will resort to the law after being attacked. As long as there is a basis for filing a case, Yunti will cooperate with the judicial authorities to provide key attack traces and data. The credibility and accuracy of data are often the key to whether evidence can be provided, and in terms of data quality and data nature, Yunti's advantages are also very obvious.

A few key points are summarized as follows: full network coverage (including overseas telecom networks); comprehensive and objective measurement of large attack traffic; near-source protection; traffic suppression that can distinguish the attack source, with no upper limit on protection capability; 1T cleaning capacity for the entire network; near-source attack traffic traction based on BGP anycast technology, with protection taking effect within seconds; accurate attack tracing covering the entire network; 0 user operations, 0 equipment deployment.
In addition to DDoS attack protection, Yunti is also gradually launching DNS security features. For example, we are currently carrying out rapid network-wide correction of DNS domain names and disposal of phishing and fraud websites for a small number of customers. These are of great help to financial customers in dealing with the two major pain points of domain name resolution errors and user interest damage caused by fraudulent websites, providing more comprehensive security protection for financial customers. Financial customers also value the service experience, so in addition to the above features, Yunti also attaches great importance to the ease of use and convenience of services, and focuses on the visualization of security services. In addition to providing the "telephone reporting + work order follow-up" that traditional operators are best at, Yunti also provides a very rich self-service web portal and highly automated API integration. Through the Web Portal, customers can not only see attack alarms, conduct self-protection, and analyze attack characteristics, but also use it to monitor their own telecom dedicated line circuit traffic, so it is almost a lightweight network management system for customers. In addition, Yunti is the first product in China to provide DDoS and DNS protection service interfaces through WeChat clients. Customers' operations and maintenance or security personnel can follow alarms, issue disposal actions, and analyze and display results in real time through their own WeChat. This user experience is also unprecedentedly convenient and very popular with customers.

51CTO: Are there any relevant cases to introduce?

Liu Ziqian: As for specific cases, since they involve the privacy and wishes of our service customers, we will keep them confidential for now.
One specific case can be eLong, because their CTO himself posted about it on Weibo, so we can just quote it: http://card.weibo.com/article/h5/s#cid=1001603847816140218611&vid=&extparam=&from=&wm=0 Yunti participated in the entire process of providing the highest-level Internet security for the 93rd Military Parade and the World Internet Conference in Wuzhen in 2015, provided attack protection services to nearly 200 important sites, and defended the country's honor in many actual confrontations. At present, Yunti has nearly a thousand major customers, covering enterprises from all industries including financial securities, government, Internet companies, energy manufacturing, etc., and has a very good reputation among users.

51CTO: Recently, Google launched Project Shield, which can protect small-scale websites from DDoS attacks. What do you think about this?

Liu Ziqian: I haven't tried this service myself, so I can't make any judgment. But from an analysis of Google's official information, it feels like this service is similar to a CDN-based protection solution, which transfers the protected website to Google's CDN. For example, the domain name of the protected website points to Google's CDN domain name through a CNAME, and is then hashed to the global service IP. In fact, there are already many similar products and services at home and abroad. However, there are two key issues with this type of CDN solution. The first is whether the customer accepts that the access traffic of their website must pass through or terminate on a third-party CDN server. Customers who attach great importance to the privacy of their data may find it difficult to adopt this solution, such as bank customers. The second problem is that if the attack is chasing the origin server IP, or the dynamic content of a website that is frequently attacked by CC must be fetched from the origin, then the CDN solution will still encounter many problems in dealing with such attacks.
51CTO: What suggestions do you have for problems such as domain name hijacking and phishing attacks that small and medium-sized enterprises often encounter?

Liu Ziqian: Domain hijacking refers specifically to the intentional modification of DNS resolution records. Later, it came to be generalized to include some HTTP hijacking, etc. However, the causes of this problem are actually very complicated. From the perspective of business flow, there are many possible points of failure, such as software behavior on the terminal side, protocol behavior on the network side, and careless management of the user's own authoritative domain name server. If we focus on the network side, this hijacking may occur in various organizations such as edge access service providers, secondary SPs, and Wi-Fi service providers, because these organizations have the network location conditions to control the "hijacking point". As I mentioned in the previous question, in early 2016 Yunti launched new internal testing functions specifically for DNS domain name hijacking repair and anti-phishing to help corporate customers solve these problems as much as possible. We can ensure that the customer's domain name resolution is normal on the DNS service nodes officially authorized by China Telecom and in the core network that China Telecom can directly control. If there is a problem, we can monitor it and notify the customer as soon as possible. After obtaining authorization, we will quickly repair the polluted domain name resolution record. We are also willing to cooperate with Yunti customers to combat this network chaos and unfair competition. For phishing websites, traditional countermeasures are difficult to apply and take a long time to process, and there is no guarantee that access to phishing websites by various terminals and browsers in a large network can be quickly blocked. Yunti is currently testing related anti-phishing products, hoping to bring surprises to customers.
Before more effective products and services are available, companies can file complaints with relevant departments or social groups such as the Anti-Phishing Alliance and ask for their assistance. We also see more and more companies joining similar alliances to jointly purify the network environment, which is also a very positive move.

51CTO: Finally, what role do you think operators play in the Internet security ecosystem?

Liu Ziqian: Frankly speaking, I personally believe that large-scale basic operators are subject to the constraints of the traditional system and their own technological development process, and do not yet have the conditions for the so-called "building" of a complete Internet security ecosystem. However, based on the network itself, as the basic carrier of the Internet's "connection relationship", we are indeed the most critical cornerstone and link. In terms of the nature of the enterprise, we shoulder huge social responsibilities and are the defenders of the security of the country's and government's basic information facilities; in terms of the service audience, we serve hundreds of millions of netizens and millions of corporate customers, and we also have the responsibility to let everyone fully enjoy the convenience and security of the Internet. If you want to draw a hierarchical diagram, the operator should be in the middle layer, connecting to the regulatory requirements of the national government upwards, and serving netizens and various enterprises downwards. At the same level, there are also various equipment manufacturers and partners providing capabilities. China Telecom is actively transforming and is using our high-quality resources and our long-accumulated technology to create and operate Internet security products with unique capabilities.
Taking this as an opportunity, we will maintain the mentality of a latecomer in the field of Internet security, continue to learn and grow, and become an excellent security service provider that is indispensable to customers.
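Two of the technical points Liu makes in the attack-detection and tracing answers are easy to demonstrate on data: measuring a volumetric attack by summing NetFlow toward the target across every ingress router (rather than at the congested target link, where drops cause undercounting), and ranking the physical ingress interfaces that carried the traffic instead of trusting the possibly spoofed source IP. The following is an added example written for this page, not Yunti's code or any China Telecom tooling; the router names, interface names, IP addresses, byte counts, baselines and the 60-second window are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record as exported by a core router (constructed schema)."""
    router: str     # exporting router
    in_iface: str   # physical ingress interface on that router
    src: str        # claimed source IP; may be spoofed, so never used for tracing here
    dst: str        # target IP
    proto: str
    nbytes: int     # bytes seen in the export window


WINDOW_S = 60  # assumed export window covered by the sample flows (constructed)

# Constructed sample: one target (198.51.100.10) flooded from three ingress points,
# plus a second, quiet destination. Documentation/test address ranges only.
SAMPLE_FLOWS = [
    Flow("core-bj-1", "Gi0/0/1", "203.0.113.7",  "198.51.100.10", "UDP", 6_000_000_000),
    Flow("core-bj-1", "Gi0/0/1", "203.0.113.9",  "198.51.100.10", "UDP", 4_500_000_000),
    Flow("core-sh-2", "Te1/0/3", "192.0.2.44",   "198.51.100.10", "UDP", 9_000_000_000),
    Flow("core-gz-1", "Te2/1/0", "192.0.2.201",  "198.51.100.10", "TCP",   500_000_000),
    Flow("core-gz-1", "Te2/1/0", "192.0.2.88",   "198.51.100.20", "TCP",   300_000_000),
    Flow("core-bj-1", "Gi0/0/2", "198.18.0.5",   "198.51.100.20", "TCP",   200_000_000),
]


def bytes_per_destination(flows):
    """Network-wide byte total per destination, summed over every exporting router."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.nbytes
    return dict(totals)


def mbps(byte_count, window_s=WINDOW_S):
    """Convert a byte total over the window into megabits per second."""
    return byte_count * 8 / window_s / 1_000_000


def detect_volumetric(flows, baseline_mbps, factor=10.0):
    """Flag destinations whose network-wide rate exceeds factor * their normal baseline.

    Returns {dst: observed_mbps}. baseline_mbps is a per-destination dict of
    expected traffic (constructed here; in practice learned from history).
    """
    hits = {}
    for dst, total in bytes_per_destination(flows).items():
        rate = mbps(total)
        if rate > factor * baseline_mbps.get(dst, 0.0):
            hits[dst] = rate
    return hits


def ingress_points(flows, dst):
    """Rank (router, interface) pairs by bytes carried toward dst.

    This is the circuit the traffic physically entered on, which is what lets an
    operator locate the origin without speculating about a spoofed source address.
    """
    per_iface = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            per_iface[(f.router, f.in_iface)] += f.nbytes
    return sorted(per_iface.items(), key=lambda kv: kv[1], reverse=True)


def near_target_view(flows, dst, link_capacity_mbps):
    """Bytes a probe on the target's own access link could have counted.

    Traffic above link capacity is dropped upstream and never reaches the probe,
    so the near-target number is capped and understates the real attack size.
    """
    capacity_bytes = link_capacity_mbps * 1_000_000 * WINDOW_S / 8
    return min(bytes_per_destination(flows).get(dst, 0), capacity_bytes)


if __name__ == "__main__":
    baseline = {"198.51.100.10": 50.0, "198.51.100.20": 40.0}  # constructed baselines
    for dst, rate in detect_volumetric(SAMPLE_FLOWS, baseline).items():
        print(f"{dst}: {rate:.0f} Mbps network-wide, "
              f"near-target probe on a 1G link would count only "
              f"{mbps(near_target_view(SAMPLE_FLOWS, dst, 1000)):.0f} Mbps")
        for (router, iface), nbytes in ingress_points(SAMPLE_FLOWS, dst):
            print(f"  ingress {router} {iface}: {mbps(nbytes):.0f} Mbps")
```

The gap between `detect_volumetric` and `near_target_view` is the undercounting Liu describes: on the constructed data the target receives roughly 2.7 Gbps in aggregate, while a probe behind a 1 Gbps access link can never report more than 1 Gbps. The `ingress_points` ranking is also the natural input for a near-source response, since each entry names the router and circuit where a suppression or diversion action would apply.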