Alibaba Security
Host Security
PREVIEW16m 52s
14m 14s

The course is part of this learning path

Start course

In this course, we'll take a look at Alibaba Cloud security products to ensure host, network, apps, and data security.

Learning Objectives

  • Get a good understanding of Alibaba Cloud's Security portfolio
  • Learn how to defend your workloads from a variety of threats at the host, application, and network layer
  • Learn how to encrypt your data at rest and in transit
  • Learn how to potentially deal with unwanted user-generated content

Intended Audience

This course is intended for anyone looking to use the products in Alibaba's security portfolio in order to sure their Alibaba Cloud workloads, as well as anyone studying for the ACP Cloud Computing certification exam.


To get the most out of this course, you should have a basic understanding of the Alibaba Cloud platform.


Moving on to network security. So we'll start by looking at VPCs and specifically security groups which are a function inside of VPCs. So the security group is essentially a set of firewall rules, security group rules either allow or deny traffic. Each ECS instance that you create has to be a member of at least one security group. This is essentially the firewall tool that's built into Alibaba Cloud VPCs. A VPC again, is a private network group that your ECS instances live inside of. 

Security group rules include the following information, there's the action or rule type which is either going to be to accept or block the traffic. There's the port range that the rule applies to, this could be a single port like 80 or 443 or it could be a port range. The protocol, which will be one of ICNP, TCP or UDP. And then the authorization objects, this is the security group ID or IP address range that we want to accept or block. It's really that simple, it's essentially just the same thing as the firewall that you might install yourself on a host like Ubuntu Linux.

Let's now move on to DDoS, we'll move on to the Anti-DDoS service. In order to discuss anti-DDoS, we first need to talk about what a DDoS attack is. So what is it? Well, DDoS stands for Distributed Denial of Service. This is a type of attack where an attacker takes control of thousands or potentially even tens or hundreds of thousands of computers which are often called zombies and then uses those computers to simultaneously access a particular site, that site becomes the victim.

If the attacker controls enough computers to generate a very large amount of network traffic, this can have any effect of causing the victim website to no longer be able to respond to legitimate requests. That's why it's called denial of service. People who are trying to use the service ordinarily normally are denied, hence denial of service. This is one of the hardest types of attacks to block because as long as the attacker has enough resources at his or her disposal, the attacker can essentially take down any target site simply by saturating all of the network links, saturating all of the compute and network capacity at the victim. And there's very little you can do to effectively block a DDoS attack because the attack is coming from tens or even hundreds of thousands of distinct computers with separate IPs distributed around different parts of the world.

So there's no simple rule that you can use to block a DDoS attack. There are actually many different types of DDoS attacks, so let's just look at one. This is a simple attack called a SYN Flood. So if you're familiar with the TCP protocol, a SYN is the packet that you send when you're first trying to establish a connection with a server. So you're doing your TCP three-way handshake to establish a connection between you and another computer. The first thing you do is send a SYN. What the server will do is open a port for you, make a note of your IP address and then send back a SYN plus an acknowledgement. When you receive that, you have to send back a final acknowledgement to open the TCP connection.

So how does the attack work? In a SYN Flood DDoS attack, what you do is you get hundreds or thousands of machines to all send a SYN to a server. So they all send a SYN and then they listen for the SYN plus ACK. But here's the interesting part, you don't respond with the final ACK. So what happens is the server is sitting there waiting for acknowledgements that's never come. And of course, there are a limited number of port numbers available for the server to use, so eventually the server runs out of port numbers and is no longer able to respond to legitimate requests. That's how a SYN Flood overwhelms the target server. So we have a tool called anti-DDoS, Alibaba Cloud Anti-DDoS that is designed to filter out attack traffic. And it works on multiple different types of DDoS attacks

 We just learned about SYN Floods but there's many other types at both layer 4, the network layer and also a few at layer 7, so HTTP and HTTPS as well as various types of web socket attacks. So Anti-DDoS is a set of techniques, best practices, tools, and systems for resisting or mitigating the impact of distributed denial of service attacks on internet facing applications by protecting the target and any relay networks. Anti-DDoS is a layer 4 and layer 7 service and is not designed to defend against all types of attacks. However, we'll work on most of the popular types of DDoS attack that are in use today.

So you can see at the bottom of the slide, we have an architecture diagram here. Your DNS service can be with any vendor, it doesn't have to be with Alibaba Cloud. What you do is you modify the DNS record for your site, so that it resolves to the CNAME of our anti-DDoS scrubbing center. The anti-DDoS scripting center then takes all incoming traffic, matches it against some heuristics that we've built to detect attacks and discards any traffic that matches the patterns that anti-DDoS knows to look for. It then passes the remaining cleaning traffic, excuse me, the remaining cleaned traffic back to your backend server load balancer or ECS instance. And of course, the backend origin site doesn't actually need to be on Alibaba Cloud. It could be on AWS or Google or another provider, it just needs to have a public network interface.

There are three versions of anti-DDoS on Alibaba Cloud. There is anti-DDoS Basic, Pro and Premium. That's how we split things up. So I'll explain what the differences are between those three but all of them serve more or less the same function which is to protect you from DDoS attacks without having to make major changes to the architecture of your application. So let's look at the difference between Anti-DDoS Premium and Anti-DDoS Pro. These are the professional or enterprise editions of our anti-DDoS service. I won't discuss Anti-DDoS Basic, that's built into our cloud platform for free. If you're using RDS database service or ECS or OSS, you already have Anti-DDoS Basic built in for free.

Let's discuss just the enterprise editions here, Premium and Pro. The difference has to do with whether or not, your site is deployed in mainland China. If your site is deployed in mainland China, then you'll be using Anti-DDoS Pro. This uses BGP routing tricks to do very, very cool things like allow you to switch the Anti-DDoS protection on and off on demand, so you can turn it on only when an attack is detected. It supports multiple domains and ports and a permanent static public IP. So that's a very cool feature, your backend service, your origin server can have a permanent static public IP and still be defended by Anti-DDoS Pro. It doesn't need to hide behind a scrubbing center CNAME.

Further, the mitigation capacity for Anti-DDoS Pro is 10 terabits per second. Anti-DDoS Premium relies instead on a filtering method that's based on anycast. This is what we use outside of China. So this means outside of China mainland, so that would include Macau and Hong Kong. So outside of the Chinese mainland we use Anti-DDoS Premium, which has a five terabit per second mitigation capacity and lacks a few of the cooler BGP related features of Pro. But it's still a powerful first of all, anti-DDoS tool.

So how does the anti-DDoS service work? Well, again, there's some slight differences between Pro and Premium but in general, in order to mitigate a DDoS attack, you need to be able to absorb and process all of the attack traffic. So you need the capability to absorb all of the attack traffic, analyze it, determine which traffic constitutes part of the attack and which does not and then pass the cleaned traffic, the non-attack traffic back to the origin behind your anti-DDoS service.

So the way Alibaba Cloud Anti-DDoS Premium does this is we have 12 scrubbing centers worldwide which provide 10 terabytes per second of DDoS scrubbing capacity. We use anycast so that we can support essentially unlimited protection. And we have an AI mode that's part of Anti-DDoS Premium that's designed to also protect you against some types of layer 7 attack such as an HTTP Flood. So let's look at a real case here. So this is an attack that takes advantage of a let's call it a design flaw in Memcached.

So Memcached is a service on Linux that is used as a in-memory cache, typically in front of a database in order to speed up database access. So it's an in-memory key value store and it's not designed to be exposed to the internet. So what is the design flaw that I'm talking about? Well, the design flaw is that it doesn't have an authentication mechanism. It's possible to configure Memcache so that it will respond to any request at all. And it's listening on port 11211 and it accepts UDP traffic. So if you leave this port exposed to the internet and you're running Memcache, what an attacker can do is come along and make a request of your Memcache server with a spoofed IP address. When they do this, the response from your Memcache server will go not back to the attacker but to the attacker's target which is the spoofed IP. What's worse than that is it's possible to amplify an attack with Memcache because Memcache can return multiple responses for a single request. So an attacker can easily multiply their traffic several fold by taking advantage of these features of Memcache and that's what this attacker in 2018 did. That's how they were able to get their attack traffic up so high. Of course, by today's standards, 758 gigabits per second is still large but we do routinely now see attacks over one terabit per second.

So an important part of having a reliable anti-DDoS service is analyzing incoming traffic and looking for patterns that might indicate an attack. This is really the most difficult part of providing DDoS protection and this is something that Alibaba does well. We analyze more than 10 terabytes worth of logs in end to end network traffic per day. So we're dealing with a huge volume here and we take all that information and we use it to develop attacker IP blacklists, attack signatures, malicious programs, fingerprints, and a list of vulnerabilities and then we feed that information into all of our security products including Anti-DDoS. So part of the benefit of using a anti-DDoS product from Alibaba Cloud is that we are basing the intelligence of that tool on actual attack traffic that we're analyzing every day, so the tool is constantly improving.

Let's now turn our attention to cloud firewall. So cloud firewall is essentially an on cloud firewall service. So one of the issues you have when you migrate to the cloud is you need to worry about how to manage traffic between public and internal networks. How do you segregate those and how do you defend against malicious traffic. And then there's from internal to the public network, how do you detect and block abnormal outbound connections? That's an issue. So it's not just about defending yourself from attackers on the internet. It's also detecting unusual outbound connections from your own intranet. You also need to worry about connections between internal networks.

How do you control traffic between different private network segments within your own cloud environment? How do you detect access relationships between applications and locate hosts that are doing something unusual? And then between VPCs, so how do you isolate applications on Alibaba Cloud by region and zone? These are all challenges you face when you migrate to the cloud and we have a firewall tool that's designed to help you with that which is Cloud Firewall. You don't have to deploy any hardware, you don't have to buy an image from the marketplace, you don't have to modify routing configurations, you just click enable and then Cloud Firewall is ready to go.

So one of the big challenges you face as a security person or a systems administrator is gaining insights into network security trends. And this is an area where a Cloud Firewall can help you. There's an outbound connection detail overview in the cloud firewall console that gives you information about inbound and outbound connections. There's a cloud network overall report which tells you about rates of traffic with a breakdown by protocol and application type. There's also a full audit report which you can use to fulfill compliance requirements. And there's a network flow visualization that indicates new or unusual connections between different hosts in your Alibaba Cloud environment as well as built-in intrusion detection that can give you information about potential attacks.

So Cloud Firewall features break down into roughly four categories, there's prevention, defense, backtracking, and detection. So prevention is all about access control, controlling traffic flow to and from the internet and isolation between VPCs within your cloud environment. We also provide security policies based on domain names, applications, and regions which you can apply for access control. Then under defense there's intrusion prevention. So there's a built-in IPS, there's a built-in Intrusion Prevention System and then there's virtual patching as well. So there's the ability to apply a temporary patch in the event that there's a new vulnerability out that there's no official patch for yet.

Backtracking, so there's traffic logs, security logs, and also firewall operation logs available. So you can see what actions have been taken both to configure Cloud Firewall itself and what traffic has flowed to and from various network interfaces that are controlled by Cloud Firewall and then under detection, you can easily manage all of your public IP addresses within a given Alibaba Cloud region. Monitor all your outbound connections and analyze and visualize traffic from the internet and traffic between different security groups. In the next section, we'll take a look at application and data security.

About the Author
Learning Paths

Alibaba Cloud, founded in 2009, is a global leader in cloud computing and artificial intelligence, providing services to thousands of enterprises, developers, and governments organizations in more than 200 countries and regions. Committed to the success of its customers, Alibaba Cloud provides reliable and secure cloud computing and data processing capabilities as a part of its online solutions.