護航11.11，如何築牢安全防禦系統？

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/af/af9f6637b50b09be60b00a42f3812d5e.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"京東就像一座人口來往繁忙的大型“城池”，每天都有大量人羣在“城池”內外穿梭流動，在11.11大促活動期間，更會人流量暴增，給“城池”安全運行帶來巨大考驗。如何幫助這座“城池”構建好安全防禦系統，使“城池”保證忙而有序、安全平穩，是保證持續繁榮發展的關鍵。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在2017年京東集團年會上"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"“技術、技術、技術”"},{"type":"text","text":"三個詞喊出後，京東智聯雲作爲京東的技術基石，在京東大促活動中承擔的責任越來越重，同時也積累了豐富的經驗。本篇文章將和大家分享京東智聯雲在護航11.11大促中，是如何築牢“城池”的安全防禦系統？"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"開頭提到了京東就像一座大型“城池”，當一座城池備戰防禦的時候，需要進行"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"城牆巡檢"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"城門加固"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"護城河構築"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"甬道加固"},{"type":"text","text":"等加固工作，來築牢“城池”的安全防禦系統，同時還需要進行實戰演習，檢驗安全防禦系統的有效性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/c7/c7bb85b1354ae5a60be03ee7bac2a467.webp","alt":null,"title":"▲圖1 築牢“城池”安全防禦系統步驟▲","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"一、“城牆巡檢”- 全面基線巡檢"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"全面基線巡檢，是爲了保證基本面沒有大的缺口，規避“木桶效應”，避免被黑客輕而易舉的長驅直入。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"全面基線巡檢的難點在於："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1）如何保障全面性；"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2）如何準確快速完成檢查。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"在全面性保障方面，"},{"type":"text","text":"京東智聯雲有統一的資產管理平臺，對實體、虛擬資產進行統一管理。那作爲雲租戶，如何來保障對資產的全面管理？雲原生管理控制檯天然具備統一的資產管理能力，所有購買資源都可以在上面進行統一管理。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"在巡檢的準確快速性方面，"},{"type":"text","text":"則主要通過分佈式漏洞掃描快速完成在暴露的攻擊面掃描，重點關注如：弱口令、遠程命令執行等可以被黑客One Step利用並且造成重大危害的漏洞。同時，通過主機安全對存在潛在風險的配置項進行檢查，消除因配置導致風險。通過漏洞掃描+主機安全的組合拳，保證系統在基本面上沒有大的缺口。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雲上租戶也可以直接在雲上使用網站威脅掃描、主機安全這套組合拳，來對業務基本面實施安全檢查。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"二、“城門加固”- 重點系統加固"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"重點系統加固，首先需要"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"鎖定重點系統"},{"type":"text","text":"，重點系統通常是指在業務核心鏈路上出現問題可能產生阻塞，進而影響整個業務的系統。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"重點系統在日常工作中往往已經在安全方面進行了重點關注，在大促備戰期間主要關注："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1）重點系統在大促過程中擴容的資源是否保持與原來一樣的標準；"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2）已知風險是否已經完成修復，未完成修復的風險規避方案如何實施。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"在系統變更方面，"},{"type":"text","text":"京東智聯雲有統一的部署平臺，對系統的新增部署有統一記錄，部署變更記錄，準確定位到新增部署點，檢查安全措施是否符合要求，保證安全措施的一致性。對已知風險未修復的點，則通過安全防護產品或者安全訪問控制策略進行風險規避，完成系統加固。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"針對重點系統加固的同時，京東智聯雲還會組織實戰演練，進行"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"“紅藍攻防對抗”"},{"type":"text","text":"，模擬真實黑客攻擊檢驗系統加固的有效性，發現隱藏的薄弱環節，並反饋改進方案，進一步提升系統安全性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雲上租戶也可以通過"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"雲上WAF"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"主機安全"},{"type":"text","text":"等安全防護產品的使用來加固重點業務系統，同時也可以使用安全攻防服務，來進行真實的“紅藍攻防對抗”，模擬黑客攻擊，檢驗系統隱藏較深的薄弱點。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"三、“護城河構築”- 超大流量DDos攻擊防護方案"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"DDoS全稱Distributed Denial-of-Service，其中Denial-of-Service意爲"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"拒絕服務，它的目的就是使服務不能訪問。"},{"type":"text","text":"Distributed是分佈式，指的是這種攻擊不是來自一個源頭，有可能來源於成千上萬臺設備。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"隨着IoT行業發展，物聯網設備增多，在線時間長，漏洞更新週期長，成爲攻擊者漏洞利用的溫牀，物聯網設備逐漸成爲DDoS攻擊的主力目標。據統計，2019年國內DDoS攻擊次數相比2018年增加了"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"30.2%"},{"type":"text","text":" ，100Gbps以上大型攻擊次數逐步攀升，超大規模攻擊持續增長已成爲常態。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"京東智聯雲的高防業務經過多年大促歷練，可以有效抵禦"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"SYN Flood"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"UDP Flood"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"ICMP Flood"},{"type":"text","text":"等各種流量攻擊，並且可以通過自建的超大帶寬高防機房、近源清洗、流量壓制、DNS刷新等機制，提供TB級流量防禦能力，抵禦超大流量攻擊。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/bf/bfcf254b66b8f9254b533c462e8ef425.webp","alt":null,"title":"▲圖2 超大流量DDoS攻擊防護方案▲","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"超大流量DDoS攻擊防護的實戰演練，也會在大促前完成，主要通過京東智聯雲在全國各地自建的機房，模擬多次超大流量攻擊，驗證防護能力的有效性。多次演練和實戰都證明，京東智聯雲的超大流量DDoS攻擊防護方案完全可以抵禦TB級的流量攻擊。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"四、“加固甬道”- 生態商家安全能力輸出"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"大促期間，京東周邊生態的商家也會面對大量攻擊威脅，京東智聯雲作爲京東集團對外技術賦能的出口，對外輸出了完整的覆蓋網絡層、應用層、業務層、數據層的整體解決方案，並實現了安全能力的積木化應用，生態商家可以根據自有需求選用對應能力進行安全加固。 "}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"五、“戰備指揮”- 安全運營中心"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"戰前準備工作完成後，就將進入到戰備指揮階段，京東智聯雲安全運營中心作爲京東智聯雲安全大腦，收集各個安全組件的海量數據，通過大數據關聯分析和機器學習技術，從全局視角提升對安全威脅的發現識別、理解分析、響應處置，最終提供給安全專家安全決策參考。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":" "}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全運營中心的安全分析能力來源於三部分："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一是京東歷年積累的618和11.11實戰安全攻防數據；"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"二是京東智聯雲安全專家團隊分析提煉的上百種威脅模型；"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"三是基於京東智聯雲豐富的用戶業務場景獲取的海量訓練樣本和威脅情報。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與各安全產品單兵作戰的場景不同，安全運營中心會7X24小時不間斷地分析和關聯各安全產品的攻防數據，對異常行爲和攻擊特徵進行精準提取和還原。在提升各安全產品防護效果的同時，協助安全專家完成大規模攻擊下的安全研判和決策。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/2c/2c6eba0ed9e18ff995edf782ae30cdff.webp","alt":null,"title":"▲圖3 安全指揮大屏▲","style":[{"key":"width","value":"100%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"六、總結"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"京東智聯雲作爲京東的技術基石，通過對"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"“城牆”"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"“城門”"},{"type":"text","text":"、"},{"type":"text","marks":[{"type":"italic"},{"type":"strong"}],"text":"“護城河”"},{"type":"text","text":"的構築，已經爲京東這座人聲鼎沸、車水馬龍的“城池”建立好了完善的安全防禦系統，同時通過“甬道”爲生態商家進行了安全能力輸出，爲生態商家的安全能力提升提供了堅實的基礎。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"推薦閱讀："}]},{"type":"bulletedlist","content":[{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/s?__biz=MzU1OTgxMTg2Nw==&mid=2247495271&idx=1&sn=a3028b7f3e0ce75b020ec0d8c49f5717&scene=21#wechat_redirect","title":""},"content":[{"type":"text","text":"11.11 Tech Talk | 如何應對大促流量洪峯？揭祕京東技術人的備戰手冊"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/s?__biz=MzU1OTgxMTg2Nw==&mid=2247492362&idx=1&sn=f4c5b781cf4e9af68238909d2ffe3a5b&chksm=fc133f7ecb64b6680aef36ab721fa6720daad3a557aa606d5fc271a7ac3274367a33c3326985&scene=21#wechat_redirect","title":""},"content":[{"type":"text","text":"Tech Talk | 2692億狂歡背後 只需這8步就可做好大促備戰"}]}]}]},{"type":"listitem","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https://mp.weixin.qq.com/s?__biz=MzU1OTgxMTg2Nw==&mid=2247492551&idx=1&sn=35106e9efba225b00ad4b11fc762fb13&scene=21#wechat_redirect","title":""},"content":[{"type":"text","text":"大促活動如何抵禦大流量DDos攻擊？"}]}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"歡迎點擊"},{"type":"text","text":"【"},{"type":"link","attrs":{"href":"https://developer.jdcloud.com/column?mid=12&utm_source=PMM_itpub&utm_medium=NAutm_campaign=ReadMoreutm_term=NA","title":""},"content":[{"type":"text","text":"京東智聯雲"}]},{"type":"text","text":"】"},{"type":"text","marks":[{"type":"strong"}],"text":"，瞭解開發者社區"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"更多精彩技術實踐與獨家乾貨解析"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":"center","origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"歡迎關注【京東智聯雲開發者】公衆號"}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/77/77b9f9bae21f5a6033857fbf27a4b901.jpeg?x-oss-process=image/resize,p_80/auto-orient,1","alt":null,"title":"","style":[{"key":"width","value":"50%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}