

Building the next generation of secure Internet

Posted by melchionda at 2020-03-13

I was very happy to learn the other day that I had been selected for MIT's TR35. I think this is proof that China's security technology is internationally recognized. But this honor belongs not only to me, but also to everyone in my team who has put effort and contributions into this, as well as to those customers who dared to try the latest technology with us, because a new technology is often raw when it is born, and without the tribulations of the incubation process we would never see the day it blooms beautifully. I would also like to thank Dr. Wang Jian, Dr. Gong Fengmin, Mr. Hua Xiansheng and Professor Dawn Song for being my TR35 recommenders. Thank you for your recognition of my work.

Since I started working, I have been dedicated to pushing Chinese technology out to the world. I think China has the best security technology and the best people, but it lacks the soil and the stage for them to grow. So I also hope that MIT's recognition of me will become an opportunity to encourage the excellent talent and technical achievements of China's security industry to go out into the world. For a long time we have enjoyed many of the dividends of open-source technology, but the contribution of Chinese technology to the development of the world's Internet has been very small. I think there are language barriers and cultural barriers, but no ability barriers. Now is the time for us to overcome these obstacles and solve the problems encountered in the development of the global Internet. Only when China's local talent grows up can China become more powerful.

Looking back on my working life of more than ten years, I have engaged in and studied a lot of technical work, but I think only the research on the "elastic security network" is truly unique. The "elastic security network" is not an application of existing technology; it is a real invention of a technology that did not exist before: a new method is proposed, and a new perspective is adopted to view the existing world. Therefore it can jump out of the existing technical framework and bring some breakthrough surprises. Often even the creator cannot see these surprises clearly at the beginning. Just as blockchain technology was abstracted from Bitcoin, the first product we built, "Game Shield", was used to defend against massive-traffic DDoS attacks, and the "elastic security network" technology that was finally abstracted out of it let us see the possibility of building the next-generation Internet.

In short, the elastic security network advances DDoS defense to the edge of the network. However, the real thing to do in the future is to rebuild a clean and secure Internet through end-to-end connection and risk-control technology.

A few days ago a reporter from MIT Technology Review interviewed me, and I elaborated fully on the concept of the elastic security network. I am putting the recording of this interview here to share with everyone interested in the technology, and attaching the edited text (but I still strongly recommend listening to the original recording). In the future, I hope more people will participate in the construction of the "elastic security network".

Why elastic security network

Internet traffic is like water flowing through a pipe, but as the Internet has developed, too many things have been mixed into the flow, and it is no longer pure and healthy. For example, this traffic contains many attack requests, many malicious crawler requests and some fraudulent requests.

Ideally, we hope that future traffic will be clean and healthy, and that all network attacks will be pushed to the edge of the whole network. That is to say, traffic is already clean when it enters the network. This is the concept of clean traffic.

We encountered many difficulties in trying to realize this idea, and we kept thinking about what kind of architecture was needed to implement it. At that time some of our customers were trying to use the idea of fast switching to fight DDoS attacks, and that inspired me. Finally I put the two things together and came up with the idea of building an elastic security network.

What is elastic security network

What the elastic security network really wants to do is to replace DNS, the core heart of the whole Internet, so as to make the network flexible, able to schedule resources quickly, and to form a new network architecture.

DNS was born in the early days of the Internet. It is a product of the Internet 1.0 era and an open protocol. To this day, no single operator runs the DNS servers for the entire Internet; they are scattered among different operators. There may be hundreds of operators around the world, each providing its own DNS service, and operators exchange data with each other through the standard DNS protocol.

This is also the reason why the DNS protocol has not been able to improve for so many years: it is too fragmented.

At present, DNS has three significant problems. First, the time for a DNS change to be fully resolved everywhere is too long, which is a very big pain point in the use of DNS as a whole.

For example, suppose a large website wants all of its users' traffic directed to a new address. After the DNS record is modified, it may take two to three days before 100% of the traffic has switched to the new address and there is no residual traffic on the old address.

Why does it take two to three days? The reason is that there are many operators' recursive DNS resolvers, each of which needs to update its own data. And some operators have their own provincial operators, or even lower-level recursive DNS resolvers. Because of this fragmentation it is difficult to manage the data in a unified way, which is a real problem today.

The second problem is that today's DNS server software has hit a bottleneck in the number of resolutions. There is no way to resolve a name to thousands, tens of thousands, or even hundreds of thousands of different addresses. A name may resolve to a dozen or a few dozen addresses at most, and it cannot be expanded further. This bottleneck limits the development of some of our capabilities.

Third, some security mechanisms, such as risk control, that could have been implemented on top of DNS have never been established. This is easy to understand: in the Internet 1.0 era there was no data and computing power as powerful as today's.

Today we are going to solve these problems. Under the framework of the elastic security network, what form should the next-generation Internet take? The answer is to reconstruct the heart of the Internet through reliable and fast scheduling technology.

First of all, it must have fast resolution capability, which must be very real-time and clean. Secondly, it must have its own scheduling capability. Scale is particularly important here: to reach the level of tens of thousands, a name must be able to resolve to tens of thousands, or even hundreds of thousands, of addresses.

Take defending against DDoS attacks. In the past, when defending against DDoS attacks, we had to reserve large bandwidth at a single point, because the IP address could not be changed (in China's network environment, anycast is not considered for the time being, for policy reasons). Therefore, under the DNS architecture, the traffic attack that hits this IP has to be absorbed there. For example, if 300 Gbps of attack traffic arrives, there must be 300 Gbps of bandwidth here to carry it. If there is only 100 Gbps of bandwidth, the whole data center will be blocked, which may even affect the network stability of the operators.

This was the idea of attack-defense confrontation in the past: however much you attack, I must have that much bandwidth reserved here. It compares resources purely in terms of bandwidth reserves.

Our current idea is: if you attack this IP address, I take it offline immediately. I stop using that IP address, enable a new one, and tell all customers to visit the new address.

Of course, the attacker will follow at this point, but following has a cost for the attacker. Generally it takes an attacker more than 10 minutes to follow to a new address.

In these 10 minutes, through data analysis, we can analyze who the attacker is, separate the good from the bad, stop the bad traffic, and keep the traffic clean at the same time. This is the core idea of the whole elastic security network.
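The switch-and-separate idea described above, as a toy Python model added here for illustration (this is not Alibaba's code; the scheduler design, the `ElasticScheduler` class, the address pool and the client names are all constructed). The scheduler stands in for DNS: it hands each client an address, retires an address under attack, re-points the clients it knows about, and treats any source that keeps hitting the retired address, or reaches an address it was never issued, as attack traffic to be cut off.

```python
from collections import defaultdict


class ElasticScheduler:
    """Stand-in for DNS inside the elastic network (constructed toy model)."""

    def __init__(self, pool):
        self.free = list(pool)          # addresses not yet used (constructed)
        self.active = set()             # addresses currently serving traffic
        self.retired = set()            # addresses taken offline after an attack
        self.issued = defaultdict(set)  # client -> addresses the scheduler gave it
        self.blocked = set()            # sources judged to be attack traffic

    def resolve(self, client):
        """Hand a non-blocked client an active address (None if blocked)."""
        if client in self.blocked:
            return None
        if not self.active:
            self.active.add(self.free.pop(0))
        addr = min(self.active)  # deterministic pick; a real system would balance
        self.issued[client].add(addr)
        return addr

    def rotate(self, attacked):
        """Take the attacked address offline and re-point its clients."""
        self.active.discard(attacked)
        self.retired.add(attacked)
        new = self.free.pop(0)
        self.active.add(new)
        for client, addrs in self.issued.items():
            if attacked in addrs and client not in self.blocked:
                addrs.add(new)  # "tell all customers to visit the new address"
        return new

    def observe(self, client, addr):
        """Risk control on one request during the follow window.

        Legitimate clients were re-pointed, so a source still hitting a
        retired address, or hitting an address it was never issued, is
        treated as attack traffic and cut off from future resolution.
        """
        if client in self.blocked:
            return "blocked"
        if addr in self.retired or addr not in self.issued[client]:
            self.blocked.add(client)
            return "blocked"
        return "ok"
```

The model deliberately ignores how the attack on an address is detected in the first place; it only shows how rotation turns the attacker's lag into a classification signal.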

How to realize elastic security network

The implementation of the elastic security network replaces the defense capability that used to require reserving large bandwidth at a single point with the ability to quickly schedule across tens of thousands of addresses.

That is, you no longer need to reserve large bandwidth at a single point. What you need is more addresses and stronger data-analysis capability.

Reserving large bandwidth at a single point is very expensive. With this method, the cost of DDoS defense can be reduced by two to three orders of magnitude, because there is no need to reserve large bandwidth at a single point.

After finishing this, we found that the most important thing was actually not having an additional way to fight DDoS attacks, but changing DNS itself; that is the essence. So we used a new technology to solve an old problem.

Elastic security network will give birth to the biggest artificial intelligence

Along with the idea of the elastic security network, we hope to manage the resources of the whole Internet through risk control.

In the future, the elastic security network will redefine the entrance to the Internet. By establishing a "footprint database" for each visitor, the probability that the visitor is a good or bad actor is analyzed. Once an access request is judged to be possibly risky, the visitor can immediately be prevented from accessing the resource.

Therefore, the biggest artificial intelligence of the future should be born in the elastic security network, because it manages the resources of the whole Internet and judges risk based on the accumulated behavior of each visitor.

It is as if, to enter this closed network, every visitor first has to pass a security check, and the resource can be accessed only after passing it. Moreover, all of a visitor's historical behavior is accumulated and kept for future risk judgments. However, DNS, the heart of the Internet today, has lost the possibility of unifying and analyzing all access data because of its openness and fragmentation.

In a self-contained closed-loop system, one infrastructure provider operates the resolution service of the whole network's heart. Based on this resolution service it can intelligently analyze all visitors in the whole network, and finally bring all visitors' requests in this network under risk control, so as to build a new Internet.

The future of the elastic security network

Today, some game customers on Alibaba Cloud use elastic security network technology to schedule all their game resources and to control the risk of all players.

The elastic security network is self-contained. In other words, the games that use the elastic security network have disappeared from the Internet as it is supported by DNS today.

A player cannot reach any of the resources in the elastic security network through DNS. What we need to do in the future is to keep expanding the network until the schedulable resources in it cover all the resources of the Internet.

At present, the main opportunities are IoT and the mobile Internet, because there DNS is not needed. In the past, DNS was needed because there was a browser with an address bar, which could only reach resources when a friendly address was typed into it.

In the era of the mobile Internet, today's mobile phone does not need a browser; it directly opens an app. What this app accesses does not need DNS to resolve.

This is a very important reason why we see that today's technology is likely to carry on.

In the IoT era, there is no need for a browser to access the services and resources you need.

So this is the most important reason I see that this network may upgrade the whole Internet in the future.

Alibaba will open its elastic security network technology capabilities

In the future, Alibaba will open up the technology of the elastic security network.

Like DNS, the elastic security network itself does not touch the resources being accessed; it just knows that you are here today. It is like a person traveling to a certain country today, who has to pass through customs on entry and exit; this is one of the reasons.

In fact, in many key areas, the elastic security network is very valuable.

For example, the private networks or intranets of governments or large enterprises and institutions. If they are based on DNS, that is a weakness exposed to the whole network, because DNS is an open service. Once the single point of DNS is paralyzed, the whole network may stop working, so this is a very big risk.

Therefore, elastic security network technology is not designed for one customer; it is designed for the whole Internet.