On-site notes from the Ctrip security salon

Posted by trammel at 2020-02-27

First of all, thanks to Ctrip for providing this opportunity and for the thoughtful reception. What follows is mainly a cleaned-up version of my on-site notes. The content belongs to Ctrip and the speakers; if there is any problem with it, contact me and I will remove it.

1、 Internet enterprise security (Alibaba, Niu Jilei / neeao)

Four aspects:

Introduction: security programs have been built, yet attacks still succeed, because the shortest stave of the barrel (the weakest link) cannot be found in time

1. System and network security

Keep the asset inventory 100% accurate so that the weakest link can be found

Only once the perimeter is known can perimeter security measures be applied

The accuracy of newly added assets cannot be guaranteed as the number of assets from acquired companies and partner companies rises

Perimeter security: ACL usage, IP whitelist usage, port usage

Problem: time and staff turnover erode the clarity and maintenance of ACLs, IP whitelists and port usage

ACL lifecycle management: registration before go-live, monitoring after go-live, monitoring after changes, monitoring of actual use

Server security lifecycle management: baseline configuration before go-live, security assessment and scanning after go-live, timely cleanup after decommissioning (many people say this, few actually do it -- neeao)

Ideal result:

Every server, every service and port, every application version, every ACL rule and every IP whitelist entry is known and actively managed

2. Web security

Identify which types of security problem each security tool is good at solving, and make sure every area is 100% covered by a tool that is good at it

Where the coverage of several security tools overlaps, roll them out in stages so that nothing is missed

Vulnerability risk management with explicit rules, such as required remediation timeframes

3. Office network security

Isolate the office network from the production network

The office network uses SSO, unified access and two-factor authentication

All back-office (admin) systems are intranet-only

Only trusted devices may connect to the bastion hosts of the office network and the production network

Do away with the flat intranet: remote work goes through VPN and a mobile app, and devices are admitted only after trusted-device authentication

4. Business security

The three most common categories: credential stuffing (撞库, "database collision"), malicious coupon harvesting and information leakage

Consolidate the scattered login entry points into a single login entry

Fight at the business layer by raising the attacker's cost and by human-versus-bot identification

Information leakage: desensitize (mask) sensitive information

5. Q&A

1) On the security ecosystem

Meaning that Alibaba's security measures, strategies and requirements are partially implemented at partner companies

Strengthen the system security of partner companies / merchants through JuShiTa (聚石塔, Alibaba's cloud platform for Taobao ISVs)

Promote installation of Alibaba's security client to improve the client-side security of partner companies / merchants

Audit and access-control external systems that connect in, via security scanning and detection

2) On zombie ACLs

Manual cleanup. Ctrip added: the existing ACLs can be compared against dynamic traffic monitoring, and managed visually
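The comparison just described (declared ACL rules versus traffic actually observed), written out as an added example; this is not Ctrip's or Alibaba's tooling. It assumes the ACL has been exported as a list of (name, source CIDR, destination CIDR, destination port, protocol) rules and that a flow collector (sFlow/NetFlow style) yields "src dst dport proto" lines; both the rules and the flow log below are constructed sample data.

```python
"""Zombie-ACL audit: compare declared ACL rules against observed flows."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port
    proto: str

    def matches(self, src_ip, dst_ip, port, proto):
        return (proto == self.proto and port == self.port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


# Hypothetical rule export; "legacy-ftp" was registered for a project that is long gone.
ACL_RULES = [
    AclRule("web-to-db", "10.1.0.0/24", "10.2.0.10/32", 3306, "tcp"),
    AclRule("ops-ssh", "10.9.0.0/24", "10.2.0.0/24", 22, "tcp"),
    AclRule("legacy-ftp", "10.1.0.0/24", "10.2.0.20/32", 21, "tcp"),
]

# Constructed flow records observed during the monitoring window.
FLOW_LOG = """\
10.1.0.5 10.2.0.10 3306 tcp
10.1.0.6 10.2.0.10 3306 tcp
10.9.0.7 10.2.0.10 22 tcp
10.5.0.9 10.2.0.10 3306 tcp
"""


def parse_flows(text):
    """Turn 'src dst dport proto' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def audit_acls(rules, flows):
    """Return (hits per rule, zombie rule names, flows no rule explains).

    First-match semantics, as on most ACL devices: a flow is credited to the
    first rule that matches it.  A rule with zero hits over the window is a
    zombie candidate; a flow that matches no rule means the export is stale
    or the device default-allows, and either way needs a look.
    """
    hits = Counter({r.name: 0 for r in rules})
    unmatched = []
    for flow in flows:
        for rule in rules:
            if rule.matches(*flow):
                hits[rule.name] += 1
                break
        else:
            unmatched.append(flow)
    zombies = sorted(name for name, n in hits.items() if n == 0)
    return hits, zombies, unmatched


if __name__ == "__main__":
    hits, zombies, unmatched = audit_acls(ACL_RULES, parse_flows(FLOW_LOG))
    print("hits:", dict(hits))
    print("zombie ACLs:", zombies)
    print("unexplained flows:", unmatched)
```

Run over a window long enough to cover monthly or quarterly jobs before declaring a rule dead, and treat the "unexplained flows" list as the more urgent finding: it is traffic the documented ACL does not account for.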

2、 Cloud computing security

1) BAT (Baidu, Alibaba, Tencent) and UCloud do not use OpenStack, to avoid being constrained by the direction of the OpenStack community

2) Many operations staff habitually keep operational information in Evernote (印象笔记), so when an Evernote account is stolen it leads to follow-on attacks. Recommendation: enable two-factor authentication on the web version, or drop the habit.

In a cloud environment there is an additional virtual network layer above the network layer. The IP-to-MAC mapping there comes from a statically maintained table rather than from ARP, so ARP attacks do not apply

1. WiFi security

WiFi DDoS: knock clients off the legitimate hotspot, then impersonate the hotspot

Complete physical isolation between the guest network and the office network

2. Security domains

The most effective security-domain division is by IP address; sound IP address planning makes the division easier

3. Operations security management

Roles are split into machine-room (data center), system operations and application operations, with layered permission restrictions to prevent user information leakage

Login goes through the bastion host with two-factor authentication; at the same time bash command records are collected from the servers and compared against the bastion host's records to find anomalies.

High-risk commands (such as rm -rf) are controlled through the bastion host

(crontab jobs run as root, in root's directory, so a recursive delete there is dangerous.)
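The bastion-versus-host comparison described above, as an added example (not Ctrip's or UCloud's tooling). It assumes the bastion writes one line per executed command in the form "ts sess=N user=U host=H cmd=..." and that each server ships its own bash history (for instance via PROMPT_COMMAND to syslog) as "ts host=H user=U cmd=..."; both logs below are constructed samples, and the high-risk pattern list is an illustrative assumption, not a complete policy.

```python
"""Correlate host-side bash audit records with bastion session records."""
import re

# Constructed sample: what the bastion recorded.
BASTION_LOG = """\
2020-02-27T10:00:01 sess=41 user=alice host=db01 cmd=uptime
2020-02-27T10:00:09 sess=41 user=alice host=db01 cmd=tail -n 50 /var/log/mysql/error.log
2020-02-27T10:05:00 sess=42 user=bob host=web03 cmd=systemctl restart nginx
"""

# Constructed sample: what the servers' bash auditing shipped to the log server.
HOST_LOG = """\
2020-02-27T10:00:01 host=db01 user=alice cmd=uptime
2020-02-27T10:00:09 host=db01 user=alice cmd=tail -n 50 /var/log/mysql/error.log
2020-02-27T10:05:00 host=web03 user=bob cmd=systemctl restart nginx
2020-02-27T10:07:30 host=web03 user=bob cmd=rm -rf /data/releases/*
2020-02-27T10:09:12 host=db01 user=root cmd=cat /etc/shadow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*?)\s*cmd=(?P<cmd>.*)$")

# Commands a bastion should block or route through approval (illustrative, assumed list).
HIGH_RISK = [
    re.compile(r"\brm\s+-\w*r\w*\b"),        # recursive rm in any flag order
    re.compile(r"\bdd\b.*\bof=/dev/"),
    re.compile(r"\bmkfs(\.\w+)?\b"),
    re.compile(r"/etc/shadow\b"),
    re.compile(r"\bchmod\s+(-R\s+)?777\b"),
]


def parse(text):
    """Yield (ts, fields dict, cmd) for each audit line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        yield m.group("ts"), fields, m.group("cmd").strip()


def is_high_risk(cmd):
    return any(p.search(cmd) for p in HIGH_RISK)


def correlate(bastion_text, host_text):
    """Return (bypass, risky).

    bypass: commands the hosts executed that never passed through the bastion
            (direct SSH, a cron job, a console session).
    risky:  high-risk commands wherever they were seen; those that also went
            through the bastion indicate a gap in its command policy.
    Matching is on (host, user, command), not timestamp, so clock skew between
    the bastion and the servers does not create false positives.
    """
    via_bastion = {(f["host"], f["user"], cmd) for _, f, cmd in parse(bastion_text)}
    bypass, risky = [], []
    for ts, f, cmd in parse(host_text):
        key = (f["host"], f["user"], cmd)
        if key not in via_bastion:
            bypass.append((ts,) + key)
        if is_high_risk(cmd):
            risky.append((ts,) + key)
    return bypass, risky


if __name__ == "__main__":
    bypass, risky = correlate(BASTION_LOG, HOST_LOG)
    for entry in bypass:
        print("not via bastion:", entry)
    for entry in risky:
        print("high-risk:", entry)
```

The bypass list is the interesting one: the root `cat /etc/shadow` on db01 has no bastion session behind it, which is exactly the case bastion logs alone can never reveal.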

4. Anti-DDoS

Common anti-DDoS appliances rely on sFlow-style statistical sampling, which has the drawbacks of high latency (about 30 s) and amplification of sampling error for individual flows.

UCloud's in-house product achieves low latency (on the order of 1 s), automatic scheduling and attack response, which is more efficient than the response and handling of a traditional IDC

Rising broadband speeds raise users' upload bandwidth and so indirectly scale up DDoS attacks

Machines found launching DDoS attacks are isolated or have their service stopped outright

5. SSH brute-force guessing

Although SSH is encrypted, such attacks can be spotted to some extent from packet characteristics, such as the number of RST packets per unit time
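The RST-rate signal just mentioned, as an added example (not UCloud's product). A password-guessing client that is rejected over and over produces many short-lived connections, so the per-source count of RST packets towards port 22 per time window is usable even though the payload is encrypted. The packet records are constructed inside the block as (timestamp, src, dst, dport, tcp_flags) tuples, the shape a capture parser would yield; the window size and threshold are assumed values to tune per environment.

```python
"""Flag SSH brute-force sources from their TCP RST rate, without decrypting SSH."""
from collections import defaultdict


def build_sample_packets():
    """Constructed traffic: a legitimate admin plus a brute-forcing host."""
    pkts = []
    # 198.51.100.4: two real sessions, each ends with a FIN and a single RST.
    for t in (5.0, 400.0):
        pkts += [(t, "198.51.100.4", "10.2.0.10", 22, "S"),
                 (t + 30, "198.51.100.4", "10.2.0.10", 22, "FA"),
                 (t + 30.1, "198.51.100.4", "10.2.0.10", 22, "R")]
    # 203.0.113.9: one login attempt every 1.5 s, each torn down with a RST.
    for i in range(40):
        t = 100.0 + 1.5 * i
        pkts += [(t, "203.0.113.9", "10.2.0.10", 22, "S"),
                 (t + 0.8, "203.0.113.9", "10.2.0.10", 22, "R")]
    return sorted(pkts)


def rst_rate_by_source(packets, dport=22, window=60):
    """Count RST packets per (src, window index) towards the given port."""
    counts = defaultdict(int)
    for ts, src, _dst, port, flags in packets:
        if port == dport and "R" in flags:
            counts[(src, int(ts // window))] += 1
    return counts


def brute_force_suspects(packets, threshold=10, **kw):
    """Sources whose RST count in any single window reaches the threshold."""
    counts = rst_rate_by_source(packets, **kw)
    return sorted({src for (src, _w), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    pkts = build_sample_packets()
    for key, n in sorted(rst_rate_by_source(pkts).items()):
        print(key, n)
    print("suspects:", brute_force_suspects(pkts))
```

A RST also appears in normal teardown (the legitimate host above produces one per session), so the threshold has to sit well above the rate a human operator generates; in practice this is combined with connection counts or bytes-per-connection from the same flow data before blocking.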

3、 Security platform construction and business security (Wanda, Lin Peng)

1. Viewpoints

Foundational security supports the development of business security, and business security in turn feeds back into foundational security

Security in B2C faces ordinary (novice) users, not professionals

Think about problems not only from the security perspective, but also from the perspective of the novice user, the company and management

Security staff must plan for the worst case; never assume "that is impossible, it will not happen"

2. User behavior analysis

Sign-up, sign-in, password change, password reset, PC / mobile device, habits

Behavior modeling:

Normal user behavior: registration -> login -> recharge -> investment -> collection -> withdrawal

Abnormal user behavior: registration -> login -> edit profile -> edit profile -> edit profile

Log analysis:

From the logs, compute metrics such as the average URL depth (the number of "/" characters in the path; about 3 on average), access dispersion (pages visited / visits), the proportion of 200 responses, etc.
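Both halves of the analysis above (the event-sequence model and the log metrics) as an added example; this is not Wanda's or Ctrip's system. The event names, the thresholds and the access-log lines are constructed for illustration: the first client behaves like a shopper, the second like a scanner probing for admin paths.

```python
"""Sequence check and per-client log metrics for user behavior analysis."""
import re
from collections import defaultdict

NORMAL = ["register", "login", "recharge", "invest", "collect", "withdraw"]
ABNORMAL = ["register", "login", "edit_profile", "edit_profile", "edit_profile"]


def check_sequence(events, max_repeat=2):
    """Findings for one account's event sequence: the same action repeated
    more than max_repeat times in a row, or a withdrawal with no prior money-in."""
    findings = []
    run, seen = 0, set()
    for i, ev in enumerate(events):
        run = run + 1 if i and ev == events[i - 1] else 1
        if run == max_repeat + 1:
            findings.append(f"{ev} repeated {run}+ times in a row")
        if ev == "withdraw" and not ({"recharge", "invest"} & seen):
            findings.append("withdraw before any recharge/invest")
        seen.add(ev)
    return findings


# Constructed access log in a common-log-like format.
ACCESS_LOG = """\
10.0.0.1 - - [27/Feb/2020:10:00:01 +0800] "GET /index.html HTTP/1.1" 200
10.0.0.1 - - [27/Feb/2020:10:00:05 +0800] "GET /product/123 HTTP/1.1" 200
10.0.0.1 - - [27/Feb/2020:10:00:09 +0800] "POST /cart/add HTTP/1.1" 200
10.0.0.1 - - [27/Feb/2020:10:00:30 +0800] "GET /checkout HTTP/1.1" 200
203.0.113.7 - - [27/Feb/2020:10:01:00 +0800] "GET /admin/ HTTP/1.1" 404
203.0.113.7 - - [27/Feb/2020:10:01:00 +0800] "GET /phpmyadmin/index.php HTTP/1.1" 404
203.0.113.7 - - [27/Feb/2020:10:01:01 +0800] "GET /.git/config HTTP/1.1" 404
203.0.113.7 - - [27/Feb/2020:10:01:01 +0800] "GET /wp-admin/install.php HTTP/1.1" 404
203.0.113.7 - - [27/Feb/2020:10:01:02 +0800] "GET /api/v1/user/1/profile HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def log_metrics(text):
    """Per client: mean URL depth (count of '/'), dispersion (distinct paths / requests), 200 ratio."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_ip[m["ip"]].append((m["path"].split("?", 1)[0], int(m["status"])))
    out = {}
    for ip, reqs in per_ip.items():
        n = len(reqs)
        out[ip] = {
            "requests": n,
            "mean_depth": sum(p.count("/") for p, _ in reqs) / n,
            "dispersion": len({p for p, _ in reqs}) / n,
            "ok_ratio": sum(1 for _, s in reqs if s == 200) / n,
        }
    return out


def suspicious_clients(metrics, min_ok_ratio=0.5, max_depth=3.0):
    """Clients whose error ratio or path depth is off the normal profile (assumed thresholds)."""
    return sorted(ip for ip, m in metrics.items()
                  if m["ok_ratio"] < min_ok_ratio or m["mean_depth"] > max_depth)


if __name__ == "__main__":
    print("normal:", check_sequence(NORMAL))
    print("abnormal:", check_sequence(ABNORMAL))
    metrics = log_metrics(ACCESS_LOG)
    for ip, m in metrics.items():
        print(ip, m)
    print("suspicious:", suspicious_clients(metrics))
```

The thresholds only make sense relative to the site's own baseline, which is why the speaker quotes an observed average depth rather than a fixed rule.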

3. Q&A

A P2P company ran a "spend 50, get 20 back" cashback promotion; once it went live it produced losses in the tens of thousands and a high server load. How should this be handled?

For the "wool party" (薅羊毛 bonus hunters: order brushing, coupon abuse and cashback abuse), reduce the payout, turn cash into various coupons, and restrict who qualifies and how the reward can be used

Ctrip added: Ctrip, Vipshop, Taobao and others have set up a blacklist-sharing alliance covering malicious IPs, user IDs, email addresses, mobile numbers and so on. The degree of participation is set according to the volume of the participating companies

4、 Security construction and the account system (Vipshop, Xiaopang)

1. Security team development

2013: 2 in security management and 1 in security technology

2015: 3 categories, 5 departments, 35 people in total

Monitoring and response, 8 people -- SOC platform, emergency response, early warning, SRC, etc.

Internal product security, 8 people -- security testing, black-box and white-box, security research

External product security, 6 people -- operations security, network security, device software, services, etc.

Security management and training, 8 people -- process rules and regulations, reporting, bidding, security training, etc.

Business security, 5 people -- abnormal business tracking, risk-control products and operations, etc.

2. Security work

1) Changes in content:

2013: bug fixes, network remediation, server security baseline, security domain division, system vulnerability patching, management specifications

2015: covers security audit, security management, operations security, network security, web security, app security, security requirements for products, risk-control strategy and operations, business security, security training, log monitoring, etc.

2) Change in form:

From fire-fighting to control; now entering or about to enter the construction stage

3) Current weakness: security operations

Security inspections, system security assessment, password policy, vulnerability handling and emergency response, security approval before projects go live

The password policy must be strictly enforced -- a compromised mailbox leads to further intranet penetration, which is very damaging

Talent acquisition: hire from development and operations, who already have a technical foundation; better than recruiting newcomers.

3. Thinking

1) Security service layer (the relevant security interfaces)

2) Security infrastructure

3) Automation of security monitoring, detection and verification

4) User credit scoring system

4. Against the wool party

1) Registration restrictions: image captcha, SMS verification code, voice verification code

2) Collect registration data, model it, and mark sock-puppet ("vest", 马甲) accounts (device fingerprint, behavior identification, biometrics, etc.)

3) User value system: starting from registration, assign different user values from multi-dimensional data

4) Behavior checkpoints: use the dimensional data to control scalpers' (黄牛) behavior, adding verification steps to raise their cost

Since the wool party and scalpers are driven by profit, the defense is layered (defense in depth) and their path is stretched out:

1. Increase the difficulty of making a profit

2. Adjust the business design appropriately to reduce the profitability (too much profit on offer cannot be solved by technology)
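Points 2) to 4) above chained together as an added example; this is not Vipshop's risk-control system. It assumes registration events are available as (user, epoch seconds, device fingerprint, IP, phone verified); the records, the grouping thresholds and the score bands are constructed assumptions. Accounts sharing one device fingerprint, or arriving in a burst from one IP, get marked, the marks feed a simple user-value score, and the score decides which extra verification steps a later checkpoint (coupon claim, withdrawal) demands.

```python
"""Mark sock-puppet registrations, score users, and pick verification steps."""
from collections import defaultdict

# Constructed registrations: (user, epoch_seconds, device_fingerprint, ip, phone_verified)
REGISTRATIONS = [
    ("u1001", 1000, "fp-aaa", "10.0.0.1", True),
    ("u1002", 1030, "fp-bbb", "10.0.0.2", True),
    ("u2001", 2000, "fp-ccc", "203.0.113.5", False),
    ("u2002", 2012, "fp-ccc", "203.0.113.5", False),
    ("u2003", 2025, "fp-ccc", "203.0.113.6", False),
    ("u2004", 2031, "fp-ddd", "203.0.113.5", False),
]


def mark_vest_accounts(regs, fp_limit=3, ip_limit=3, window=300):
    """Return {user: sorted flags} for registrations that look like sock puppets."""
    flags = defaultdict(set)
    by_fp, by_ip = defaultdict(list), defaultdict(list)
    for user, ts, fp, ip, _ in regs:
        by_fp[fp].append(user)
        by_ip[ip].append((ts, user))
    # One device fingerprint behind several accounts.
    for users in by_fp.values():
        if len(users) >= fp_limit:
            for u in users:
                flags[u].add("shared-device")
    # Sliding window: ip_limit registrations from one IP within `window` seconds.
    for events in by_ip.values():
        events.sort()
        for i in range(len(events) - ip_limit + 1):
            if events[i + ip_limit - 1][0] - events[i][0] <= window:
                for _, u in events[i:i + ip_limit]:
                    flags[u].add("ip-burst")
    return {u: sorted(f) for u, f in flags.items()}


def user_value(phone_verified, flags):
    """0..100 score: neutral start, credit for a verified phone, debit per flag (assumed weights)."""
    score = 50 + (20 if phone_verified else -20) - 15 * len(flags)
    return max(0, min(100, score))


def required_checks(score):
    """Extra verification demanded at a sensitive step, by score band (assumed bands)."""
    if score >= 60:
        return []
    if score >= 30:
        return ["image_captcha", "sms"]
    return ["image_captcha", "sms", "voice"]


def assess(regs):
    """{user: (score, flags, required checks)} for every registration."""
    flags = mark_vest_accounts(regs)
    result = {}
    for user, _, _, _, phone_ok in regs:
        f = flags.get(user, [])
        score = user_value(phone_ok, f)
        result[user] = (score, f, required_checks(score))
    return result


if __name__ == "__main__":
    for user, (score, f, checks) in assess(REGISTRATIONS).items():
        print(user, score, f, checks)
```

The point of the score is that the cost lands on the scalper at the moment of profit, not at registration: a low-value account is still allowed to exist, it just has to clear captcha, SMS and voice checks every time it tries to cash a coupon.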

5、 Mobile code security (Ctrip, Zheng Wei)

Ctrip's in-house app hardening system: Quark

Threats: public WiFi, information harvesting, TCP hijacking

1. Common threats

1) Remote control

2) Malicious charging (fee-deducting malware)

3) Cracked apps and cheat plug-ins

4) Sensitive information leakage

5) Local process injection

6) Pirated (repackaged) apps and phishing

7) Server-side vulnerabilities

2. App hardening

The Java layer has many library functions, function names cannot be stripped, and it is easy to decompile

The native (.so) layer, implemented in C / C++, is hard to decompile

3. Enterprise security measures

4. APK protection ideas

1) APK protection mainly protects the Java part; the .so part is already hard to analyze.

2) Against push-button tools such as dex2jar, make the tool crash.

3) If the shell is removed in one pass at load time, the attacker needs only a single memory dump; dynamic (on-demand) unpacking is recommended.

4) Use VM-based (virtualization) obfuscation when capable

All PPT downloads


[Original: On-site notes from the Ctrip security salon, by Phoenix -- collated and released by Security Pulse editor Teacher Yang]

Author: Ctrip Security Emergency Response Center

This article is published in the Security Pulse column by the author. Please note: