This article is published by NetEase Cloud.

Security is an eternal topic. As business keeps moving to the cloud and attacks grow more and more complex, how severe is the Internet security situation today? How does NetEase Cloud respond to it?

Shen Mingxing, chief security architect of NetEase Cloud

On April 13, the NetEase Cloud Shield-CNCERT closed-door Security Salon was held in Hangzhou. Shen Mingxing, chief security architect of NetEase Cloud, shared his understanding and thinking at the salon.


Security risks are escalating


Seemingly to show NetEase's capability in the security industry, Shen Mingxing opened his talk by introducing NetEase's business and its security team. He said that NetEase's business covers e-commerce, education, interactive entertainment, social networking, news, email, hardware, finance and other fields, and that these businesses are built on the “four-in-one” security defense system of NetEase's security team.


Operating this system, NetEase security has found a lot of problems. For example, game apps face escalating security risks: plug-ins, source code being forcibly modified, and data and user information problems. “On average, a popular app has 27 copycat apps,” he said. “This has severely damaged the life cycle of the game, the balance of the game, the number of users and the interests of the company,” Shen said.


On DDoS attacks, Shen Mingxing said that most attacks in 2014 were 50Gbps, and the attack methods were mainly IDC forged-source-IP attacks. In 2015, 100G+ attacks became normal, and the attack tactics changed from forged source IP addresses to reflection attacks. In 2016, 300GB+ attacks became normal, and the rise of IoT and mobile devices led to a steady stream of attacks based on real devices. In 2017, 500G+ attacks became normal, and attacks based on private protocols and real sources are on the rise. In 2018, 800G-1T traffic attacks are expected to become the norm.

Under DDoS attacks, qipai (chess and card) games suffered the most. “The impact was that 90% of game businesses were completely offline within 2-3 days of the attack, and after 2-3 days of the attack, the number of players would drop from tens of thousands to hundreds. Game companies can lose millions of yuan a day after DDoS attacks,” Shen Mingxing shared.


“Three parties and one guest” black and gray forces run through the whole life cycle of product development


Today's black and gray industry chain has a clear division of labor, strong technology, rich resources… Its capabilities are beyond imagination, which raises a lot of security problems right now.


What’s even more worrying is that the reach of the black and gray industry extends throughout the product lifecycle:


1. In the start-up stage of the product, we are faced with:


  • Plug-ins, cracking, tampering, repackaging
  • Ad modification/removal, malicious code
  • Being tuned and sped up
  • Memory dumping and resource leakage


2. In the growth stage of the product, we are faced with:


  • Batch registration of game accounts
  • Account bumping, brute-force cracking
  • Game channel cheating
  • Game campaign marketing cheating


3. In the appreciation stage of the product, we are faced with:


  • Content involving politics, violence and terrorism
  • Advertising, pornography
  • Contraband, spam flooding, screen flooding


4. In the stable stage of the product, we are faced with:


  • Network intrusion
  • DDoS attack


How do you solve these problems?


How does NetEase build its own security defense system?


As mentioned at the beginning of the article, NetEase has built a “four-in-one” security defense system. What is its architecture?

The chief security architect of NetEase Cloud said that it is composed of four parts:


The first part is content anti-spam technology, which has been upgraded through three generations. The first generation was based on keywords, black-and-white lists, filters and classifiers. The second generation was based on content feature recognition (skin color, texture), Bayesian filtering, similarity matching and a rule system. The third generation moved up to big data analysis (user behavior, user classification), human-machine recognition, artificial intelligence and machine learning (semantic recognition, image recognition). After these continuous upgrades, the anti-spam technology covers text, pictures, voice, video and other fields, and in scenarios such as advertising filtering, intelligent pornography detection, violence and terrorism identification and political content detection, the anti-spam effect exceeds all customers’ expectations.

The second part is the multiple water technology business security defense system: the forms of business security include protected information authentication, registration, login anti-cheat protection and marketing, and behind these forms many technologies work in linkage: human-machine identification, risk lists, IP portraits, device models, behavior models, business models, correlation analysis, rule systems, etc.

The third part is security protection for the whole life cycle of an app, including channel monitoring, app security detection and evaluation, Android application reinforcement, iOS application reinforcement, app communication security components, H5 page protection, a security keyboard and other security capabilities.

The fourth part is the network security capability of multi-level, three-dimensional protection. By monitoring and analyzing all outbound traffic and relying on NetEase’s big data analysis technology, it can automatically detect attacks and perform fine-grained classification, identification and cleaning.

Its protection technology advantages include:

  1. DDoS threat intelligence sharing, including IP library, attack characteristics, attack tools
  2. Outbound attack defense: all local IDC rooms jointly block the attacked IP addresses
  3. Interworking with carriers
  4. Intelligent learning of business traffic models: data mining, machine learning, deep learning and other means are used to build algorithm models of business traffic in different scenarios
  5. Deep-level DDoS attack detection: detects multi-layer and deep-level attacks on data packets, through means such as abnormal traffic analysis, application-layer analysis, host identification, protocol analysis, fingerprint detection, connection tracing, port protection, and traffic control
  6. Cleaning strategy based on a multidimensional reputation database (IP, device, fingerprint), established from NetEase big data for user IPs, user devices and user fingerprints

In addition, NetEase’s network security offering also provides NWAF, vulnerability scanning, SSL, penetration testing, risk assessment, intrusion detection, security training, planning consulting and emergency response.



Meanwhile, NetEase Cloud also builds situational awareness for content, service, network and mobile security, to help users quantify and understand the security situation that currently concerns them.


Shen Mingxing finally pointed out that NetEase’s security capabilities have been moved to the cloud and are offered externally through the Yi Shield business. By connecting to Yi Shield, any company can achieve the level of security protection of large companies.

