CSRF (Cross-Site Request Forgery), also known as One-Click Attack or Session Riding and usually abbreviated as CSRF or XSRF, is an attack in which a malicious website makes a user's browser send requests to another website on the user's behalf.
The preceding figure shows a simple model of a CSRF attack. A user visits the malicious Website B; Website B returns an HTTP response that instructs the user's browser to send a request to Website A. If the user already trusts Website A (for example, holds an authenticated session with it), Website A executes the request as if the user had sent it deliberately.
Based on this CSRF principle, a malicious website can make a user's browser send an HTTP request to Redis. Redis uses a text protocol and, when it receives input that does not match its protocol, it does not close the connection; it simply continues parsing. An attacker can therefore append Redis commands to an otherwise normal HTTP request, and those commands run on the Redis instance. If no password authentication is in place between the user and Redis, the appended commands execute normally; the data could, for example, be encrypted to extort money, exactly like the earlier MongoDB ransom incident.
The author of Redis fixed this problem in Redis 3.2.7 by adding special handling for the Host: keyword: the event is logged and the connection is closed, so that the illegal requests that follow are never executed by Redis.
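As an added illustration (not Redis's own source code), the following Python model shows why a lenient text-protocol parser lets commands appended to an HTTP request run, and how the keyword check introduced in 3.2.7 stops them. The server state, the command set and the HTTP request are constructed for the example; the real fix matches both the POST and Host: tokens, so both are checked here.

```python
import logging

# Tokens that Redis 3.2.7 treats as a sign of cross-protocol scripting.
HTTP_KEYWORDS = {"post", "host:"}


def parse_inline_lines(data: bytes):
    """Split an inline-protocol stream into argv lists, one per CRLF line.
    Blank lines (such as the HTTP header/body separator) yield nothing."""
    for line in data.split(b"\r\n"):
        argv = line.decode("latin-1").split()
        if argv:
            yield argv


def handle_stream(data: bytes, *, hardened: bool):
    """Model a Redis connection consuming one client stream.

    Returns (executed_commands, key_store, connection_aborted).
    A pre-3.2.7 server answers unknown commands with an error and keeps
    reading, so a command appended after HTTP headers still runs.
    A hardened server logs the event and drops the connection as soon as
    it sees an HTTP keyword, before any later line is processed."""
    store: dict = {}
    executed: list = []
    for argv in parse_inline_lines(data):
        cmd = argv[0].lower()
        if hardened and cmd in HTTP_KEYWORDS:
            logging.warning("Possible cross-protocol attack (%s); closing connection", argv[0])
            return executed, store, True
        if cmd == "set" and len(argv) == 3:      # toy subset of the command table
            store[argv[1]] = argv[2]
            executed.append(cmd)
        elif cmd == "ping":
            executed.append(cmd)
        # Any other token (POST, Host:, Content-Length:, ...) is an unknown
        # command: the lenient server replies with an error and continues.
    return executed, store, False


# Constructed sample: a browser-style POST with a Redis command in its body.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: redis.example.internal:6379\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"SET key value\r\n"
)
```

Run `handle_stream(SAMPLE_REQUEST, hardened=False)` and then with `hardened=True` to compare: the lenient model executes the appended SET, the hardened model aborts on the first line and executes nothing.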
Earlier, Redis had a security vulnerability through which attackers could obtain root permission on Redis services under certain conditions. The causes of these security problems can be attributed mainly to users' lack of understanding of Redis's security mechanisms, lack of Redis O&M experience, and insufficient use of the protection mechanisms Redis offers. ApsaraDB for Redis provides a more secure Redis service, and we recommend it for Redis deployments on the cloud.
By default, ApsaraDB for Redis only provides trusted intranet access; it cannot be reached from the Internet.
The ApsaraDB for Redis physical network and the user network are physically isolated; users' virtual machines cannot directly access the backend physical machine network.
If you use a VPC network on Alibaba Cloud, only services within the same VPC can access each other.
ApsaraDB for Redis supports whitelist settings. You can set a whitelist for allowed IP addresses in the console.
ApsaraDB for Redis enforces password authentication for instances in the classic network. You can set a complex password to prevent it from being cracked.
Each backend instance of ApsaraDB for Redis is isolated by ACL and by accessible directory: an instance may only access its own path, which prevents instances from interfering with one another.
ApsaraDB for Redis forbids some dangerous system management commands, such as save. To modify such parameters you must pass secondary authentication in the console, which also prevents direct operations on the backend configuration files and management commands.
ApsaraDB for Redis has a complete security monitoring system for physical machines. It regularly scans and updates the security monitoring policies to discover security risks as soon as possible.
The native Redis 3.0 cluster version does not support password verification; the ApsaraDB for Redis cluster version does, which improves security.