Joongsup CHOI
KISC/KrCERT
Network Security in Korea
AVAR 2004, 25-26, Nov. 2004
-2-
Contents
I. Positive Aspects of Internet
II. Negative Aspects of Internet
III. Big BANG, Triggering Point
IV. KISC’s Role
V. Hand-on Experience
-3-
I. Positive Aspects of Internet
[Chart: AS Path Length Graph, yearly graph (1 day average). Max avg. length 5.0, average avg. length 4.0, current avg. length 5.0; max max. length 33.0, average max. length 29.0, current max. length 30.0. Src.: http://www.cymru.com/BGP/asnpalen01.html]
[Chart: Internet topology. Src.: www.caida.org]
Network & Connectivity
-4-
I. Positive Aspects of Internet
[Diagram: Client/Server type (one server serving many clients) versus Pure Distributed type (peers connected directly to peers). Src.: www.boardwatch.com]
Application Change
-5-
I. Positive Aspects of Internet
Items                 China        Japan      Korea      World
Internet Users        87,000K      77,300K    30,000K    785,710K
% in Global           10.1%        9.8%       3.7%       Others: 76.4%
'00-'04 CAGR          253.3%       37.1%      53.5%      118.9%
No. of IPv4           47,584K      112,587K   31,504K    4,300M
Broadband Users (K)   17,700       13,150     11,500     N/A
Pop. (K)              1,327,976    127,944    47,136     6,453,311
Src.: www.internetstats.com & etc.
Volume Size of Internet
-6-
I. Positive Aspects of Internet
[Diagram: Korea Internet Infrastructure: 70+ ISPs, 86,000+ leased lines, 11+ million high-speed Internet subscribers]
Korea Internet Infrastructure
-7-
II. Negative Aspects of Internet
Yr.     Worm    Virus     RAT
1991      16    1,000      15
1992      17    2,600      20
1993      17    4,000      21
1994      17    5,900      21
1995      18    8,000      23
1996      22   15,000      27
1997      24   16,500     104
1998     127   24,000     443
1999     165   30,000   1,679
2000     271   49,000   4,754
2001   1,102   60,000   9,742
2002   1,978        ?  13,085
2003   2,488        ?  14,432
[Chart: Malicious code (worm, virus, Trojan/RAT) counts per year, 1991-2003, plotted from the table above; y-axis 0 to 60,000]
RAT [Remote Administration Tool]: a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.
Src.: www.pestpetrol.com
Worldwide Malicious Codes
-8-
II. Negative Aspects of Internet
[Diagram: vulnerability points across the Internet path. Access side: home (splitter, cable modem, dial-up modem, CPE, HDSL-RT, 2W/4W), DSLAM, WLL, ONU, CATV head end, leased-line router, VideoRP. ISP side: ISP network gateway, ISP1 ... ISP N, KRNET peering, GigaPOPs, international Internet, foreign ISP. Server farm: DNS, DBMS, Web, FTP, web mail. Vulnerability points annotated on the diagram: BIND, buffer overflow (B-O/F), Sendmail, Apache/IIS, SQL, Explorer, IOS/JunOS, "MS: Patch!!", hijacking, configuration error, BGP4.]
Vulnerability Points among Internet
-9-
II. Negative Aspects of Internet
Incidents by OS (share of reported incidents, as shown in the 2002 and 2003 pie charts):
OS                    2002     2003
Windows 95/98         33.5%    41.3%
Windows NT/XP/2000    62.6%    44.8%
Linux                  3.7%    11.3%
Solaris                0.2%     1.8%
etc.                   0.1%     0.8%
Windows incidents are increasing now and malicious traffic is overwhelming ...
Src.: www.krcert.org
Incidents depending on OS
-10-
III. Big Bang - Triggering Point
Some Parts of Slammer Source Code
PSEUDO_RAND_SEND:
    mov eax, [ebp-4Ch]        ; load the current pseudo-random value
    lea ecx, [eax+eax*2]      ; ecx = 3x
    lea edx, [eax+ecx*4]      ; edx = 13x
    shl edx, 4                ; edx = 208x
    add edx, eax              ; edx = 209x
    shl edx, 8                ; edx = 53504x
    sub edx, eax              ; edx = 53503x
    lea eax, [eax+edx*4]      ; eax = 214013x (the shift/add chain is a multiply)
    add eax, ebx              ; add the constant increment held in ebx
    mov [ebp-4Ch], eax        ; store the new value for the next iteration
[Worldwide Phenomena]
- Too fast to respond: "Warhol" worm
- Too many impacted servers
- Too widespread to coordinate
- Too many retries to connect
→ Most effective worm!
Src.: www.internetpulse.net
Slammer Worm ('03.1/25)
-11-
III. Big Bang - Triggering Point
Secure Internet requires:
- Gov.: law enforcement & security awareness PR
- Agency: on-line surveillance system
- Home: up-to-date patch
- Corp.: security awareness & CERT
- SW vendor: more secure SW and applications
- ISP: network security investment & enhancement
Lessons from Slammer Worm
-12-
III. Big Bang - Triggering Point
Security Awareness: 2003 - 2004
- Security inspection for the SME (free of charge)
- Incident handling manual for PC, ISP, IDC, Corp.
- Monthly information security campaign
Launching KISC: 2003.12.17
- 24h x 7d operation
- 5 min. information analysis (traffic, port, incidents)
- Korea Internet Security Coordination (KrCERT/CC)
Law Enforcement: 2004.1.29, rev. 2004.7.30
- Security inspection (ISP, IDC, main portal ..)
- Information sharing obligation with KISC
- Emergency response to block malicious port #
What Korean Government Has Done
-13-
IV. KISC's Role
[Diagram: National Cyber-Security Framework. KISC sits between the private sector (ISPs, AV, MSSP) and the public sector (Gov. agencies: SPPO, NPA, NIS), exchanging incident reports & case studies, technology & information, and information sharing through the Info. Sharing System / Co-Work.]
Public sectors: NIS = National Information Service; SPPO = Supreme Public Prosecutors' Office; NPA = National Police Agency
Private sectors: ISP = KT, DACOM, Hanaro ..; MSSP = Coconut ..; AV = Ahnlab, Hauri
National Cyber-Security Framework
-14-
IV. KISC's Role
[Diagram: KISC's task and job flow. Detection sources: remote agent, IDS/firewall, users, S/W and H/W, AV/vaccine, ISP/ESM, vulnerability and worm detection, foreign information. KISC flow: Detect → Analysis → Propagation → Recovery. Notification channels: notice mail, web, SMS, messenger, fax, TRS. Recipients: private sectors, home users, press & TV/radio, ISP hot liners, major ISPs & MSSP, foreign partners.]
KISC's Task and Job Flow
-15-
IV. KISC's Role
[Diagram: KISC's today and tomorrow. Around KISC (www.krcert.org): HoneyNet; domestic agencies; foreign organizations and agencies (US, Jp, Cn CERTs; APEC, global co-work; security information exchange); Bank/Stock ISAC and Telecom ISAC; ISPs, IDC/SO, security ASP; Nat'l Cyber Help Desk; Center for System Vulnerabilities (network vulnerabilities, Windows vulnerabilities, Unix/Linux vulnerabilities, OSS makers, VC 1 / VC 2, patch info., virus/attack samples); backup; home users, corporate users, hackers/intruders.]
KISC's Today & Tomorrow
-16-
V. Hand-on Experience
[Chart: No. of phishing incidents reported to KISC, Jan-Aug; y-axis 0 to 35; monthly values as extracted: 25, 26, 0, 24, 35, 22]
Reported by: foreign CERTs or victim organizations; response with ISPs. Major victims: US-Bank, City Bank, Bank of America, Brazilian bank ITAU, etc.
No. of Incidents reported to KISC
Phishing Scam
-17-
V. Hand-on Experience
Procedure: reported by users or ISPs (mail service providers). Countermeasure: on-site inspection and criminal investigation with prosecutors.
[Diagram: spam flow. ① Abettor sets up a zombie server; malicious code installed on compromised PCs. ② DNS server overloaded. ③ Lists update. ④ Mail server DNS query. ⑤ Spamming from the compromised PCs via the mail server. ⑥ Spam reaches users.]
Anti-SPAM Activities
-18-
V. Hand-on Experience
Security Awareness Activity
1) Security education for the security divide sector (SME, PC Plaza, users, etc.)
2) Publishing cyber security manuals (manual + CDs) for individual users, corporate network operators, ISP, IDC and PC-Plaza operators
Encouraging the establishment of CERTs: operation of CONCERT (CONsortium of CERT: 228 in Korea)
On-site security inspection for the SME (~ 2004): target 1,000 SMEs in security divide sectors; inspection and training (free of charge)
Sec. Awareness and Support
-19-
V. Q&A
Thanks!
For any further information, please contact: Choi, Joongsup: [email protected]