2010. 5.
Jeong, Hyun-Cheol
Contents
1. DDoS Attacks in Korea
2. Countermeasures against DDoS Attacks in Korea
3. Conclusion
1. DDoS Attacks in Korea
• DDoS Attack Trends
• 7.7 DDoS Attack and Lessons
Status of the IP Network in Korea
- 1st-level domains: 1.8 M (.kr: 1 M; gTLD (.com, .net, …): 0.8 M)
- Hosts: 8.7 M
- Mobile phone users: 46 M
- Internet users: 36 M
- High-speed Internet users: 15.7 M
- IPTV users: 1 M
- VoIP users: 7.1 M
- IDCs: 60
- ISPs: 154
- Population of S. Korea: 49 M
(1 M = 1,000,000)
DDoS Attacks in Korea: Status & Trends
- The first DDoS attack in Korea occurred in 2006
- Increase of target systems
  - Small websites → major websites (bank, portal, …)
- Increase of ransom DDoS
- Increase of application-layer DDoS attacks (above 50%)
  - HTTP GET flooding, Slowloris, SIP flooding
  - Network bandwidth consumption → system resource consumption
- Application-layer DDoS attacks are hard to detect and block
  - Because each zombie PC generates only a small amount of traffic, legacy security solutions have difficulty detecting it
[Chart: risk of DDoS targets by year, 2006 to 2009: chat and gambling sites; on-line game sites; bank, shopping and game sites; portal and public sites. Trend from web-server-targeted DDoS toward DNS- and private-IP-targeted DDoS]
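The slide's point that each zombie's traffic is small is easiest to see in a web server log. The following is an added example, not code from the presentation: it parses constructed Common Log Format lines, applies a per-client rate threshold of the kind a legacy solution would use, and then applies an aggregate per-URL check that also counts distinct clients. The addresses, paths, timestamps and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$'
)


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def build_sample_log():
    """Constructed log: 50 'zombie' clients each send 2 GETs to /login inside a
    10-second window (0.2 req/s each), plus one legitimate client browsing."""
    lines = []
    stamp = "[05/Jul/2009:18:00:%02d +0900]"
    for i in range(50):
        ip = "203.0.113.%d" % (i + 1)  # TEST-NET-3 addresses, constructed
        for k in range(2):
            sec = (i + 5 * k) % 10
            lines.append('%s - - %s "GET /login HTTP/1.1" 200 512' % (ip, stamp % sec))
    for sec, path in [(1, "/"), (3, "/news"), (7, "/login")]:
        lines.append('198.51.100.5 - - %s "GET %s HTTP/1.1" 200 1024' % (stamp % sec, path))
    return lines


def per_source_rates(records, window_s):
    counts = Counter(r["ip"] for r in records)
    return {ip: n / window_s for ip, n in counts.items()}


def flag_by_source(records, window_s, max_rps):
    """Legacy view: a client is suspicious only if its own rate is high."""
    rates = per_source_rates(records, window_s)
    return sorted(ip for ip, rps in rates.items() if rps > max_rps)


def flag_by_url(records, window_s, max_rps, min_sources):
    """Aggregate view: a URL is under attack if its total request rate is high
    AND the requests come from many distinct clients."""
    ips_by_path = defaultdict(list)
    for r in records:
        ips_by_path[r["path"]].append(r["ip"])
    flagged = {}
    for path, ips in ips_by_path.items():
        rps = len(ips) / window_s
        sources = len(set(ips))
        if rps > max_rps and sources >= min_sources:
            flagged[path] = {"rps": rps, "sources": sources}
    return flagged


def analyse(lines, window_s=None):
    """Run both checks; the window defaults to the span of the log timestamps."""
    records = [r for r in map(parse_line, lines) if r is not None]
    if window_s is None:
        times = [r["time"] for r in records]
        window_s = (max(times) - min(times)).total_seconds() + 1.0
    by_source = flag_by_source(records, window_s, max_rps=1.0)
    by_url = flag_by_url(records, window_s, max_rps=5.0, min_sources=20)
    return by_source, by_url


if __name__ == "__main__":
    src, urls = analyse(build_sample_log())
    print("per-source flags:", src)   # [] : every client stays under 1 req/s
    print("per-URL flags:", urls)     # {'/login': {'rps': 10.1, 'sources': 51}}
```

The per-source check flags nothing because no single client exceeds one request per second; the per-URL check flags /login because 51 distinct clients together produce about 10 requests per second against one resource. The thresholds are arbitrary and would have to be tuned per site, but the shape of the check is what matters: the signal is in the aggregate, not in any one zombie.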
7.7 DDoS Attack (1/3)
- Attack time: every 6 p.m., July 6, 2009 ~ July 9, 2009
- Attack targets: 22 Korean sites, 14 U.S. sites
  - Korean sites: the Blue House, National Assembly, major portal & banking sites, …
- Estimated damage: 3,300 ~ 4,950 million dollars (Src.: Hyundai Research Institute)
[Timeline: 1st-day attack at 6 PM, July 7; 2nd-day attack at 6 PM, July 8; 3rd-day attack at 6 PM, July 9; after the DDoS, hard-disk destruction at 0 AM, July 10]
7.7 DDoS Attack (2/3) - Characteristics
Very large-scale and organized attack
- Zombies were infected through a well-known Korean "web hard" (online file-storage) site which had been compromised
- Many zombie PCs (about 115,000) were used in the attack
- Many servers (about 400) were used to control the zombies
Premeditated and intelligent attack
- The attack start time (6 PM) was coded into the malware (logic bomb)
- The zombies' hard disks were destroyed after the DDoS to erase the attack evidence
We could not determine who the attackers were or what their intentions were
7.7 DDoS Attack (3/3) - Lessons
More attention to endpoint security
- In Korea, DDoS defense was primarily focused on network security, such as blocking the C&C channel and filtering traffic.
- But the 7.7 DDoS attack rarely used a C&C server
- We should pay more attention to endpoint security!
- But it is not easy.
[Diagram: C&C and zombie PCs. Network defense, e.g. blocking the C&C channel and filtering the DDoS traffic; endpoint defense, e.g. detection/removal of malicious code from zombie PCs]
Expand information sharing
- Information sharing between government and the private sector
  - Cooperation between government, ISPs, anti-virus vendors, and DDoS victims
  - Sharing of malicious code samples, attack logs, and analysis results
- Cross-border information sharing
  - The US was also attacked 2 days before the 7.7 DDoS (2009/7/5)
  - Zombies and servers used in the 7.7 DDoS were distributed across about 60 countries
Need for a control tower
- A control tower is needed for an effective national response to large-scale attacks
2. Countermeasures against DDoS Attacks in Korea
• Operation of DNS Sinkhole Server
• Improvement of Legal Framework
• Development of Technologies
Operation of DNS Sinkhole Server
Before DNS sinkhole operation:
① Bot-infected PCs send a C&C DNS query to the ISP DNS server
② The ISP DNS server returns the C&C IP address
③ The bots connect to the bot C&C
④ The C&C sends commands
⑤ DDoS attack on the target sites
After DNS sinkhole operation:
① Bot-infected PCs send a C&C DNS query to the ISP DNS server
② The ISP DNS server returns the sinkhole IP address
③ The bots connect to the KISA sinkhole server; the bot-infected PCs are out of the botmaster's control
The sinkhole server collects the bot-infected PCs' information
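To make the before/after difference concrete, here is an added example, not code from the presentation or from KISA: a toy ISP resolver that carries a sinkhole zone, a sinkhole server that only records who connects, and three simulated infected hosts that look up the same C&C hostname. It goes slightly beyond the slide in that sinkholing a domain also covers its subdomains. All hostnames and addresses are constructed; `IspResolver`, `SinkholeServer`, `Bot` and `simulate` are names chosen for this example.

```python
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.53"  # constructed sinkhole address (TEST-NET-1)

# Constructed answers the ISP resolver would return without a sinkhole
UPSTREAM = {
    "www.example.com": "198.51.100.10",
    "cnc.bad-example.net": "203.0.113.7",  # constructed C&C hostname / address
}


def normalize(name):
    """DNS names are case-insensitive; drop a trailing root dot as well."""
    return name.lower().rstrip(".")


@dataclass
class IspResolver:
    """Recursive resolver with a sinkhole zone: names in the zone (and their
    subdomains) are answered with the sinkhole address instead of the real one."""
    sinkhole_zone: set = field(default_factory=set)

    def add_sinkhole(self, name):
        self.sinkhole_zone.add(normalize(name))

    def is_sinkholed(self, name):
        labels = normalize(name).split(".")
        # check the name itself and every parent domain
        return any(".".join(labels[i:]) in self.sinkhole_zone for i in range(len(labels)))

    def resolve(self, name):
        if self.is_sinkholed(name):
            return SINKHOLE_IP
        return UPSTREAM.get(normalize(name))  # None models NXDOMAIN


@dataclass
class SinkholeServer:
    """Stands in for the C&C: records who connected and never returns commands."""
    log: list = field(default_factory=list)

    def accept(self, client_ip, name):
        self.log.append({"client": client_ip, "name": normalize(name)})
        return None


@dataclass
class Bot:
    """Simulated infected host that looks up its C&C hostname once."""
    ip: str
    cnc_name: str

    def beacon(self, resolver, sinkhole):
        addr = resolver.resolve(self.cnc_name)
        if addr == SINKHOLE_IP:
            sinkhole.accept(self.ip, self.cnc_name)
            return "sinkholed"
        return "reached-cnc" if addr else "nxdomain"


def simulate(sinkhole_enabled):
    """Run three bots against the resolver; return their outcomes, the sinkhole
    log, and the answer for an ordinary name to show normal resolution is intact."""
    resolver = IspResolver()
    if sinkhole_enabled:
        resolver.add_sinkhole("bad-example.net")  # sinkhole the whole domain
    sink = SinkholeServer()
    bots = [Bot("10.0.0.%d" % i, "cnc.bad-example.net") for i in range(1, 4)]
    outcomes = [b.beacon(resolver, sink) for b in bots]
    return outcomes, sink.log, resolver.resolve("www.example.com")


if __name__ == "__main__":
    print("before:", simulate(False))  # all bots reach the C&C, empty log
    print("after:", simulate(True))    # all bots sinkholed, three log entries
```

Run `simulate(False)` and `simulate(True)` to compare the two pictures on the slide. The sinkhole log is the "bot-infected PCs' information" the slide refers to: the sinkhole learns which client addresses asked for the C&C name, while unrelated names such as www.example.com still resolve normally.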
Zombie PC Prevention Law (Draft)
Objective
- Prevent the spread of zombie PCs
  - Strengthen the online security requirements for both individuals and companies
- Rapid response through information sharing
Major contents
- Request improvement of SW vulnerabilities from the SW developer
- Order the removal of malware from web sites
- Limit zombie PCs' Internet connection in an emergency
- Allow access to zombie PCs for incident analysis
Issues
- Excessive, and may compromise liberty in Internet usage
Reference: http://www.koreatimes.co.kr/www/news/biz/2010/04/123_51509.html
R&D - Botnet Detection and Response
Objective
- Detection and blocking of botnets abused in various cyber crimes
- Identifying bot C&C servers and zombie PC lists and monitoring their behavior
[Diagram. Network-based botnet detection & response technology: (A) network-behavior-based botnet detection system with botnet traffic collecting sensors at the ISP, covering centralized and distributed botnets (command/control servers), sending detection events to (B) the botnet monitoring / response system, which distributes botnet information and response policies/rules (DNS sinkhole, BGP feeding, web firewall rules, …) to the DNS server, router, web firewall and security appliances. Host-based bot detection & response technology: (1) spybot-based real-time botnet monitoring system fed with real-time botnet behavior data, (2) bot collecting, detecting and analyzing server fed by a spam trap system and web server, (3) host-based botnet traffic filtering agent on the user PC]
R&D - Automatic Malware Collection/Analysis/Response
Objective
- Automation of the life cycle of incident response
  - Collection → malware analysis → blocking traffic → removal of malware from zombies
[Diagram: malware auto-collection system (sources: system vulnerabilities, web, spam, IM; samples such as Conficker and Palevo; file types: executable binary code, .EXE, .DLL, .xls, .doc, .ppt, Flash) → malware auto-analysis system (malware information, malware propagation method) → malware infected PC auto-analysis system and malware distribution site detection system (detecting malicious sites) → malware spreading prevention and malware management system: malware DNA & response signature management, zombie PC Internet access blocking, malware distribution site management, malware classification & history management]
R&D - DDoS Attack Detection and Defense
Objective
- 40 Gbit DDoS attack defense system and secure NIC development
- Advanced application-layer DDoS attack defense system targeted at web services
[Diagram: attackers and normal users on the Internet → 40G DDoS attack defense system → application-layer DDoS attack defense system → server farm / web servers, with secure NICs in the server farm]
- 40G DDoS attack defense system: behavior-based attack detection; malicious code detection and management; infected system management
- Application-layer DDoS attack defense system: complex, advanced DDoS attack defense technology targeted at web services; challenge/behavior-based defense; policy-based management
- Secure NIC development: server/host-based 2G security offload engine technology; malicious code detection
R&D - Cooperative Security Control
Objective
- Automatic information exchange & cooperative response framework
- Cyber-attack forecast & alarm technology
- Auto-response & traceback against cyber-attacks
[Diagram: information exchange entities (antivirus software companies, national CSIRT/CERT/KISC, Internet service providers) linked by information exchange & cooperative response, covering single-packet attacks and DDoS attacks]
Conclusion
Information sharing
- Information sharing is the most important factor for successful, effective prevention of and response to incidents.
  - For this purpose, we are improving the legal system and developing technology in Korea
International cooperation
- Cyber attacks occur across borders
- Consensus is needed on monitoring, keeping logs, information sharing, and cooperation against cross-border incidents
Awareness
- It is the most difficult thing, but it is the most important for end-point security.
- We should improve not only the legal framework but also awareness.
Thank you