Page 1

Countermeasures against DDoS Attacks in Korea

2010. 5.

Jeong, Hyun-Cheol

Page 2

Contents

1. DDoS Attacks in Korea
2. Countermeasures against DDoS Attacks in Korea
3. Conclusion

Page 3

1. DDoS Attacks in Korea

• DDoS Attack Trends
• 7.7 DDoS Attack and Lessons

Page 4

Status of the IP Network in Korea

1st domain : 1.8 M
- .kr : 1 M
- gTLD (.com, .net, …) : 0.8 M
Host : 8.7 M
Mobile Phone User : 46 M
Internet User : 36 M
High-speed Internet User : 15.7 M
IP TV User : 1 M
VoIP User : 7.1 M
IDC : 60
ISP : 154
Population of S. Korea : 49 M

(1 M = 1,000,000)

Page 5

1. DDoS Attacks in Korea

Status & Trends of DDoS Attacks in Korea

First DDoS attack occurred in 2006
Increase of target systems
- Small websites → major websites (bank, portal, …)
Increase of ransom DDoS
Increase of application-layer DDoS attacks (above 50%)
- HTTP GET flooding, Slowloris, SIP flooding
- Network bandwidth consumption → system resource consumption
Hard to detect and block application-layer DDoS attacks
- Because each zombie PC generates only a small amount of traffic, the attack is hard to detect with legacy security solutions.

[Chart: Risk by year, 2006 – 2009. Target labels: Chat, Gamble Site; On-line Game Site; Bank, Shopping, Game Site; Portal, Public Site. Attack-type labels: Web Server targeted DDoS; DNS, Private IP targeted DDoS]
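An added example, not from the slides, illustrating the detection problem above: a legacy per-source request threshold does not fire on a GET flood spread thinly over many zombies, while an aggregate per-URI check that also counts distinct sources does. The log lines, thresholds and baselines are constructed.

```python
# Added example (not from the slides): a per-source threshold of the kind the
# slide calls a legacy security solution misses a GET flood in which each
# zombie sends only a few requests; an aggregate per-URI check does not.
# Log lines are constructed, in Apache combined-log order.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line: str):
    """Return (client_ip, timestamp, method, uri, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, uri, status = m.groups()
    return client, ts, method, uri, int(status)

def per_source_alerts(lines, max_requests: int) -> set:
    """Legacy-style check: a client is flagged only if it alone exceeds the threshold."""
    per_ip = Counter(p[0] for p in map(parse, lines) if p and p[2] == "GET")
    return {ip for ip, n in per_ip.items() if n > max_requests}

def distributed_flood_alerts(lines, baseline: dict, rate_factor: float, min_sources: int) -> dict:
    """Aggregate check: a URI is flagged when its GET count exceeds rate_factor times
    its baseline AND the requests come from at least min_sources distinct clients.
    Returns {uri: (request_count, distinct_sources)}."""
    sources, count = defaultdict(set), Counter()
    for p in map(parse, lines):
        if p and p[2] == "GET":
            sources[p[3]].add(p[0])
            count[p[3]] += 1
    return {uri: (n, len(sources[uri])) for uri, n in count.items()
            if n > rate_factor * baseline.get(uri, 1.0) and len(sources[uri]) >= min_sources}

def sample_log() -> list:
    """Constructed window: 40 zombies send 3 GETs each to /login; two real users browse."""
    fmt = '{ip} - - [07/Jul/2009:18:00:{s:02d} +0900] "GET {uri} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"10.0.{z}.7", s=k, uri="/login") for z in range(40) for k in range(3)]
    lines += [fmt.format(ip="203.0.113.5", s=k, uri="/news") for k in range(5)]
    lines += [fmt.format(ip="203.0.113.9", s=k, uri="/login") for k in range(2)]
    lines.append("garbage line that does not parse")   # exercised by parse()
    return lines
```

With a per-source limit of 10 requests nothing is flagged, while the aggregate check flags /login with 122 requests from 41 clients.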

Page 6

7.7 DDoS Attack (1/3)

Attack Time : every day at 6 p.m., July 6, 2009 ~ July 9, 2009
Attack Targets : 22 Korean sites, 14 U.S. sites
- Korean sites : the Blue House, National Assembly, major portal & banking sites, …
Estimated Damage : 3,300 ~ 4,950 million dollars (Src. : Hyundai Research Institute)

[Timeline: 1st day attack from 6 PM, July 7; 2nd day attack from 6 PM, July 8; 3rd day attack from 6 PM, July 9; after the DDoS, hard disk destruction from 0 AM, July 10]

Page 7

7.7 DDoS Attack (2/3) - Characteristics

Very large-scale and organized attack
- Zombies were infected through a famous Korean "web hard" (file-hosting) site which had been exploited
- Lots of zombie PCs (about 115,000) were used in the attack
- Lots of servers (about 400) were used to control the zombies
Premeditated and intelligent attack
- The attack started at 6 PM, a time hard-coded in the malware (logic bomb)
- Zombies' hard disks were destroyed after the DDoS to erase the attack evidence
We could not find out who the attackers were or what their intention was

Page 8

7.7 DDoS Attack (3/3) - Lessons

More attention to endpoint security
- In Korea, DDoS defense was primarily focused on network security such as blocking the C&C channel and filtering traffic.
- But the 7.7 DDoS attack rarely used a C&C server.
- We should pay more attention to endpoint security! But it is not easy.

[Diagram: C&C → Zombie PC, Zombie PC, Zombie PC. Network defense, e.g. blocking of the C&C channel, filtering the DDoS traffic. Endpoint defense, e.g. detection/removal of malicious code from zombie PCs]

Expand information sharing
- Information sharing between government and private sector
  - Cooperation between government, ISPs, anti-virus vendors, and DDoS victims
  - Sharing of malicious code samples, attack logs, and analysis results
- Cross-border information sharing
  - The US was also attacked 2 days before the 7.7 DDoS (2009/7/5)
  - Zombies and servers used in the 7.7 DDoS were distributed over about 60 countries

Need of a control tower
- A control tower is needed for an effective national response to a large-scale attack

Page 9

2. Countermeasures against DDoS Attacks in Korea

• Operation of DNS Sinkhole Server
• Improvement of Legal Framework
• Development of Technologies

Page 10

Operation of DNS Sinkhole Server

Before DNS sinkhole operation
① Bot-infected PCs send the C&C DNS query to the ISP DNS server
② The ISP DNS server returns the C&C IP address
③ Bot-infected PCs connect to the bot C&C
④ The C&C sends the command
⑤ DDoS attack on the target sites

After DNS sinkhole operation
① Bot-infected PCs send the C&C DNS query to the ISP DNS server
② The ISP DNS server returns the sinkhole IP address
③ Bot-infected PCs connect to the KISA sinkhole server instead, so they are out of the botmaster's control
- The sinkhole server collects the bot-infected PCs' information
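An added example, not from the slides or KISA, modelling the before/after flow above in Python: a resolver that rewrites answers for listed C&C domains to the sinkhole address, and a sinkhole that records which clients arrived (the bot-infected PCs' information). The domain names, addresses and block list are constructed placeholders.

```python
# Added example (not from the slides or KISA): a model of the DNS sinkhole flow.
# The ISP resolver answers C&C queries with the sinkhole address, and the
# sinkhole records the clients that arrive, which is the "bot-infected PCs'
# information" the slide mentions. All names and addresses are constructed.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.10"          # TEST-NET address standing in for the sinkhole

# Constructed C&C block list; in practice it is fed from botnet analysis.
CC_DOMAINS = {"cc-example.invalid", "update.bot-example.invalid"}

# Constructed answers the ISP resolver would return without the sinkhole.
UPSTREAM = {"cc-example.invalid": "198.51.100.7", "www.example.com": "203.0.113.5"}

def normalize(qname: str) -> str:
    return qname.lower().rstrip(".")

def is_sinkholed(qname: str) -> bool:
    """True if qname or any parent domain is listed (so a.cc-example.invalid matches)."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in CC_DOMAINS for i in range(len(labels)))

def resolve(qname: str, sinkhole_enabled: bool) -> str | None:
    """Step ② of the slide: the A record the ISP DNS server hands back to the bot."""
    if sinkhole_enabled and is_sinkholed(qname):
        return SINKHOLE_IP                # steered to the sinkhole, not to the C&C
    return UPSTREAM.get(normalize(qname))

@dataclass
class Sinkhole:
    """Step ③ after sinkholing: bot connections land here instead of at the C&C."""
    seen: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def accept(self, client_ip: str, wanted_host: str) -> None:
        # Record the C&C name each client tried to reach; this is the per-client
        # infection evidence reported back to the ISP for cleanup.
        self.seen[client_ip].add(normalize(wanted_host))

    def infected_report(self) -> list[tuple[str, list[str]]]:
        return sorted((ip, sorted(names)) for ip, names in self.seen.items())

def simulate(bot_queries: list[tuple[str, str]], sinkhole_enabled: bool):
    """Run (client_ip, qname) pairs through the resolver; return where each bot went
    and the sinkhole's record of infected clients."""
    sink = Sinkhole()
    destinations = []
    for client_ip, qname in bot_queries:
        answer = resolve(qname, sinkhole_enabled)
        destinations.append(answer or "NXDOMAIN")
        if answer == SINKHOLE_IP:
            sink.accept(client_ip, qname)
    return destinations, sink
```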

Page 11

Zombie PC Prevention Law (Draft)

Objective
- Prevent the spread of zombie PCs
  - Strengthen the online security requirements for both individuals and companies
- Rapid response by information sharing

Major Contents
- Request improvement of SW vulnerabilities from the SW developer
- Order to remove malware from web sites
- Limit zombie PCs' internet connection in an emergency
- Ability to access zombie PCs for incident analysis

Issues
- Excessive and may compromise liberty in Internet usage

Source: http://www.koreatimes.co.kr/www/news/biz/2010/04/123_51509.html

Page 12

R&D - Botnet Detection and Response

Objective
- Detection and blocking of botnets abused in various cyber crimes
- Identifying bot C&C and zombie PC lists and monitoring their behavior

[Diagram: command/control servers of a distributed botnet and a centralized botnet, with the components below]

Network based Botnet Detection & Response Technology
- (A) Network behavior based botnet detection system: botnet traffic collecting sensor at the ISP, producing detection events
- (B) Botnet monitoring / response system: botnet monitoring system receiving botnet information and detection events; response policy/rule (DNS sinkhole, BGP feeding, web firewall rule, …) pushed to the DNS server, router, web firewall and security appliance

Host based Bot Detection & Response Technology
- (1) Spybot based real-time botnet monitoring system, delivering real-time botnet behavior data
- (2) Bot collecting, detecting and analyzing server, fed by a spam trap system and a web server
- (3) Host based botnet traffic filtering agent on the user PC

Page 13

R&D – Automatic Malware Collection/Analysis/Response

Objective
- Automation of the life cycle of an incident response
  - Collection → Malware analysis → Blocking traffic → Removal of malware from zombies

[Diagram: Malware spreading prevention and malware management system]
- Malware auto-collection system: malware collection via the propagation methods system vulnerability, web, spam and IM (examples: Conficker, Palevo)
- Malware auto-analysis system: analyzes executable binary code (.DLL, .EXE) and documents (.xls, .pdf, Flash, .doc, .ppt) and produces malware information
- Malware distribution site detection system: detecting malicious sites [malware distributing site]
- Malware infected PC auto-analysis system [malware infected PC]
- Prevent malware spread/response:
  • Malware DNA & response signature management
  • Zombie PC Internet access blocking
  • Malware distribution site management
  • Malware classification & history management

Page 14

R&D - DDoS Attack Detection and Defense

Objective
- 40 Gbit DDoS attack defense system and secure NIC development
- Advanced application-layer DDoS attack defense system targeted at web services

[Diagram: Internet (normal users and attackers) → 40G DDoS Attack Defense System → Application-Layer DDoS Attack Defense System → Server Farm (web servers, Secure NIC)]

- 40G DDoS Attack Defense System
  - Behavior based attack detection
  - Malicious code detection and management
  - Infected system management
- Application-Layer DDoS Attack Defense System
  - Complex, advanced DDoS attack defense technology targeted at web services
  - Challenge/behavior based defense
  - Policy based management
- Secure NIC Development
  - Server/host based 2G security offload engine technology
  - Malicious code detection

Page 15

R&D - Cooperative Security Control

Objective
- Automatic information exchange & cooperative response framework
- Cyber-attack forecast & alarm technology
- Auto-response & traceback against cyber-attacks

[Diagram: information exchange entities (antivirus software companies, national CSIRT/CERT/KISC, Internet service providers) linked by information exchange & cooperative response, against single packet attacks and DDoS attacks]

Page 16

Conclusion

Information Sharing
- Information sharing is the most important factor for the success of effective prevention of and response to incidents.
- For this purpose, we are improving the legal system and developing technology in Korea.

International Cooperation
- Cyber attacks are cross-border.
- Consensus is needed on monitoring, keeping logs, information sharing, and cooperation against cross-border incidents.

Awareness
- It is the most difficult thing, but it is the most important for end-point security.
- We should improve not only the legal framework but also awareness.

Page 17

Thank you