How we Collaborate and Share

Wim Biemolt

SURFcert – November 14th, 2012

FIRST TC, Kyoto

Oudemirdum

Kyoto?

Collaboration!

SURFnet

Global connectivity

IPv6

Security

DNSSEC

http://www.internetsociety.org/deploy360/blog/2012/10/excellent-whitepapertutorial-from-surfnet-on-deploying-dnssec-validating-dns-servers/

SURFcert IDS

Changing threats

SpamPot

Fantastic!

However …

Packet love

SNMP

Secret

DNS

Amsterdam Nijmegen Amsterdam

onweer service LAN

What is happening?

Abuse

Partners in crime

Report the crime

Very useful

Measures

TMS

SURFcert

Party!

How?

5 5

netflow

AIRT

Incidents

2010 2011 2012

(H1)

Infected 2531 6373 1948

Probe 36 41 9

Spam 2597 1379 360

Content 6 6 6

Abusive 1 19 4

Denial 807 244 106

Vulnerable 1285 997 510

TOTAAL 7263 9059 2943

Good job!

NAT

Is that everything?

Hlux/Kelihos Botnet

0

500

1000

1500

2000

2500

6/11/201100:00

6/12/201100:00

6/1/201200:00

6/2/201200:00

6/3/201200:00

6/4/201200:00

6/5/201200:00

6/6/201200:00

6/7/201200:00

6/8/201200:00

6/9/201200:00

# unique IP addresses per hour

IPv4 Heatmap

September 2012 October 2012

Google maps

September 2012 October 2012

Region

2012

Slow decline

Abuse Information Exchange

2nd Hlux/Kelihos Botnet

Status

Zeus

Busy!

IP spoofing allowed?

Warning by executable

Favor?

Together strong

SCIRT

Goals

Focus

Software audits Risk management

Juridical questions Virtualization

wifi Malware analysis

IPv6 security Forensics

Honeypot & IDS/IPS Phising

MoU & TLP

Press

Dorifel

Zeroaccess

Dutch national cooperation (o-IRT-o)

Since 2002

Sinowal

DNSSEC (again)

You have them

We have them

TF-CSIRT

CSIRT Training

Trusted Introducer

• Lists teams

• Accredits teams

• Certifies teams

• Trusted security services.

Around the world

FIRST

FIRST TC

Share!

Clearing houses

Conclusion

W

Wim.Biemolt[at]surfnet.nl

wimbie

www.surfnet.nl

+31 30 2 305 305

Creative Commons “Attribution” license:

http://creativecommons.org/licenses/by/3.0/