Experience with DDoS


description

Experience with DDoS. May 2010. Jeong, Hyun-Cheol. PowerPoint presentation in three parts: 1. DDoS Attacks in Korea (DDoS attack trends, the 7.7 DDoS attack and its lessons, status of the IP network in Korea); 2. Countermeasures against DDoS Attacks in Korea; 3. Conclusion.

Transcript of Experience with DDoS

  • 2010. 5.

    Jeong, Hyun-Cheol

  • Contents
    1. DDoS Attacks in Korea
    2. Countermeasures against DDoS Attacks in Korea
    3. Conclusion

  • Status of the IP Network in Korea (1 M = 1,000,000)
    - Domains: 1.8 M (.kr: 1 M; gTLD (.com, .net, ...): 0.8 M)
    - Hosts: 8.7 M
    - Mobile phone users: 46 M
    - Internet users: 36 M
    - High-speed Internet users: 15.7 M
    - IPTV users: 1 M
    - VoIP users: 7.1 M
    - IDCs: 60
    - ISPs: 154
    - Population of S. Korea: 49 M

  • DDoS Attacks in Korea
    - The first DDoS attack occurred in 2006.
    - Increase of target systems: from small websites to major websites (banks, portals, ...).
    - Increase of ransom DDoS.
    - Increase of application-layer DDoS attacks (above 50%): HTTP GET flooding, Slowloris, SIP flooding. The attack goal shifts from network bandwidth consumption to system resource consumption.
    - Application-layer DDoS attacks are hard to detect and block: because each zombie PC generates only a small amount of traffic, legacy security solutions have difficulty detecting them.

  • 7.7 DDoS Attack (1/3)
    - Attack time: every 6 p.m., July 6, 2009 ~ July 9, 2009
    - Attack targets: 22 Korean sites, 14 U.S. sites (Korean sites: the Blue House, National Assembly, major portal & banking sites, ...)
    - Estimated damage: 3,300 ~ 4,950 million dollars (source: Hyundai Research Institute)
    - Timeline: 1st day attack, 6 PM July 7; 2nd day attack, 6 PM July 8; 3rd day attack, 6 PM July 9; after the DDoS, hard disk destruction, 0 AM July 10

  • 7.7 DDoS Attack (2/3) - Characteristics
    - Very large-scale and organized attack: zombies were infected from a famous Korean web hard (online file storage) site which had been exploited; about 115,000 zombie PCs were used in the attack; about 400 servers were used to control the zombies.
    - Premeditated and intelligent attack: the 6 PM attack start was coded into the malware (logic bomb); the zombies' hard disks were destroyed after the DDoS to erase the attack evidence.
    - We could not determine who the attackers were or what their intention was.

  • 7.7 DDoS Attack (3/3) - Lessons
    - In Korea, DDoS defense was primarily focused on network security such as blocking the C&C channel and filtering traffic. But the 7.7 DDoS attack rarely used a C&C server, so we should pay more attention to endpoint security. But it is not easy.
    - Information sharing between government and private sector: cooperation between government, ISPs, anti-virus vendors, and DDoS victims; sharing of malicious code samples, attack logs, and analysis results.
    - Cross-border information sharing: the US was also attacked 2 days before the 7.7 DDoS (2009/7/5); the zombies and servers used in the 7.7 DDoS were distributed over about 60 countries.
    - A control tower is needed for an effective national response to a large-scale attack.
    (Figure: C&C server and zombie PCs. Network defense, e.g. blocking of the C&C channel and filtering the DDoS traffic; endpoint defense, e.g. detection/removal of malicious code from zombie PCs.)

  • Operation of DNS Sinkhole Server
    - Before DNS sinkhole operation: bot-infected PCs send a DNS query for the C&C name to the ISP DNS server, which returns the C&C IP address; the bots connect to the bot C&C, which sends commands, and the bots launch DDoS attacks on the target sites.
    - After DNS sinkhole operation: the ISP DNS server answers the C&C DNS query with the sinkhole IP address; the bots connect to the KISA sinkhole server instead, so the bot-infected PCs are out of the botmaster's control, and the sinkhole collects information on the bot-infected PCs.
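The before/after operation described above, as an added toy model that is not from the slides or from KISA: an ISP resolver that overrides only the C&C names in the sinkhole policy, and a sinkhole server that records the PCs that connect to it. All domain names, addresses and the command string are constructed.

```python
# Added example (not from the KISA slides): a toy model of the DNS sinkhole
# operation. The ISP resolver normally answers from its authoritative table;
# with the sinkhole policy active it answers known C&C names with the sinkhole
# address, so bots never reach the botmaster and the sinkhole learns which PCs
# are infected. All names and addresses are constructed.
from collections import defaultdict

AUTHORITATIVE = {                              # constructed "real" DNS answers
    "cnc.example-bad.test": "198.51.100.7",    # attacker-controlled C&C host
    "www.example-news.test": "203.0.113.10",   # ordinary legitimate site
}
SINKHOLE_IP = "192.0.2.1"                      # KISA sinkhole server (constructed)
SINKHOLE_POLICY = {"cnc.example-bad.test"}     # C&C names pushed to ISP DNS


def resolve(qname, sinkhole_enabled):
    """ISP DNS server: override only the names in the sinkhole policy."""
    if sinkhole_enabled and qname in SINKHOLE_POLICY:
        return SINKHOLE_IP
    return AUTHORITATIVE.get(qname)


class CncServer:
    """Botmaster's C&C: every check-in receives an attack command."""
    def accept(self, bot_ip, qname):
        return "ATTACK target-site.test"


class SinkholeServer:
    """KISA sinkhole: accepts the connection, issues no command, and records
    the connecting PC per C&C name so the ISP can notify the owner."""
    def __init__(self):
        self.infected = defaultdict(set)

    def accept(self, bot_ip, qname):
        self.infected[qname].add(bot_ip)
        return None


def simulate(bot_ips, sinkhole_enabled, cnc_domain="cnc.example-bad.test"):
    """Each bot resolves its C&C name and connects to whatever IP it gets back.
    Returns (commands received by the bots, infected-PC list kept by the sinkhole)."""
    sinkhole = SinkholeServer()
    servers = {AUTHORITATIVE[cnc_domain]: CncServer(), SINKHOLE_IP: sinkhole}
    commands = []
    for bot in bot_ips:
        ip = resolve(cnc_domain, sinkhole_enabled)
        commands.append(servers[ip].accept(bot, cnc_domain))
    return commands, {k: sorted(v) for k, v in sinkhole.infected.items()}
```

Legitimate names are unaffected by the policy, which is the check an operator wants before enabling a sinkhole on a production resolver.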

  • Zombie PC Prevention Law (Draft) (*http://www.koreatimes.co.kr/www/news/biz/2010/04/123_51509.html)
    - Objective: prevent the spread of zombie PCs (strengthen the online security requirements for both individuals and companies); rapid response by information sharing.
    - Major contents: request improvement of SW vulnerabilities from the SW developer; order to remove malware from web sites; limit zombie PCs' internet connection in an emergency; be able to access zombie PCs for incident analysis.
    - Issues: excessive, and may compromise liberty in Internet usage.

  • R&D - Botnet Detection and Response
    - Goal: detection and blocking of botnets abused in various cyber crimes; identifying bot C&C and zombie PC lists and monitoring their behaviors.
    - Network based botnet detection & response technology: (A) network behavior based botnet detection system, with botnet traffic collecting sensors covering centralized and distributed botnets; (B) botnet monitoring / response system, which receives detection events and botnet information and issues response policies/rules (DNS sinkhole, BGP feeding, web firewall rules, ...) to the DNS server, router, web firewall and security appliances.
    - Host based bot detection & response technology: (1) Spybot based real-time botnet monitoring system; (2) bot collecting, detecting, analyzing server, fed with real-time botnet behavior data from spam trap systems and web servers; (3) host based botnet traffic filtering agent on the user PC.

  • R&D - Automatic Malware Collection/Analysis/Response
    - Automation of the life cycle of incident response: collection -> malware analysis -> blocking traffic -> removal of malware from zombies.
    - Malware auto collection system: collects malware propagated via system vulnerabilities, web, spam and IM (executable binary code: .DLL, .EXE; documents and media: .xls, .pdf, .doc, .ppt, Flash); examples named on the slide: Conficker, Palevo.
    - Malware auto analysis system: produces malware information (malware DNA & response signature management; malware classification & history management).
    - Malware distribution site detection system: detects malicious sites and manages malware distribution sites.
    - Malware spreading prevention and malware management system, with a malware infected PC auto-analysis system: zombie PC Internet access blocking.

  • R&D - DDoS Attack Detection and Defense
    - 40 Gbit DDoS attack defense system and secure NIC development; advanced application-layer DDoS attack defense system targeted on web services.
    - 40G DDoS attack defense system (between the Internet and the server farms): behavior based attack detection; malicious code detection and management; infected system management.
    - Application-layer DDoS attack defense system (in front of the web servers): complex, advanced DDoS attack defense technology targeted on web services; challenge/behavior based defense; policy based management.
    - Secure NIC development: server/host based 2G security offload engine technology; malicious code detection.

  • R&D - Cooperative Security Control
    - Automatic information exchange & cooperative response framework; cyber-attack forecast & alarm technology; auto-response & traceback against cyber-attacks.
    - Information exchange entities: antivirus software companies, national CSIRT/CERT/KISC, Internet service providers; they exchange information and respond cooperatively to single packet attacks and DDoS attacks.

  • Conclusion
    - Information sharing is the most important factor for the success of effective prevention of and response to incidents. For this purpose, we are improving the legal system and developing technology in Korea.
    - Cyber attacks occur across borders. A consensus is needed on monitoring, keeping logs, information sharing, and cooperation against cross-border incidents.
    - Endpoint security is the most difficult thing, but it is the most important. We should improve not only the legal framework but also awareness.

  • Thank you
