Experiences with DDoS


May 2010
Jeong, Hyun-Cheol
Contents
1. DDoS Attacks in Korea
2. Countermeasures against DDoS Attacks in Korea
3. Conclusion
1. DDoS Attacks in Korea
• DDoS Attack Trends
• 7.7 DDoS Attack and Lessons
Status of the IP Network in Korea
Population of S. Korea: 49 M
1st-level domains: 1.8 M
- .kr: 1 M
- gTLD (.com, .net, ...): 0.8 M
Hosts: 8.7 M
ISPs: 154
IDCs: 60
VoIP users: 7.1 M
Mobile phone users: 46 M
High-speed Internet users: 15.7 M
IPTV users: 1 M
Internet users: 36 M
(1 M = 1,000,000)
DDoS Attacks in Korea
Status & Trends of DDoS Attacks in Korea
The first DDoS attack in Korea was observed in 2006.
Increase in target systems
- Small websites → major websites (banks, portals, ...)
Increase in ransom DDoS (extortion of the target)
Increase in application-layer DDoS attacks (above 50%)
- HTTP GET flooding, Slowloris, SIP flooding
Risk
- Network bandwidth consumption → system resource consumption
Application-layer DDoS attacks are hard to detect and block
- Because each zombie PC generates only a small amount of traffic, legacy security solutions that trigger on per-source traffic volume have difficulty detecting them.
[Figure: timeline 2006 ~ 2009 of DDoS targets in Korea, moving from chat and gambling sites, to on-line game sites, to bank, shopping and game sites, to portal and public sites; the attack type shifts from DNS / private-IP targeted DDoS to web-server targeted DDoS]
7.7 DDoS Attack (1/3)
Attack time: every day at 6 p.m., July 6, 2009 ~ July 9, 2009
Attack targets: 22 Korean sites, 14 U.S. sites
- Korean sites: the Blue House, National Assembly, major portal & banking sites, ...
Estimated damage: 3,300 ~ 4,950 million dollars (Src.: Hyundai Research Institute)
Timeline
- 6 PM, July 7: 1st day attack
- 6 PM, July 8: 2nd day attack
- 6 PM, July 9: 3rd day attack
- 0 AM, July 10: after the DDoS, the zombies destroy their hard disks
7.7 DDoS Attack (2/3) - Characteristics
Very large-scale and organized attack
- Zombies were infected through a famous Korean web-hard (file storage) site which had been compromised
- Many zombie PCs (about 115,000) were used in the attack
- Many servers (about 400) were used to control the zombies
Premeditated and intelligent attack
- The attack started at 6 PM, a time hard-coded in the malware (logic bomb)
- The zombies' hard disks were destroyed after the DDoS → erasing the attack evidence
We could not determine who the attackers were or what their intention was.
7.7 DDoS Attack (3/3) - Lessons
More attention to endpoint security
In Korea, DDoS defense was primarily focused on network security such as blocking C&C channels and filtering traffic.
- But the 7.7 DDoS attack made little use of C&C servers
We should pay more attention to endpoint security!
- But it is not easy.
[Figure: network defense (ex. blocking of the C&C channel, filtering the DDoS traffic) applied at the C&C side, versus endpoint defense (ex. detection/removal of malicious code from zombie PCs) applied at the zombie PCs themselves]
Expand information sharing
Information sharing between government and the private sector
- Cooperation between government, ISPs, anti-virus vendors, and DDoS victims
- Sharing of malicious code samples, attack logs, and the results of analysis
Cross-border information sharing
- The US was also attacked 2 days before the 7.7 DDoS (2009/7/5)
- Zombies and servers used in the 7.7 DDoS were distributed across about 60 countries
Need for a control tower
A control tower is needed for an effective national response to a large-scale attack
2. Countermeasures against DDoS Attacks in Korea
• Operation of DNS Sinkhole Server
• Improvement of Legal Framework
• Development of Technologies
Operation of DNS Sinkhole Server
Before DNS sinkhole operation
① Bot-infected PCs send a DNS query for the C&C hostname to the ISP DNS server
② The ISP DNS server returns the C&C IP address
③ The bots connect to the bot C&C
④ The C&C sends commands
⑤ The bots launch the DDoS attack against the target sites
After DNS sinkhole operation
① Bot-infected PCs send the same C&C DNS query to the ISP DNS server
② The ISP DNS server returns the KISA sinkhole IP address instead
③ The bots connect to the KISA sinkhole server, which records the bot-infected PCs' information
→ The bot-infected PCs are out of the botmaster's control
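The resolver-side half of the sinkhole above, as an added example (it is not KISA's code, and the blocklist names and the 192.0.2.10 sinkhole address are placeholders chosen for the example): a query for a listed C&C name is answered with the sinkhole address and the querying client is logged, which is exactly the "bot-infected PC information" the sinkhole server ends up holding. Everything else resolves normally (returned as None here).

```python
import struct
import ipaddress

# Constructed blocklist of C&C hostnames (hypothetical names, not real C&C domains).
CNC_BLOCKLIST = {"cnc.example.net", "update.example.org"}
# TEST-NET-1 address standing in for the KISA sinkhole server (assumption).
SINKHOLE_IP = "192.0.2.10"


def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query (RFC 1035 wire format) for a given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_qname(packet, offset=12):
    """Read the label sequence starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a question")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def sinkhole_response(query, client_ip, sinkhole_log):
    """Resolver policy: answer C&C names with the sinkhole IP and log the client.

    Returns None when the name is not on the blocklist (normal resolution applies).
    """
    txid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1 or name not in CNC_BLOCKLIST:
        return None
    # Every query for a C&C name identifies a bot-infected PC.
    sinkhole_log.append((client_ip, name))
    question = query[12:end + 4]
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 60, rdlength 4.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
              + ipaddress.IPv4Address(SINKHOLE_IP).packed)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    return header + question + answer


def answer_ip(response):
    """Extract the IPv4 address from the first (and only) answer RR."""
    _name, end = parse_qname(response)
    rr = end + 4                        # skip qtype/qclass of the question
    rdlength = struct.unpack("!H", response[rr + 10:rr + 12])[0]
    return str(ipaddress.IPv4Address(response[rr + 12:rr + 12 + rdlength]))


if __name__ == "__main__":
    log = []
    resp = sinkhole_response(build_query("cnc.example.net"), "198.51.100.7", log)
    print(answer_ip(resp), log)
```

A real deployment does this inside the ISP resolver (a response-policy zone or equivalent) rather than in a standalone parser, but the decision is the same: the bot never sees the C&C address, and the client address in the log is the lead for the endpoint clean-up the lessons slide asks for. Note the short TTL, so a removed entry stops taking effect quickly.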
Zombie PC Prevention Law (Draft)
Objective
Prevent the spread of zombie PCs
- Strengthen the online security requirements for both individuals and companies
Rapid response through information sharing
Major contents
Request improvement of SW vulnerabilities from the SW developer
Order removal of malware from web sites
Limit zombie PCs' Internet connection in an emergency
Allow access to zombie PCs for incident analysis
Issues
Excessive, and may compromise liberty in Internet usage
http://www.koreatimes.co.kr/www/news/biz/2010/04/123_51509.html
R&D - Botnet Detection and Response
Objective
Detection and blocking of botnets abused in various cyber crimes
Identifying bot C&C and zombie PC lists and monitoring their behaviors
Host-based bot detection & response technology
(1) Spybot-based real-time botnet monitoring system on the user PC, feeding real-time botnet behavior data
(2) Bot collecting, detecting and analyzing server (fed by a spam trap system, web server and web firewall)
(3) Host-based botnet traffic filtering agent
Network-based botnet detection & response technology
(A) Network behavior based botnet detection system: botnet traffic collecting sensors at the ISP (router, security appliance) observe both centralized botnets (command/control server, DNS server) and distributed botnets
(B) Botnet monitoring / response system: receives detection events and botnet information, and distributes response policy/rules (DNS sinkhole, BGP feeding, web firewall rules, ...)
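Two of the network behaviors that (A) can key on, as an added example that is not part of the R&D system described above: many clients resolving the same name almost simultaneously (a centralized botnet fetching its C&C address) and a single client resolving it at a fixed interval (beaconing). The log lines, client addresses and domain names are constructed for the example, and the final function shows the detection result turned into the kind of DNS-sinkhole rule (B) would distribute; the sinkhole address is a placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Constructed ISP DNS log: "timestamp client_ip qname". Hosts and domains are
# hypothetical; six clients hit cnc.example.net within ten seconds, then one of
# them keeps polling it every 60 s, while www.example.com sees ordinary traffic.
SAMPLE_DNS_LOG = """\
2009-07-07T17:30:00 10.0.0.11 www.example.com
2009-07-07T17:45:10 10.0.0.12 www.example.com
2009-07-07T17:58:00 10.0.0.21 www.example.com
2009-07-07T17:59:50 10.0.0.11 cnc.example.net
2009-07-07T17:59:52 10.0.0.12 cnc.example.net
2009-07-07T17:59:53 10.0.0.13 cnc.example.net
2009-07-07T17:59:55 10.0.0.14 cnc.example.net
2009-07-07T17:59:57 10.0.0.15 cnc.example.net
2009-07-07T17:59:59 10.0.0.16 cnc.example.net
2009-07-07T18:00:50 10.0.0.11 cnc.example.net
2009-07-07T18:01:50 10.0.0.11 cnc.example.net
2009-07-07T18:02:50 10.0.0.11 cnc.example.net
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split()
        rows.append((datetime.fromisoformat(ts), ip, qname.lower()))
    return rows


def group_activity(rows, window_seconds=30, min_hosts=5):
    """Domains looked up by >= min_hosts distinct clients inside one time window.

    Synchronised lookups of one name by many hosts are the network-level
    signature of a centralised botnet fetching its C&C address.
    """
    by_domain = defaultdict(list)
    for ts, ip, qname in rows:
        by_domain[qname].append((ts, ip))
    suspects = {}
    for qname, events in by_domain.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({ip for _, ip in events[start:end + 1]}))
        if peak >= min_hosts:
            suspects[qname] = peak
    return suspects


def beaconing(rows, min_queries=3, tolerance=0.2):
    """(client, domain) pairs whose lookups recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, ip, qname in rows:
        by_pair[(ip, qname)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons[pair] = mean
    return beacons


def rpz_records(suspects, sinkhole_ip="192.0.2.10"):
    """Response-policy zone records sending each suspect name to the sinkhole
    (the sinkhole address is a TEST-NET placeholder, an assumption)."""
    return [f"{name} IN A {sinkhole_ip}" for name in sorted(suspects)]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_DNS_LOG)
    print(group_activity(rows), beaconing(rows))
    print("\n".join(rpz_records(group_activity(rows))))
```

Both detectors work on per-name and per-client timing rather than on traffic volume, which is why they still fire when each zombie sends very little. The thresholds (window, host count, tolerance) are tuning parameters; a popular site after a TTL expiry also produces synchronized lookups, so in practice a group-activity hit is a lead to confirm against the sample analysis on the next slide, not an automatic block.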
R&D – Automatic Malware Collection/Analysis/Response
Objective
Automation of the life cycle of an incident response
- Collect malware → analyze → block traffic → remove malware from zombies
[Figure: pipeline]
Malware propagation methods: system vulnerability, web, spam, IM
Malware distributing sites → Malware Distribution Site Detection System (detecting malicious sites) and Malware Auto Collection System
Collected malware: .ppt, .doc, .xls, .pdf, Flash, .EXE and .DLL executable binary code, plus samples from malware-infected PCs
Malware Auto Analysis System (with a Malware Infected PC Auto-Analysis System) → malware information → Malware Spreading Prevention and Malware Management System
Prevent malware spread / response:
• Malware DNA & response signature management
• Zombie PC Internet access blocking
• Malware distribution site management
• Malware classification & history management
R&D - DDoS Attack Detection and Defense
Objective
40 Gbit DDoS attack defense system and secure NIC development
Advanced application-layer DDoS attack defense system targeted at web services
40G DDoS Attack Defense System (at the Internet edge, in front of the server farm)
- Behavior-based attack detection
- Malicious code detection and management
- Infected system management
Application-Layer DDoS Attack Defense System (in front of the web servers)
- Complex, advanced DDoS attack defense technology targeted at web services
- Challenge/behavior based defense
- Policy based management
Secure NIC development (on the servers/hosts)
- Server/host based 2G security offload engine technology
- Malicious code detection
[Figure: attackers and normal users on the Internet, the 40G defense system in front of the server farm, the application-layer defense system in front of the web servers]
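The challenge-based defense named above, as an added example that is not the R&D system's code: an unverified client is redirected back to the same URL with an HMAC cookie bound to its address and a time bucket. A browser follows the redirect and replays the cookie, so it is served from the second request on; a GET-flooding zombie that ignores redirects and cookies never passes and is dropped after a few tries, even though its per-source rate is low (the difficulty the trends slide points out). The secret, cookie name, lifetime and retry limit are assumptions chosen for the example.

```python
import hashlib
import hmac

# Per-deployment secret, cookie name, token lifetime and retry limit are assumptions.
SECRET = b"replace-with-a-random-per-deployment-secret"
TOKEN_LIFETIME = 300          # seconds one challenge cookie stays valid
MAX_UNVERIFIED = 3            # unverified requests tolerated per client before dropping
COOKIE = "ddos_chal"


def _token(client_ip, bucket):
    """HMAC over client address and time bucket; unforgeable without SECRET."""
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(client_ip, now, path):
    """302 back to the same path with a Set-Cookie a real browser will honour."""
    token = _token(client_ip, int(now) // TOKEN_LIFETIME)
    return {"status": 302,
            "headers": {"Location": path,
                        "Set-Cookie": f"{COOKIE}={token}; HttpOnly; Path=/"}}


def verify(client_ip, token, now):
    """Accept the current or previous bucket so a token does not expire mid-visit."""
    bucket = int(now) // TOKEN_LIFETIME
    return any(hmac.compare_digest(_token(client_ip, b), token or "")
               for b in (bucket, bucket - 1))


def decide(request, now, unverified):
    """Return 'serve', 'challenge' or 'drop' for one request.

    unverified: per-client count of requests that arrived without a valid token.
    """
    ip = request["client_ip"]
    if verify(ip, request.get("cookies", {}).get(COOKIE), now):
        return "serve"
    unverified[ip] = unverified.get(ip, 0) + 1
    return "drop" if unverified[ip] > MAX_UNVERIFIED else "challenge"


def simulate_browser(client_ip, now, path="/index.html"):
    """A browser follows the redirect and replays the cookie: one challenge, then served."""
    unverified, jar, outcomes = {}, {}, []
    for _ in range(2):
        req = {"client_ip": client_ip, "path": path, "cookies": dict(jar)}
        verdict = decide(req, now, unverified)
        outcomes.append(verdict)
        if verdict == "challenge":
            set_cookie = issue_challenge(client_ip, now, path)["headers"]["Set-Cookie"]
            name, value = set_cookie.split(";", 1)[0].split("=", 1)
            jar[name] = value
    return outcomes


def simulate_get_flood(client_ip, now, requests=5):
    """A GET-flooding zombie ignores redirects and cookies: challenged, then dropped."""
    unverified, outcomes = {}, []
    for _ in range(requests):
        outcomes.append(decide({"client_ip": client_ip, "path": "/"}, now, unverified))
    return outcomes


if __name__ == "__main__":
    print(simulate_browser("203.0.113.5", 1246957200))
    print(simulate_get_flood("203.0.113.9", 1246957200))
```

The token is checked with a constant-time compare and is bound to the client address, so a cookie harvested from one zombie is useless from another. Two caveats a practitioner should keep in mind: clients behind a shared NAT share one address and one counter, so the retry limit must be generous enough for them; and a Slowloris-style attack never completes a request, so no challenge is ever issued, which has to be handled with connection-level timeouts and limits rather than with this mechanism.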
R&D - Cooperative Security Control
Objective
Automatic information exchange & cooperative response framework
Cyber-attack forecast & alarm technology
Auto-response & traceback against cyber-attack
[Figure: information exchange entities at Internet service providers and antivirus software companies exchange information with the national CSIRT/CERT/KISC and respond cooperatively to DDoS attacks and single-packet attacks]
3. Conclusion
Information sharing
Information sharing is the most important factor for successful prevention of and response to incidents.
- For this purpose, we are improving the legal system and developing technology in Korea
International cooperation
Cyber attacks are cross-border
A consensus is needed on
- monitoring, keeping logs, information sharing, and cooperation against cross-border incidents
Awareness
It is the most difficult thing, but it is the most important for endpoint security.
We should improve not only the legal framework but also awareness.

Thank you