Transcript ppt - Apnic

Computer Security Incident Response in China
Shuang Zhu, Susan [email protected]
Xing Li, [email protected]
CERNET Center, Tsinghua University
Network Abuse BoF, 30 Aug, 2001
Outline
- Computer Security Concerns in China
  - Public Concerns
  - Government Concerns
  - Active Organizations
- CERNET & CCERT
- CCERT Services
- CCERT Experience
China Internet Overview
General Info about China Internet Development
- Internet Computers: ~10.02 M
  - 16% via Direct Connection
  - 84% via Dial-up Connection
- Internet Users: ~26.50 M
  - 17% via Direct Connection
  - 68% via Dial-up Connection
  - 15% via Direct & Dial-up Connection
- Web Sites: 243,000
Source: "China Internet Development Report", Jul 2001
Public Security Concerns
- Have you ever received spam?
  Yes: 63%  No: 37%
- Was your computer intruded last year?
  Yes: 47%  No: 43%  Unknown: 10%
- What kind of security measures are often taken (multiple answers allowed)?
  Virus Prevention: 75%  Firewall: 68%  Password Encryption: 37%
  Digital Signature: 7%  Not sure, handled by sysadmin: 7%  Nothing: 4%
- How often do you change the password of your email accounts?
  Once a month: 9%  Every 3~6 months: 21%  Every 6 months~1 year: 20%  Never: 50%
Source: "China Internet Development Report", Jul 2001
Government Concerns: Administrative Regulations Enacted by the State Council
- "Computer Information System Security Protection Bylaws", State Council Regulation No. 147, enacted on 18 Feb, 1994
- "Interim Regulation & its measures about International Connection Administration of Computer Information Network", State Council Regulation No. 195, enacted on 20 May & 8 Dec, 1997
Government Concerns: Administrative Regulations Enacted by Related Ministries
- Ministry of Information Industry
  - "ChinaNET International Connection Policy", 1996
  - "Internet Information Services Policy", 1996
- Ministry of Public Security
  - Regulation No.33 – Internet Connection Security Protection Policy for Computer Information Network, 30 Dec, 1997
  - Regulation No.51 – Computer Virus Prevention and Control Policy, 26 Apr, 2000
  - Announcement to Put Internet Systems on Records
- State Council Press Office
  - Interim Policy for Web Sites that Provide News Publication Services, 7 Nov, 2000
Government Concerns: Major Points related to Network Abuse
- Internet users must abide by state laws and administrative regulations, and must not abuse the Internet to engage in illegal activities, e.g. compromising state security, leaking state secrets, or creating, reading, copying and spreading illegal information that can hinder social order/security:
  - Illegally entering computer networks or using computer network resources
  - Deleting, modifying or adding the functions of computer networks
  - Deleting, modifying or adding the data or application programs stored, processed or transmitted in computer networks
  - Intentionally creating or spreading destructive programs such as computer viruses
  - Other behaviors that compromise computer network security
- ISPs have the responsibility to educate their customers to abide by computer security laws and regulations
- ISPs must record users' info such as connection time, account, IP address/domain name and keep it for 60 days; when necessary, they must assist related state offices with legal checks.
Active Organizations
- China's emergency response infrastructure is currently being built up:
  - CCERT, the first computer security incident response team in China, founded in May 1999
  - NJCERT, the first regional CSIRT in CERNET, founded in Oct 1999
  - ChinaNet Security Team
  - PLA, Ministry of Public Security
  - Security Rescuing Companies
  - CNCERT - China Computer Emergency Response Team Coordination Center, founded by the Security Administration Center of MII in Mar 2000
CERNET Briefs
CERNET - China Education and Research Network
- was established in 1994, is managed by the Ministry of Education, and serves the academic community in China
- is now the 2nd largest of the 10 national NSPs, connects 800+ universities and academic institutes in 180+ cities in all 31 provinces of mainland China, and serves 7.6+ million end users
- all 31 provinces in mainland China have high speed connectivity [OC3~OC48]
CERNET Structure
[Diagram: a four-tier hierarchy, Backbone > Regional > Provincial > Campus, with several provincial nodes under each regional node and several campus networks under each provincial node]
CCERT
CERNET Computer Emergency Response Team
- Established in May 1999
  - The first CSIRT in China
  - Funded by the CERNET center
  - Mainly serves the .EDU.CN community
  - About 10 staff
CCERT Organization Structure
[Diagram: CCERT/CC sits at the center, linked upward to CNCERT/CC, FIRST and international IRTs/SIRTs; below it are the regional IRTs (R-IRT, e.g. NJCERT), provincial IRTs (P-IRT) and campus IRTs (C-IRT) serving CERNET users, plus other IRTs and other networks]
CCERT Goals
- To provide incident response services
- To build up an information release and technical support platform for incident response
- To provide decision support services
- To promote information exchange and cooperation with regional/provincial/campus networks and other CSIRTs
CCERT Services
Mainly serves CERNET members, and also handles the incident reports of some other networks.
- Currently provides services in:
  - Incident response to intrusions, spam/email bombs, port scans, DoS, viruses, ...
  - Security advisories to system administrators
  - Releasing security information and resources
    - Announcements on anti-spam and anti-portscan measures; virus warnings
    - System patches and security tools
- and does research in network security:
  - Security management, IDS, security architecture, PKI
[Screenshot: www.ccert.edu.cn]
Incident Reports
in the 2 months from 22 Jun~21 Aug, 2001
- Spam/Email bomb: 738 cases
- Scan & Attack: 197 cases
- Viruses/Worms
  - 3 cases of virus
  - 275 cases of CodeRed & CR II worm
Some of the cases were not related to CERNET, but we received the complaints, so we try to provide a "best effort" service.
Common Scenarios
- Open relay spam in mail systems
  - About 90% of reports relate to spam emails
  - Improper configuration: the server relays mail for third parties
  - Harm:
    - Outside complaints
    - Domestic reports
    - Traffic theft, so costs increase
    - The Internet connection of the mail server gets totally blocked by upstream providers
    - Compromise of state/social security
  - Solutions: CCERT set up an anti-spam group to handle it
    - Open relay checks
    - Reconfiguring and upgrading the mail system
    - Blocking the spamming relayers
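The open relay check that the anti-spam group's first step refers to, as an added example rather than CCERT's own tool: it drives the SMTP dialogue only as far as RCPT TO and never sends DATA, so nothing is relayed even when the server is open. The probe identities, the simulated server and its domain are constructed for offline use; `socket_transport` is the only part that touches the network and is an assumption about how you would attach it to a live host you are authorised to test.

```python
import socket
from typing import Callable, Dict

# A transport sends one SMTP command line and returns the full reply text.
Transport = Callable[[str], str]

# Probe identities: assumptions for the example, not values from the slides.
PROBE_HELO = "probe.example.net"
PROBE_FROM = "relay-probe@example.net"
PROBE_RCPT = "victim@third-party.example"   # a domain the target is not responsible for


def reply_code(reply: str) -> int:
    """Status code from the last line of a (possibly multi-line) SMTP reply; 0 on EOF."""
    lines = reply.strip().splitlines()
    return int(lines[-1][:3]) if lines else 0


def smtp_dialogue(send: Transport, rcpt: str = PROBE_RCPT) -> Dict[str, str]:
    """EHLO, MAIL FROM, RCPT TO, then RSET/QUIT. DATA is never sent, so no
    message is relayed even if the server turns out to be open."""
    replies = {}
    replies["ehlo"] = send(f"EHLO {PROBE_HELO}")
    replies["mail"] = send(f"MAIL FROM:<{PROBE_FROM}>")
    replies["rcpt"] = send(f"RCPT TO:<{rcpt}>")
    send("RSET")
    send("QUIT")
    return replies


def is_open_relay(send: Transport) -> bool:
    """True when a recipient in a foreign domain is accepted (2xx at RCPT TO).
    Servers that defer the relay decision until DATA are not caught by this probe."""
    return reply_code(smtp_dialogue(send)["rcpt"]) // 100 == 2


class FakeSmtpServer:
    """Constructed stand-in for a campus mail server (not a real MTA).
    relay=True reproduces the misconfiguration described in the slide."""

    def __init__(self, local_domains, relay: bool):
        self.local = {d.lower() for d in local_domains}
        self.relay = relay

    def __call__(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.edu.cn\r\n250 8BITMIME"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in self.local or self.relay:
                return "250 OK"
            return "554 5.7.1 Relay access denied"
        if verb == "RSET":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unknown command"


def socket_transport(host: str, port: int = 25, timeout: float = 10.0) -> Transport:
    """Transport over a live TCP connection; consumes the banner before returning.
    Only probe servers you are authorised to test."""
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")

    def read_reply() -> str:
        lines = []
        while True:
            line = reader.readline().decode("ascii", "replace")
            lines.append(line)
            # "250-..." continues a multi-line reply; "250 ..." (or EOF) ends it.
            if len(line) < 4 or line[3] != "-":
                return "".join(lines)

    read_reply()  # server greeting

    def send(cmd: str) -> str:
        sock.sendall((cmd + "\r\n").encode("ascii"))
        return read_reply()

    return send


if __name__ == "__main__":
    for relay in (True, False):
        server = FakeSmtpServer(["example.edu.cn"], relay=relay)
        print(f"relay={relay}: open relay detected = {is_open_relay(server)}")
```

A single foreign recipient is enough to flag the classic misconfiguration; a fuller audit would also try source-routed and percent-hack addresses, which some old MTAs relayed even when plain third-party recipients were refused.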
Common Scenarios
- Port scan, the sign of an intrusion attempt
  - Popular service discovery: ftp, telnet, ssh, smtp, pop/imap, sunrpc, netbios, klogind, socks
  - System vulnerability scans with tools like SATAN
- Intrusions
  - Most intrusions make use of well-known system vulnerabilities:
    - Solaris rpc.statd, rpc.ttdbserver
    - Linux imapd, wu_ftp
    - FreeBSD pop3d
    - Win2k Terminal Server
  - Many of them were reported from outside, and even their administrators were unaware of them.
Common Scenarios
- DoS attack
  - land, teardrop; SYN flood; ICMP: smurf
  - Router: remote reset, UDP port 7
  - Windows: port 135, 137, 139 (OOB), terminal server
  - Solaris/Linux
- DDoS
  - The goal is to destroy the availability of systems and the network
  - Common tools: Trin00, TFN/TFN2K, Stacheldraht
  - Difficult to prevent
  - IP spoofing and traffic encryption make it difficult to track
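Detection logic for the scan and DoS patterns named on this slide and the previous one, as an added example that is not CCERT's code: it classifies packet records for port scans, land (source equals destination), smurf (ICMP echo to a directed broadcast) and SYN floods. The thresholds, addresses and sample traffic are constructed; teardrop is left out because it needs fragment offsets the record does not carry.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Minimal packet record; the fields a sniffer or flow log would provide."""
    t: float            # seconds since capture start
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags, e.g. "S" for a bare SYN
    icmp_type: int = -1


# Thresholds are assumptions for the example, not figures from the slides.
SCAN_PORTS = 10     # distinct ports on one host from one source ...
SCAN_WINDOW = 5.0   # ... within this many seconds
SYN_COUNT = 100     # bare SYNs to one destination ...
SYN_WINDOW = 1.0    # ... within this many seconds


def is_land(p: Packet) -> bool:
    """land: a SYN whose source equals its destination (address and port)."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def is_smurf(p: Packet, local_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """smurf: ICMP echo request addressed to one of our directed broadcasts."""
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    dst = ipaddress.ip_address(p.dst)
    return any(dst == n.broadcast_address for n in local_nets)


def port_scans(packets: Iterable[Packet]) -> Set[str]:
    """Sources touching >= SCAN_PORTS distinct ports on one host within SCAN_WINDOW."""
    seen: Dict[tuple, List[tuple]] = defaultdict(list)
    hits = set()
    for p in sorted(packets, key=lambda q: q.t):
        if p.proto not in ("tcp", "udp"):
            continue
        key = (p.src, p.dst)
        seen[key] = [(t, port) for t, port in seen[key] if p.t - t <= SCAN_WINDOW]
        seen[key].append((p.t, p.dport))
        if len({port for _, port in seen[key]}) >= SCAN_PORTS:
            hits.add(p.src)
    return hits


def syn_floods(packets: Iterable[Packet]) -> Set[str]:
    """Destinations receiving >= SYN_COUNT bare SYNs within SYN_WINDOW."""
    recent: Dict[str, List[float]] = defaultdict(list)
    hits = set()
    for p in sorted(packets, key=lambda q: q.t):
        if p.proto != "tcp" or p.flags != "S":
            continue
        recent[p.dst] = [t for t in recent[p.dst] if p.t - t <= SYN_WINDOW]
        recent[p.dst].append(p.t)
        if len(recent[p.dst]) >= SYN_COUNT:
            hits.add(p.dst)
    return hits


def classify(packets: List[Packet], local_nets) -> Dict[str, List[str]]:
    """Run every detector and return sorted offender/victim lists per category."""
    return {
        "land": sorted({p.src for p in packets if is_land(p)}),
        "smurf": sorted({p.src for p in packets if is_smurf(p, local_nets)}),
        "scan_sources": sorted(port_scans(packets)),
        "syn_flood_targets": sorted(syn_floods(packets)),
    }


# Constructed sample traffic (addresses are placeholders, not CERNET's).
LOCAL_NETS = [ipaddress.ip_network("202.112.0.0/24")]
SCANNED = [21, 23, 22, 25, 110, 143, 111, 139, 543, 1080, 512]
SAMPLE: List[Packet] = (
    [Packet(0.0, "202.112.0.9", "202.112.0.9", "tcp", 139, 139, "S")]          # land
    + [Packet(0.5, "10.9.9.9", "202.112.0.255", "icmp", icmp_type=8)]          # smurf
    + [Packet(1.0 + i * 0.1, "10.1.1.1", "202.112.0.10", "tcp", 40000 + i, port, "S")
       for i, port in enumerate(SCANNED)]                                        # scan
    + [Packet(5.0 + i * 0.005, f"172.16.1.{i + 1}", "202.112.0.20", "tcp", 1024 + i, 80, "S")
       for i in range(150)]                                                      # SYN flood
)

if __name__ == "__main__":
    for category, hosts in classify(SAMPLE, LOCAL_NETS).items():
        print(f"{category}: {hosts}")
```

The SYN-flood detector keys on the destination rather than the source because, as the slide notes, the sources are spoofed; the scan detector keys on the (source, destination) pair so a flood of spoofed single-port SYNs is not mistaken for a scan.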
Common Scenarios
DDoS Attack & Prevention
- The 2 stages:
  - The 1st stage, control a lot of hosts: gain control of many systems through their vulnerabilities and install DDoS agents
  - The 2nd stage, initiate the attack: send numerous TCP/UDP/ICMP packets to the target system to exhaust its bandwidth so that it cannot respond to requests normally
- DDoS prevention
  - All systems in the network must be configured properly so as not to become a source of DDoS
  - Router/firewall config: filter packets with spoofed IP sources
  - Detection tools: find_ddosv31, ddos_scan, rid
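The router/firewall anti-spoofing filter from the prevention list, as an added example (not a CERNET router configuration): the decision is written as a function so it can be checked offline, and the same rule is rendered as an IOS-style extended ACL. The campus prefix, the outside address and the ACL name are assumptions; check the generated syntax against your own platform before using it.

```python
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed campus address plan: an assumption for the example, not CERNET's allocation.
CAMPUS_PREFIXES = [ip_network("202.112.0.0/22")]

# Sources that must never cross the upstream link in either direction.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def filter_source(src: str, direction: str) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` may cross the border.
    direction: "in" = arriving from upstream, "out" = leaving the campus.
    Returns (permit, reason)."""
    a = ip_address(src)
    if in_any(a, BOGONS):
        return False, "bogon or private source"
    if direction == "in" and in_any(a, CAMPUS_PREFIXES):
        return False, "spoofed: our own prefix arriving from outside"
    if direction == "out" and not in_any(a, CAMPUS_PREFIXES):
        return False, "spoofed: foreign source leaving our network"
    return True, "ok"


def egress_acl_lines(name: str = "NO-SPOOF-OUT") -> List[str]:
    """IOS-style extended ACL equivalent of the "out" rule: permit only our own
    prefixes as source and log everything else. Apply it outbound on the
    upstream interface."""
    lines = [f"ip access-list extended {name}"]
    for n in CAMPUS_PREFIXES:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    # Constructed cases, including a DDoS agent inside the campus spoofing an outside source.
    for src, direction in [("202.112.1.5", "out"), ("198.51.100.7", "out"),
                           ("202.112.1.5", "in"), ("198.51.100.7", "in"), ("10.0.0.1", "out")]:
        print(direction, src, filter_source(src, direction))
    print("\n".join(egress_acl_lines()))
```

The egress rule is the one that keeps a compromised campus host from being a useful DDoS agent, since the agents on the slide rely on spoofed sources; the ingress rule protects the campus from packets claiming to come from inside.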
Common Scenarios Summary
- Need an explicit security management strategy
- The vendor's distribution is rarely current
  - The default configuration is insecure: not patched and running unnecessary services
  - More than 99% of intrusions can be prevented by proper system configuration
  - Multiple services are running on the same system: DNS/Mail/Web/FTP
- The passwords on public servers are too simple
- Auditing is not enabled, or the sysadmin never checks the audit logs
- No backups: very difficult to recover after an intrusion
Case study: Campaign against CodeRed II
- The first incident report was received on 1 Aug, 2001
- A Code Red alert was also received from APNIC in Aug
- In terms of damage, CR II is by far the worst computer worm to affect mainland China: it caused many traffic jams, rapidly spread into all backbone networks in China, and infected more than 10,000 systems in 20+ provinces
- A special team was immediately established in CCERT to deal with the CodeRed II issue:
  - built up an accurate contact info database and emergency response teams at 4 levels within a very short period
  - issued 2 advisory announcements and alerts: patch info, countermeasures, latest infection status and successful cases of removing "Code Red"
  - 7x24 hot-line support
Case study: Campaign against CodeRed II
- Things are getting better now
  - Most system administrators came to know about this issue and are conscious of self-protection.
  - The number of systems infected with CR II decreased very quickly.
  - Gained much experience in emergency response
CCERT's Experience in Incident Response
- To set up security related infrastructure
  - Contact info database
    - IP address / RP mapping
    - In both Chinese and English
  - Vulnerabilities database
    - Conforms to CVE
    - Vulnerability description
    - In both Chinese and English
  - Support service platform
    - Effective and automatic incident handling
    - Incident response tracking
CCERT's Experience: Security Related Infrastructure
About accurate contact info:
- The CERNIC whois database plans to add an "abuse-c" attribute to the inetnum object to specify the accurate responsible contact for network abuse.
- Suggestions to the APNIC database:
  - To add a similar mandatory attribute for network abuse handling to the inetnum object
    - well-known to the security-interested community
  - To accept NIC handles of members, at least large members who have set up a VL whois database.
    - A local database can be administratively more accurate and up to date.
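The IP-to-responsible-contact lookup that the abuse-c attribute is meant to make reliable, as an added example that is not CERNIC's or APNIC's code: it parses RPSL-style inetnum objects, finds the most specific range covering an address, and prefers an abuse-c walked outward from that range before falling back to the admin-c of the most specific object. The objects, handles, netnames and ranges are constructed, and the attribute names follow RIPE-style whois syntax rather than CERNIC's actual schema.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed objects in RIPE-style RPSL syntax; handles and ranges are placeholders.
WHOIS_TEXT = """\
inetnum:    202.112.0.0 - 202.112.255.255
netname:    CERNET-EXAMPLE
descr:      constructed aggregate, no abuse-c
admin-c:    XL1-EX
tech-c:     XL1-EX

inetnum:    202.112.8.0 - 202.112.11.255
netname:    REGION-EXAMPLE
admin-c:    RG2-EX

inetnum:    202.112.8.0 - 202.112.8.255
netname:    CAMPUS-A-EXAMPLE
admin-c:    AD3-EX
abuse-c:    AB4-EX
"""


def parse_objects(text: str) -> List[Dict[str, str]]:
    """Blank-line-separated objects -> dicts; repeated attributes are joined by newlines."""
    objs, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objs.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        cur[key] = f"{cur[key]}\n{val}" if key in cur else val
    if cur:
        objs.append(cur)
    return objs


def inetnum_bounds(obj: Dict[str, str]):
    lo, _, hi = obj["inetnum"].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def covering_objects(ip: str, objs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """All inetnum objects containing ip, most specific (smallest range) first."""
    addr = ipaddress.ip_address(ip)
    found = []
    for o in objs:
        if "inetnum" not in o:
            continue
        lo, hi = inetnum_bounds(o)
        if lo <= addr <= hi:
            found.append((int(hi) - int(lo), o))
    return [o for _, o in sorted(found, key=lambda x: x[0])]


def abuse_contact(ip: str, objs: List[Dict[str, str]]) -> Optional[Tuple[str, str, str]]:
    """(handle, attribute used, netname). Walk outward from the most specific
    object looking for abuse-c; only if no covering object has one, fall back to
    the admin-c/tech-c of the most specific object. That fallback is the guesswork
    a mandatory abuse attribute would remove."""
    chain = covering_objects(ip, objs)
    if not chain:
        return None
    for o in chain:
        if "abuse-c" in o:
            return o["abuse-c"], "abuse-c", o.get("netname", "")
    for attr in ("admin-c", "tech-c"):
        if attr in chain[0]:
            return chain[0][attr], attr, chain[0].get("netname", "")
    return None


if __name__ == "__main__":
    objs = parse_objects(WHOIS_TEXT)
    for ip in ("202.112.8.77", "202.112.9.1", "202.112.200.1", "198.51.100.1"):
        print(ip, "->", abuse_contact(ip, objs))
```

In the sample only the campus object carries abuse-c, so a report about 202.112.9.1 lands on the regional admin-c, who may not handle abuse at all; that is the situation the slide's proposal addresses.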
CCERT's Experience (cont)
- Technical support
  - CERNET has both a production and an experimental network, so various security experiments can be done.
  - Security-related national key research projects undertaken by CERNET: network management; network security; secure router; high speed IP network security monitoring system - traffic analysis and coordinated distributed intrusion detection; ...
- Controllable network infrastructure
  - Routing, DNS, NMS, mail systems
  - Centralized control: the CERNET backbone has extended to all provincial nodes
CCERT's Experience (cont)
- Cooperation and coordination
  - Cooperate with each other, and do not be a relay for attacks
  - Emergency response services require the coordination and cooperation of the whole Internet community.
- Education services
  - Users should be conscious of self-protection, and realize that everyone is responsible for computer security. The security of the whole network relies on the security consciousness of all users and the popularization of security technologies.
CERNET & CCERT will serve
- More than 320M users from 10,000 universities and schools in 300+ cities in mainland China
For more information:
- CERNET: http://www.edu.cn/
- CCERT: http://www.ccert.edu.cn/