Presentation
Download
Report
Transcript Presentation
DOCUMENT #:
GSC13-GTSC6-07
FOR:
Presentation
SOURCE:
TTA, Korea
AGENDA ITEM:
GTSC; 4.2
CONTACT(S):
Heung-youl Youm ([email protected])
TTA activity for countering BOTNET
attack and tracing cyber attacks
14 July, 2008
Heung-youl Youm
TTA, Korea
Submission Date:
July 1, 2008
Highlight of Current Activities (1/3)
• TTA’s standardization activities in the are of information
security have been coordinated with global SDOs, especially
ITU-T. Nowadays, TTA is now focusing on developing the
standards or guidelines for the following areas:
•
•
•
•
•
•
Information Security Infrastructure
Personal Information Protection & Identity management
Cyber Security
Application Security & Evaluation Certification
Telebiometrics
Digital Right Management
• PG (Project Group) 503 on Cyber Security in TTA is now
developing standards or guidelines for countering BOTNET
and tracing cyber attacks in Korea.
2
Highlight of Current Activities (2/3)
• TTA’s contributions for this area since GSC12
include the followings:
– Submitting a contribution to establish new Question on the
tracing cyber attacks and Digital Forensic on ITU-T
September 2007 Geneva SG17 meeting;
• As a result of discussion of ITU-T April 2008 Geneva SG17 meeting,
this subjects are recognized as important topics, SG17 agreed to
include these subjects in current Question 6/17 on cyber attacks and
continue to study during next Study Period, to include these subjects
to the Question(Q.K/17) Text.
– Establishing four work items in PG 503 in 2008;
•
•
•
•
Framework for tracing cyber attacks, under development
Security Requirements for tracing cyber attacks, under development
Digital Image Exchange Format for digital forensics, under development
Digital data analysis tool requirement for computer forensics, under
development
3
Highlight of Current Activities (3/3)
– Involving in activities to develop ITU-T Recommendations, such as
ITU-T X.tb-ucr on Traceback use case and requirements since April
2008.
– Developing domestic standard on Cyber Attack Tracing Event
Exchange Format(TTAS.KO-12.0060) adopted from IETF RFC 3067:
Approved December 2007.
• This standard is the content about tracing event exchange format for tracing attacker through collaboration among
several administrative domains for securing network infrastructure, this standard describes tracing event exchange
format requirements, the operational model for processing tracing event exchange format, data classes constituting
tracing event exchange format. This standard contributes to design and develop communication mechanism of
trace event, attacker trace system, and so on efficiently.
• Note that Korea has put in place the DNS sinkhole scheme for countering
BOTNET since 2005 and Japan also has put in place the Clean Cyber
Center for countering BOTNET.
– DNS sink hole scheme is focusing on identifying the IP address of BOTNET controller and
breaking the communication between the BOT-infected PCs and command controller of
BOTNET, while CCC is focusing on identifying the IP address of BOT-infected PCs and curing
that BOT-infected PC using the anti-BOT program which is downloaded from the web site of
CCC.
4
Strategic Direction
• Since TTA recognized the importance and significance of these
subjects, the strategic direction of TTA includes;
– To support continually the domestic standardization activities;
– To contribute to global standardization activities in global SDO,
especially ITU-T SG17 Question 6;
– To continue to adopt well-defined standards produced by
Global SDOs to domestic standards.
5
Challenges(1/2)
• Nowadays, the most serious threats to the telecommunication
operator are both attacks from BOTNET and attacks from
unknown source.
• In the current IP-based network, there is a huge number of
unwanted traffics from DDoS attacks, spams, worms and so on,
and there are increasing e-crimes such as the loss of sensitive
information and network fraud. And most of these attackers and
criminals use spoofed IP addresses. However, as the IP network is
a hop-by-hop packet forwarding network where the routers don’t
keep any information of the packets forwarded normally, the
network itself hasn’t the ability to identify the source (IP address)
of attacker.
6
Challenges(2/2)
• Since cyber attacks are launched across the physical frontier of
one country, that is, beyond the border, the operator in one
domain should collaborate with other operator in other domain to
locate the exact source of cyber attack.
• Digital forensics against the telecommunication refers to a process
to incident investigation of cyber attacks for obtaining evidence in
the telecommunication. The evidence data for identifying cyber
attack should be shared among relevant organizations or
telecommunication operators. The tecom-based IT forensics and
the trace-back can achieve their goal with the help of the
telecommunication operator.
7
Next Steps/Actions
• TTA continue to contribute to the ITU-T SG17 activities, especially
Q.6/17 activities, in the trace-back area:
– Especially “the information exchange formats and protocols for
tracing the cyber attacks in multi-domain network environment”.
• TTA will consider combining Japanese’s CCC scheme and Korea’s
DNS sink hole scheme to submit a contribution for countering
BOTNET attacks to ITU-T in collaboration with Japanese experts.
• In addition, TTA will support to develop the domestic standards
which are closely related to the Korea’s regulation in this area.
8
Proposed Resolution
• Tracing cyber attacks and countering BOTNET could be significant
countermeasures to the cyber crimes or attacks over the IP
network. They can help to solve the serious problems, such as:
– Help to fight against DDoS attacks, SPAMs, worms and so on.
– Provide technical solutions to counter cyber crimes and trace back to the
roots of attackers. This would deter criminals and reduce the amount of traffic
of network crimes.
• In conclusion, it is necessary to add to Resolution GSC-12/19 on
cyber security the following item;
– Global SDOs and PSOs are required to develop standards or
guidelines to protect against BOTNET attacks and facilitate tracing
the source of an attacker including IP-level traceback, applicationlevel traceback, user-level traceback in the IP-based network.
9
Supplemental Slides
10
Definitions on a BOTNET and an IP
traceback
• BOTNET refers to a collection of software agents, in which
multiple computing devices cooperate to generally achieve
unwanted results [defined by the experts of ITU-T SG17
Question 17 at the ITU-T April 2008 Geneva SG17 meeting].
Sometimes, BOTNET is frequently used to deliver spam, to
launch the massive cyber attacks such as DDoS attacks, to
leak private information from users.
• IP traceback refers to any method for reliably determining
the origin of a packet on the Internet even if an attacker use
a spoofed IP address. In Wikipedia
11
How Bot is created and used to launch
cyber attacks?
1. Commands to look for another
user’s computer to be infected
with Bot program.
Bot infected computer
Botnet C&C
Bot herder
4. Commands to look for another
user computer or launch a DDoS
attack
Bot
Victim
2. Send out worm or virus,
infecting another user
computer.
5. Scans IP
Network for
infection
3. The Bot of the an infected computer logs
into a particular Bot C&C server.
6. Use Botnet to launch a
DDoS attacks to victim
12
Typical Example of traceback – ICMPbased Traceback
ICMP packet with
address information
Incoming packet stream
1/20,000
Attacker
R4
R2
R7
R8
R5
R11
R1
R9
R3
Victim
R10
R6
R11
R7
R1
R11 - R7 - R4 - R2 - R1
Sort
Reconstructed
route
• An ICMP packet including a router address is generated and
forwarded by the router in the connection chain to a victim
host every specific number of normal IP packets received.
• It is compatible with the existing protocols.
• It allows post-attack analysis
13
Typical Example of traceback – PPM
(Probabilistic Packet Marking)
Marked Packet
with probability p
Incoming packet stream
R4
R7
R2
R8
R5
R11
R1
Attacker
R9
Victim
R10
R3
R6
R11 - R7 - R4 - R2 - R1
Buffer of marked
Packets
Reconstruction
Processing
Reconstructed route
14