Countermeasures against DDoS Attacks in Korea (May 2010)


Jeong, Hyun-Cheol

2 Contents
1. DDoS Attacks in Korea
2. Countermeasures against DDoS Attacks in Korea
3. Conclusion

3 Part 1: DDoS Attacks in Korea
- DDoS Attack Trends
- 7.7 DDoS Attack and Lessons

4 Status of the IP Network in Korea
- Domains: 1.8 M
  - .kr: 1 M
  - gTLD (.com, .net, ...): 0.8 M
- Hosts: 8.7 M
- Mobile Phone Users: 46 M
- Internet Users: 36 M
- High-speed Internet Users: 15.7 M
- IPTV Users: 1 M
- VoIP Users: 7.1 M
- IDCs: 60
- ISPs: 154
- Population of S. Korea: 49 M
(1 M = 1,000,000)

5 DDoS Attacks in Korea: Status & Trends
DDoS Attacks in Korea
- The first DDoS attack occurred in 2006
- Increase of target systems: Small Websites → Major Websites (Bank, Portal, ...)
- Increase of ransom DDoS
- Increase of Application-layer DDoS attacks (above 50%)
  - HTTP GET flooding, Slowloris, SIP flooding
  - Network Bandwidth Consumption → System Resource Consumption
- Application-layer DDoS attacks are hard to detect and block
  - Because each zombie PC generates only a small amount of traffic, legacy security solutions have difficulty detecting them.
[Chart: risk by target type. Targets: Bank, Shopping, Game Site; Portal, Public Site; Chat, Gamble Site; Online Game Site. Attack types: Web Server targeted DDoS; DNS, Private IP targeted DDoS]
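The slide's point that each zombie PC generates too little traffic for a per-source rule to fire is easy to see in a web server log. The following is an added example, not code from the presentation: it runs a legacy-style per-IP rate rule and a per-target aggregate rule over constructed access-log lines (addresses from documentation ranges; thresholds, window size and function names are assumptions). The per-IP rule stays silent while the aggregate rule flags the target URL because many sources contributed a little each.

```python
"""Detecting a distributed, low-rate HTTP GET flood from access logs.

Added example (not from the original slides). Each zombie sends only two
requests, so a per-source rate rule never fires; aggregating by target URL
across all sources in a time window exposes the flood. All log lines are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime


def _build_sample_log():
    """Constructed Apache common-log style lines (not real traffic):
    30 zombie hosts send 2 GETs each to /index.html within 10 seconds,
    plus three normal users browsing other pages."""
    lines = []
    for i in range(30):
        ip = f"203.0.113.{i + 1}"  # TEST-NET-3 documentation range
        for k in range(2):
            ts = f"07/Jul/2009:18:00:{(i * 2 + k) % 10:02d} +0900"
            lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
    lines += [
        '198.51.100.7 - - [07/Jul/2009:18:00:03 +0900] "GET /news HTTP/1.1" 200 900',
        '198.51.100.8 - - [07/Jul/2009:18:00:05 +0900] "GET /login HTTP/1.1" 200 300',
        '198.51.100.9 - - [07/Jul/2009:18:00:08 +0900] "GET /news HTTP/1.1" 200 900',
    ]
    return lines


SAMPLE_LOG = _build_sample_log()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one common-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "method": m.group("method"), "path": m.group("path")}


def _bucket(ts, window_seconds):
    """Fixed time window index for a timestamp."""
    return int(ts.timestamp()) // window_seconds


def per_source_rule(lines, window_seconds=10, per_ip_limit=10):
    """Legacy-style rule: flag any single source that sends more than
    per_ip_limit requests inside one window. Returns the flagged IPs."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["ip"], _bucket(rec["ts"], window_seconds))] += 1
    return {ip for (ip, _), n in counts.items() if n > per_ip_limit}


def distributed_flood_rule(lines, window_seconds=10, aggregate_limit=20, min_sources=10):
    """Aggregate GET requests per (path, window) across all sources.
    A path is flagged when the total exceeds aggregate_limit AND at least
    min_sources distinct IPs contributed, i.e. the load is spread thin
    over many hosts rather than coming from one noisy client."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "GET":
            continue
        key = (rec["path"], _bucket(rec["ts"], window_seconds))
        total[key] += 1
        sources[key].add(rec["ip"])
    flagged = {}
    for (path, _), n in total.items():
        n_src = len(sources[(path, _)])
        if n > aggregate_limit and n_src >= min_sources:
            flagged[path] = {"requests": n, "sources": n_src,
                             "avg_per_source": round(n / n_src, 2)}
    return flagged


if __name__ == "__main__":
    print("per-source rule flagged:", per_source_rule(SAMPLE_LOG) or "nothing")
    print("aggregate rule flagged:", distributed_flood_rule(SAMPLE_LOG))
```

In production the window would slide and the thresholds would come from a per-URL baseline, but the structure is the same: key on the target, count the contributors, and compare the spread against what legitimate traffic to that resource normally looks like.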

6 7.7 DDoS Attack (1/3)
- Attack Time: every 6 p.m., July ~ July
- Attack Targets: 22 Korean sites, 14 U.S. sites
  - Korean sites: the Blue House, National Assembly, major portal & banking sites, ...
- Estimated Damage: 3,300 ~ 4,950 million dollars (Src.: Hyundai Research Institute)
Timeline:
- 1st Day Attack: 6 PM, July 7
- 2nd Day Attack: 6 PM, July 8
- 3rd Day Attack: 6 PM, July 9
- After DDoS, hard disks destroyed: 0 AM, July 10

7 7.7 DDoS Attack (2/3) - Characteristics
Very large-scale and organized attack
- Zombies were infected through a famous Korean web hard site that had been exploited
- Lots of zombie PCs (about 115,000) were used in the attack
- Lots of servers (about 400) were used to control the zombies
Premeditated and intelligent attack
- The attack start time of 6 PM was coded into the malware (logic bomb)
- The zombies' hard disks were destroyed after the DDoS → erasing the attack evidence
- We could not learn who the attackers were or what their intention was

8 7.7 DDoS Attack (3/3) - Lessons
More attention to Endpoint Security
- In Korea, DDoS defense was primarily focused on network security, such as blocking the C&C channel and filtering traffic.
- But the 7.7 DDoS attack rarely used a C&C server.
- We should pay more attention to endpoint security! But it is not easy.
[Diagram: C&C → Zombie PC → victim. Network Defense, e.g. blocking the C&C channel, filtering the DDoS traffic. Endpoint Defense, e.g. detection/removal of malicious code from zombie PCs]
Expand Information Sharing
- Information sharing between government and private sector
  - Cooperation between government, ISPs, anti-virus vendors, and DDoS victims
  - Sharing of malicious code samples, attack logs, and analysis results
- Cross-border information sharing
  - The US was also attacked 2 days before the 7.7 DDoS (2009/7/5)
  - Zombies and servers used in the 7.7 DDoS were distributed across about 60 countries
Need for a Control Tower
- A control tower is needed for an effective national response to large-scale attacks

9 Part 2: Countermeasures against DDoS Attacks in Korea
- Operation of DNS Sinkhole Server
- Improvement of Legal Framework
- Development of Technologies

10 Operation of DNS Sinkhole Server
Before DNS sinkhole operation:
① Bot-infected PCs send a C&C DNS query to the ISP DNS server
② The ISP DNS server returns the C&C IP address
③ The bots connect to the C&C
④ The C&C sends commands
⑤ DDoS attack on the target sites
After DNS sinkhole operation:
① Bot-infected PCs send a C&C DNS query to the ISP DNS server
② The ISP DNS server returns the sinkhole IP address
③ The bots connect to the KISA sinkhole server
- Bot-infected PCs are out of the botmaster's control
- The sinkhole server collects the bot-infected PCs' information
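The before/after flow on this slide can be walked through step by step. The following is an added example written for this transcript, not KISA's or any ISP's code: a toy resolver that answers known C&C names with the sinkhole address, a sinkhole that records each connecting client instead of issuing commands, and a scenario function that runs the same bots with the sinkhole policy off and on. All hostnames and addresses are constructed placeholders from documentation ranges.

```python
"""DNS sinkhole flow (slide 10) as an added example; not the original code.

Without a sinkhole policy the ISP resolver answers the bot's query for its
C&C hostname with the real C&C address (steps ①-④). With the policy loaded,
queries for listed C&C names are answered with the sinkhole address instead,
so the bot connects to the sinkhole, receives no command, and its source
address is logged as an infected PC. Names and addresses are placeholders.
"""
from dataclasses import dataclass, field

# Constructed answers the resolver would normally hand out (TEST-NET ranges).
UPSTREAM_ANSWERS = {
    "cnc.example.invalid": "192.0.2.10",   # placeholder C&C hostname/address
    "www.example.org": "192.0.2.80",       # ordinary site that must stay reachable
}
SINKHOLE_IP = "198.51.100.53"              # placeholder sinkhole address
CNC_NAME = "cnc.example.invalid"


@dataclass
class IspResolver:
    """ISP DNS server. sinkhole_list holds the C&C names shared by KISA."""
    sinkhole_list: set = field(default_factory=set)
    sinkhole_ip: str = SINKHOLE_IP

    def resolve(self, name):
        # Step ②: listed C&C names get the sinkhole address, others resolve normally.
        if name in self.sinkhole_list:
            return self.sinkhole_ip
        return UPSTREAM_ANSWERS.get(name)


@dataclass
class SinkholeServer:
    """Records every client that connects; never returns a command."""
    ip: str = SINKHOLE_IP
    infected: list = field(default_factory=list)  # (client_ip, queried name)

    def handle_connection(self, client_ip, name):
        # Step ③ after sinkholing: log the infected PC, answer with nothing.
        self.infected.append((client_ip, name))
        return None


@dataclass
class CncServer:
    """Stand-in for the botmaster's server before sinkholing."""
    ip: str

    def handle_connection(self, client_ip, name):
        # Step ④ before sinkholing: the C&C issues a command to the bot.
        return "command"


def run_bot(bot_ip, cnc_name, resolver, servers):
    """Steps ① and ③: resolve the C&C name and connect to whatever comes back.
    Returns (address_connected_to, command_or_None)."""
    addr = resolver.resolve(cnc_name)
    server = servers.get(addr)
    if server is None:
        return addr, None
    return addr, server.handle_connection(bot_ip, cnc_name)


def scenario(sinkhole_enabled):
    """Run two bots through the flow. Returns (normal_site_answer,
    {bot_ip: (address, command)}, sinkhole_log)."""
    sinkhole = SinkholeServer()
    cnc = CncServer(ip=UPSTREAM_ANSWERS[CNC_NAME])
    resolver = IspResolver(sinkhole_list={CNC_NAME} if sinkhole_enabled else set())
    servers = {cnc.ip: cnc, sinkhole.ip: sinkhole}
    results = {}
    for bot_ip in ("203.0.113.5", "203.0.113.6"):   # constructed infected PCs
        results[bot_ip] = run_bot(bot_ip, CNC_NAME, resolver, servers)
    return resolver.resolve("www.example.org"), results, sinkhole.infected


if __name__ == "__main__":
    for enabled in (False, True):
        site, results, log = scenario(enabled)
        print(f"sinkhole {'on' if enabled else 'off'}: bots -> {results}; "
              f"infected log = {log}; www.example.org -> {site}")
```

The check that matters operationally is the last value returned by `scenario`: the sinkhole list must only ever redirect the listed C&C names, so an unrelated site resolves identically with the policy on and off, while the sinkhole log becomes the list of infected PCs to hand to the ISP for cleanup.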

11 Zombie PC Prevention Law (Draft)
Objective
- Prevent the spread of zombie PCs: strengthen the online security requirements for both individuals and companies
- Rapid response through information sharing
Major Contents
- Request SW developers to fix SW vulnerabilities
- Order the removal of malware from web sites
- Limit zombie PCs' Internet connection in an emergency
- Allow access to zombie PCs for incident analysis
Issues
- Excessive, and may compromise liberty in Internet usage

12 R&D - Botnet Detection and Response
Objective
- Detection and blocking of botnets abused in various cyber crimes
- Identifying bot C&C and zombie PC lists and monitoring their behaviors
[Diagram: ISP network based botnet detection & response technology. (A) Network behavior based botnet detection system: botnet traffic collecting sensors feed a botnet monitoring system, which raises detection events. (B) Botnet monitoring / response system: botnet information drives response policies/rules (DNS sinkhole, BGP feeding, web firewall rule, ...) applied at the web firewall, DNS server, router and security appliance. Covers centralized botnets (command / control server) and distributed botnets. Host based bot detection & response technology: (1) spybot based real-time botnet monitoring system, (2) bot collecting, detecting, analyzing server fed by a spam trap system and web server with real-time botnet behavior data, (3) host based botnet traffic filtering agent on the user PC]

13 R&D - Automatic Malware Collection/Analysis/Response
Objective
- Automation of the life cycle of incident response: collection of malware → analysis → blocking traffic → removal of malware from zombies
[Diagram: Malware spreading prevention and malware management system. Malware Auto Collection System (sources: system vulnerability, web, spam, IM; malware-infected PC auto-analysis system, e.g. Conficker, Palevo) → Malware Auto Analysis System (executable binary code: .DLL, .EXE, .xls, .pdf, Flash, .doc, .ppt; outputs malware information and malware propagation method) → Malware Distribution Site Detection System (detecting malicious sites) → Malware DNA & response signature management, malware distribution site management, malware classification & history management, zombie PC Internet access blocking (prevent malware spread/response)]

14 R&D - DDoS Attack Detection and Defense
Objective
- 40 Gbit DDoS Attack Defense System and Secure NIC Development
- Advanced Application-Layer DDoS Attack Defense System targeted on Web Services
[Diagram: Internet (attackers, normal users) → 40G DDoS Attack Defense System → Application-Layer DDoS Attack Defense System → Server Farm (web servers with Secure NIC)]
- 40G DDoS Attack Defense System
  - Behavior based attack detection
  - Malicious code detection and management
  - Infected system management
- Complex, advanced DDoS attack defense technology targeted on web services
  - Challenge/behavior based defense
  - Policy based management
- Secure NIC Development
  - Server/host based 2G security offload engine technology
  - Malicious code detection

15 R&D - Cooperative Security Control
Objective
- Automatic Information Exchange & Cooperative Response Framework
- Cyber-Attack Forecast & Alarm Technology
- Auto-Response & Traceback against Cyber-Attack
[Diagram: information exchange entities (antivirus software companies, national CSIRT/CERT/KISC, Internet service providers) performing information exchange & cooperative response against single packet attacks and DDoS attacks]

16 Conclusion
Information Sharing
- Information sharing is the most important factor for effective prevention of and response to incidents.
- For this purpose, we are improving the legal system and developing technology in Korea.
International Cooperation
- Cyber attacks occur across borders.
- Consensus is needed on monitoring, keeping logs, information sharing, and cooperation against cross-border incidents.
Awareness
- It is the most difficult thing, but it is the most important for end-point security.
- We should improve not only the legal framework but also awareness.

Thank you