AVAR 2004, 25-26, Nov. 2004 Network Security in Korea Joongsup CHOI KISC/KrCERT Contents I. Positive Aspects of Internet II. Negative Aspects of Internet III. Big BANG, Triggering Point IV. KISC’s Role V. Hand-on Experience -2- I. Positive Aspects of Internet Network & Connectivity Src. : www.caida.org AS Path Length Graph `Yearly' Graph (1 Day Average) Max avg. length 5.0 Average avg. length 4.0 Max max. length 33.0 Average max. length 29.0 Src. : http://www.cymru.com/BGP/asnpalen01.html -3- Current avg. length 5.0 Current max. length 30.0 I. Positive Aspects of Internet Application Change Client/Server Type Pure Distributed Type Peer Server Peer Peer Peer Client Client Peer Client Peer Peer Src. : www.boardwatch.com -4- I. Positive Aspects of Internet Volume Size of Internet Items Internet Users % in Global ’00-’04 CAGR No. of IPv4 Broadband Users (K) Pop. (K) China Japan Korea World 87,000K 77,300K 30,000K 785,710K 10.1% 9.8% 3.7% Others: 76.4% 253.3% 37.1% 53.5% 118.9% 47,584K 112,587 K 31,504K 4,300M 17,700 13,150 11,500 N/A 1,327,976 127,944 47,136 6,453,311 Src.: www.internetstats.com & etc. -5- I. Positive Aspects of Internet Korea Internet Infrastructure Internet 70+ ISPs 11+ Million High Speed Internet 86,000+ Leased Line -6- I. Negative Aspects of Internet Worldwide Malicious Codes Yr. Worm Virus RAT 1991 16 1,000 15 1992 17 2,600 20 1993 17 4,000 21 1994 17 5,900 21 30,000 1995 18 8,000 23 20,000 1996 22 15,000 27 10,000 1997 24 16,500 104 1998 127 24,000 443 1999 165 30,000 1,679 2000 271 49,000 4,754 2001 1,102 60,000 9,742 2002 1,978 ? 13,085 2003 2,488 ? 14,432 -7- Worm Virus RAT 60,000 55,000 50,000 45,000 40,000 35,000 25,000 15,000 5,000 0 03 20 02 20 01 20 00 20 99 19 98 19 97 19 96 19 95 19 94 19 93 19 92 19 91 19 Src. : www.pestpetrol.com Mal. Code (Worm, Virus, Trojan/RAT) RAT: [Remote Administration Tool] is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the Victim's machine. II. Negative Aspects of Internet Vulnerability Points among Internet IOS/JuNOS Hijacking, Conf. Error KRNET ISP1 ISP2 Dial-Up D/UModem Peering ISP3 ISP ISP4 ISP5 ISP N B-O/F CPE BGP4 Foreign International Internet ISP …. …. Cable Modem Splitter GigaPOPCATV Head End Gateway CM DSLAM BIND DNS Mail Router SendMail DBMS SQL Web Mail L/L Video RP Web 2W HDSLRT 4W GigaPOP FTP Server Farm Home ONU GigaPOP ISP Network Home WLL Apache/ IIS -8- Explorer MS : Patch !! II. Negative Aspects of Internet Incidents depending on OS Windows Incidents are increasing now and malicious traffic are overwhelming …. Linux 11.3% Solaris 1.8% Linux 3.7% etc. 0.8% Windows NT/X P/2000 44.8% Windows 95/98 41.3% Solaris etc. 0.2% 0.1% Windows 95/98 33.5% Windows NT/X P/2000 62.6% 2003 2002 Src. : www.krcert.org -9- III. Big Bang - Triggering Point Slammer Worm (’03.1/25) Some Parts of Slammer Source Code PSEUDO_RAND_SEND: mov eax, [ebp-4Ch] lea ecx, [eax+eax*2] lea edx, [eax+ecx*4] shl edx, 4 add edx, eax shl edx, 8 sub edx, eax lea eax, [eax+edx*4] add eax, ebx mov [ebp-4Ch], eax [Worldwide Phenomena] Too fast to Response : Warhol Too many impacted Server Too wide-spread to co-ordinate Too many re-tries to connect → Most Effective WORM ! Src: www.internetpulse.net -10- III. Big Bang - Triggering Point Lessons from Slammer Worm Gov. :Law Enforcement & Sec. Awareness PR Agency : On-Line Surveillance System ISP : Network Security Investment & Enhancement Secure Internet Home: Up-to-date Patch Corp.: Security Awareness & CERT SW Vender : More Secure SW and Application -11- III. Big Bang - Triggering Point What Korean Government Have Done Law Enforcement : 2004. 1 .29, Rev. 2004.7.30 Security Inspection (ISP, IDC, Main Portal..) Information Sharing Obligation with KISC Emergency Response to Block Malicious Port # Launching KISC : 2003. 12. 17 24h X 7d Operation 5 min. Information Analysis (Traffic, port, incidents) Korea Internet Security Coordination (KrCERT/CC) Security Awareness : 2003 – 2004 Security Inspection for the SME ( Free of Charge ) Incidents Handling Manual for PC, ISP, IDC, Corp. Monthly Information Security Campaign -12- IV. KISC’s Role National Cyber-Security Framework Public Sector Gov. Agencies NIS SPPO Private Sector ISPs,AV, MSSP Incident Reports & Case Study Information Sharing Info. Sharing System Co-Work Technology & Information NPA Public Sectors : *NIS : National Information Service *SPPO : Supreme Public Prosecutors’ Office *NPA : National Police Agency Private Sectors : *ISP : KT, DACOM, Hanaro .. MSSP : Coconut.. AV : Ahnlab, Hauri -13- IV. KISC’s Role KISC’s Task and Job Flow Detect Major ISPs & MSSP Analysis Propagation ISP Hot Liners ISP/ESM Mail Remote Agent IDS/Firewall KISC FAX Private Sectors Vul. Foreign Ptn SMS Notice Mail Web. Home Users S/W,H/W Mess enger Analysis AV/Vaccine Detect KISC Recovery User -14- Propa gation Press & TV/Radio TRS IV. KISC’s Role KISC’s Today & Tomorrow OSS Unix/Linux Vul Ctr. For Ststem Vul. Net/ Vul Maker Sec. Info. Exchange Net/ Vul Foreign Organization BackUp Windows Vul. US, Jp.Cn CERT Nat’l Cyber Help Desk Patch Info. www.krcert.org Foreign Agency Global co-work APEC,Global VC HoneyNet VC 1 VC 2 IDC/SO/IDC Telecom ISAC Domestic Agency Virus/Attack Sample Bank/Stock ISAC Security ASP I S Ps Cororate. -15- Home Users Hacker/Intruder V. Hand-on Experience Phishing Scam Reported by : foreign CERTs or victim organizations, Response with ISPs Major Victim : US-Bank, City Bank, Bank of America, Brazilian Bank ITAU etc 35 35 No. of Incidents reported to KISC 30 25 24 20 22 15 10 5 0 6 5 2 Jan 2 Feb 0 Mar Apr May -16- Jun July Aug V. Hand-on Experience Anti-SPAM Activities Procedure : Reported by Users or ISP(Mail Service Providers) Countermeasure : On-site Inspection and Criminal Inspection with Prosecutors ⑥SPAM Users Mail Server Over Load DNS Server 과부하 Abettor ⑤ SPAMMing ④ Mail Server DNS Query ① Zombie Server ③ Lists Update , ② Malicious Code Instal Spammer Compromised PCs -17- V. Hand-on Experience Sec. Awareness and Support Security Awareness Activity 1). Security Education for : Security Divide Sector ( SME, PC Plaza, Users etc. ) 2). Publishing Cyber Security Manuals (Manual + CDs ) Individual User, Corporate Network Operator ISP, IDC, PC-Plaza Operator Encouraging to establish CERT Operation of CONCERT ( CONsortium of CERT : 228 in Korea ) On-Site Security Inspection for the SME ( ~ 2004 ) Target : 1,000 SME with Security Divide Sectors Inspection and Training ( Free of Charge ) -18- V. Q&A For any further information Please contact: Choi, Joongsup : jschoi@kisa.or.kr Thanks ! -19-