A Practical Approach to Manage Phishing Incident with URL

A PRACTICAL APPROACH TO MANAGE PHISHING INCIDENT WITH URL FILTERING
Kasom Koth-Arsa, Surachai Chitpinityon, Jullawadee Maneesilp
Kasetsart University, Bangkok, Thailand.
AGENDA
• Introduction
• Objective
• Phishing Management System
• Conclusion
INTRODUCTION
• What is phishing?
• Why is phishing important?
• Who are we concerned about regarding phishing?
WHAT IS PHISHING?
• Phishing is an online form of deception
• Attacker pretends to be someone else
• To obtain sensitive information from the victim
WHY IS PHISHING IMPORTANT?
• A serious threat to Internet usage
• Growing very fast
• Frauds that affect many websites and organizations
• More advanced and complex techniques that convert an organization's websites into seemingly trusted financial websites to gain confidential user information
WHO ARE WE CONCERNED ABOUT REGARDING PHISHING?
• Educational institutions are among the most attacked organizations.
• They organize their network systems by dividing them into many sub-departments.
• This hierarchical structure makes effective management and network-security enforcement challenging.
UNINET
• Largest university network provider in Thailand, run by the Ministry of Education
• 1 Gbps and 10 Gbps links countrywide
• UniNet has 431 member institutes
  - 240 universities
  - 134 vocational schools
  - 57 primary schools
• 100,000 plus users
Phishing becomes a serious problem!
OBJECTIVE
• Developing a phishing management solution that handles the whole anti-phishing process for UniNet
  - Systematic procedure
  - Fast response
  - Tracking, monitoring and collecting phishing information
  - Intelligent URL filtering system to enforce blocking of the specified URL
  - Block only the phishing URL, not the whole site
PHISHING MANAGEMENT SYSTEM
• System Module
  - Account Management
  - Ticket Management
  - Web Filtering
• Interaction Diagram
• Use Case Diagram
• System Configuration
SYSTEM MODULE
[Diagram with the labels: Account Management, Incident Management, Tracker & Reporter, Ticket Management, Account Database, Phishing Database, URL Filtering]
ACCOUNT MANAGEMENT MODULE
• Users must register with our system before reporting a phishing website
• Using the following information:
  - Full name
  - Company
  - E-mail
  - Username
  - Password
  - Identification procedure
TICKET MANAGEMENT MODULE
• Manage phishing events
• Easy to manage and track incidents using ticket status
[Diagram with the labels: Ticket management, Incident management, Tracking & Reporting]
Ticket status:
  - Created
  - Opened
  - Deleted
  - Verified
  - Canceled
  - Blocked
  - Site Take Down
  - Closed
URL FILTERING (WEB SCREEN)
• Phishing system can block/unblock web access to the phishing site through the URL filtering system.
URL Filtering
• TCP Session Hijacking Technique
• Intercept HTTP request
• Inject forged HTTP reply
• Block or redirect access of any given URL
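
An added example (not from the original slides) of the matching step behind "block only the phishing URL, not the whole site": it parses a captured HTTP request, normalizes host and path, and returns a block verdict only for a listed URL. The blocklist entry, the function names and the choice to ignore the query string are assumptions; the reply-injection step is not shown.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed blocklist entry (hypothetical URL, not from the slides).
BLOCKED_URLS = ["http://www.dept.example.ac.th/~user/images/bank/login.php"]

def url_key(host, target):
    """Canonical (host, path) key so trivial spellings of one URL compare equal."""
    if target.lower().startswith("http://"):   # absolute-form request target
        parts = urlsplit(target)
        host, target = parts.netloc, parts.path
    host = host.strip().lower()
    if host.endswith(":80"):                   # default port is the same site
        host = host[:-3]
    host = host.rstrip(".")
    # Assumption: the query string is ignored, so one entry covers every
    # parameter variant of the same phishing page.
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return host, posixpath.normpath("/" + path.lstrip("/"))

BLOCKED = {url_key(u.netloc, u.path) for u in map(urlsplit, BLOCKED_URLS)}

def parse_request(payload):
    """Return (host, target) from a captured HTTP request, or None if unparsable."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return host, request_line[1]

def verdict(payload):
    """'block' only for a listed URL; everything else on the site passes."""
    req = parse_request(payload)
    if req is None:
        return "pass"   # not HTTP we understand: the engine injects nothing
    return "block" if url_key(*req) in BLOCKED else "pass"

def sample_request(target, host="www.dept.example.ac.th"):
    """Build a constructed sample request for the demonstration."""
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")
```

Normalizing before lookup is what keeps a per-URL block from being sidestepped by percent-encoding, `./` segments or an explicit `:80`, while other pages on the same host remain reachable.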
PASS-BY URL FILTERING
[Diagram with the labels: Client, Gateway, Internet, Filtering Engine]
• Ease of installation (no traffic interruption)
• Non-blocking traffic stream
• No single point of failure
• Scalable
• Traffic is captured and passed by without queuing
• Zero delay, independent of traffic volume
TCP SESSION HIJACKING
[Diagram with the labels: Client, Filtering, Server, "Faked FIN by Filtering Engine", "Packet will be ignored"]
INTERACTION DIAGRAM
Participants: Company, UniNet Administrator, Web Filtering Engine, University Administrator
• Report a phishing URL (open a ticket)
• Verify URL
• Block the phishing URL
• The ticket is set to canceled
• Inform the corresponding university administrator to investigate the incident
• Server investigation/cleaning
• Inform that the server is already clean
• Re-verify the URL
• Cancel the blocking of the URL
• Close the ticket, inform both parties
USE CASE DIAGRAM
[Diagram with the actors: University Administrator, Company, UniNet Administrator; use cases: Create ticket, Change ticket status, View ticket, Notify incident cleared, Create Account, Manage Account, Block/unblock URL]
SYSTEM CONFIGURATION
[Diagram with the labels: UniNet Network, Backbone, Gateway, Internet, SPAN, management, Phishing Management, Phishing Filtering Engine; link speeds 10G and 1G]
USER TICKET TRACKING SCREENSHOT
CONCLUSION
• The Phishing Management System is now in initial deployment on the UniNet infrastructure
  - Enables UniNet to respond quicker to phishing incidents
  - Enables statistics logging that helps UniNet anticipate future problems and improve network security
  - Designed to handle a 10 Gbps network (needs some more hardware to complete)
THANK YOU.