Jay Seo, KISA, Success Story of KR DDoS Attack Countermeasure by KISA
Upload: department-of-broadband-communications-and-the-digital-economy
Posted on 26-Nov-2014

DESCRIPTION
Slides from the KANZ Broadband Summit. Visit www.dbcde.gov.au/kanz2011 for more information.

TRANSCRIPT
Definition of DDoS attack in Korea

Why do many DDoS attacks happen?
- To make money
- As an attacker, it is easy to get zombie PCs
- Difficulty in meting out punishment because the C&C is in a foreign country

Process of DDoS countermeasures in Korea
- Contact and analyze zombie PCs
- Collect and analyze malicious codes
- Find and block C&C
- Block using situation notifications
- Report
- Log collection
- Detect IP addresses of zombie PCs

Overview
Problems
Limits of DDoS Countermeasure

Normal Users
- Do not understand that their computers are zombie PCs
- Difficult to detect zombie PCs before they carry out malicious actions

ISPs
- DDoS attack in some parts of big networks
- Difficult to respond to small-scale, targeted and detailed attacks

Web Sites
- Difficult to secure enough resources for DDoS defense
- Recent attacks use both big-scale traffic and precise attack skills

Countermeasures

User PCs
- Use an anti-virus program and keep the PC updated to prevent it from becoming a zombie

ISPs
- Block spoofed and mass garbage traffic

Web Sites
- Close cooperation with ISPs while ensuring secure development
Limits of DDoS Countermeasure

User PCs

Use DNS sinkhole to block zombie PCs (2005~)
- Average number of zombie IPs based on the KISA sinkhole:

  Year                    Average number of zombie IPs
  2009                    41,603
  2010                    70,487
  2011 (January – March)  34,653

Provide services for automatic security updates for PCs (2006~)

Establish online remediation system (2010~)
- For DDoS countermeasures to work, zombie PCs have to be removed
- Selective remediation of zombie PCs among PCs using the internet
  * Only 1,192 (70%) can cover internet users in Korea
  * Plan to continuously increase the targets
DDoS Countermeasures by KISA

DNS Sinkhole

Before applying DNS sinkhole
1. Bot ordering: the malicious bot on an infected system requests the IP address of the controlling server from the ISP DNS server
2. Bot ordering: the ISP DNS server transfers the IP address of the controlling server
3. Ordering of the malicious bot: the infected systems contact the controlling server (the malicious hacker's bot ordering/controlling server)
4. The controlling server delivers malicious orders

After applying DNS sinkhole
1. Bot ordering: the malicious bot on an infected system requests the IP address of the controlling server from the ISP DNS server
2. The ISP DNS server transfers the IP address of the KISA sinkhole server instead
3. Contact with the hacker's controlling server is blocked, so malicious orders cannot be delivered
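The sinkhole flow above and the "average number of zombie IPs based on KISA sinkhole" statistic, as an added example that is not KISA's or any ISP's code: a resolver that applies a sinkhole policy for known C&C domains, and a count of the distinct source IPs that reach the sinkhole per day. The domains, addresses and query log are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address

SINKHOLE_IP = "192.0.2.53"  # stands for the "Sinkhole server of KISA"; constructed TEST-NET address
# Malicious (C&C) domains KISA shares with ISPs, and the ISP DNS server's normal answers; constructed
MALICIOUS_DOMAINS = {"cnc.example", "update-bot.example"}
ZONE = {"cnc.example": "198.51.100.7", "update-bot.example": "198.51.100.9",
        "news.example": "203.0.113.10"}

def resolve(qname, sinkhole_enabled):
    """Step 2 on the slide: the ISP DNS server returns the controlling server's
    address, or the sinkhole address once the sinkhole policy is applied."""
    name = qname.rstrip(".").lower()
    if sinkhole_enabled and name in MALICIOUS_DOMAINS:
        return SINKHOLE_IP
    return ZONE.get(name)

def run_bots(queries, sinkhole_enabled):
    """queries: (day, bot_ip, domain) tuples, i.e. step 1 (request of the controlling
    server's IP). Returns the address each bot would contact and, per day, the set of
    source IPs seen at the sinkhole. With the sinkhole applied, steps 3-4 never happen:
    the bot reaches the sinkhole, which only records the source IP."""
    contacted = []
    zombies_by_day = defaultdict(set)
    for day, bot_ip, domain in queries:
        dst = resolve(domain, sinkhole_enabled)
        contacted.append(dst)
        if dst == SINKHOLE_IP:
            zombies_by_day[day].add(str(ip_address(bot_ip)))  # also validates the IP
    return contacted, zombies_by_day

def average_zombie_ips(zombies_by_day):
    """The slide's 'average number of zombie IPs based on KISA sinkhole':
    mean of daily distinct source IPs observed at the sinkhole."""
    if not zombies_by_day:
        return 0.0
    return sum(len(ips) for ips in zombies_by_day.values()) / len(zombies_by_day)

# Constructed sample of bot DNS requests over two days
SAMPLE_QUERIES = [
    ("2011-01-03", "10.0.0.5", "cnc.example"),
    ("2011-01-03", "10.0.0.5", "cnc.example"),        # same zombie, counted once
    ("2011-01-03", "10.0.1.9", "update-bot.example"),
    ("2011-01-04", "10.0.2.2", "cnc.example"),
    ("2011-01-04", "10.0.3.8", "news.example"),       # benign query, never sinkholed
]

if __name__ == "__main__":
    _, by_day = run_bots(SAMPLE_QUERIES, sinkhole_enabled=True)
    print({d: sorted(ips) for d, ips in by_day.items()}, average_zombie_ips(by_day))
```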
Introduction of DDoS Countermeasure System

Online remediation system for zombie PCs
① Get an attack log (IP) (by ISP)
② Classify IP addresses (KISA → each communication service provider ISP) and transfer the IPs (by communication with each service provider ISP)
③ Identify the users using the infected IPs
④ Notify the users of the infected PCs and provide vaccines (pop-up window)
⑤ Cure with exclusive vaccines
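Steps ① and ② of the remediation flow above, as an added example that is not KISA's or any ISP's code: parse an attack log into distinct source IPs and split them by the ISP whose prefix contains each address, so that each ISP receives only its own subscribers for steps ③ to ⑤. The ISP prefixes and the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Which address blocks belong to which ISP; constructed sample (in practice from allocation data)
ISP_PREFIXES = {
    "ISP-A": [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.11.0.0/16")],
    "ISP-B": [ipaddress.ip_network("10.20.0.0/15")],
}

# Constructed attack log as an ISP might hand it over (step ①): "<time> <src_ip> <bytes>"
ATTACK_LOG = """\
2011-03-01T10:00:01 10.10.4.21 48000
2011-03-01T10:00:01 10.20.9.3 51000
2011-03-01T10:00:02 10.10.4.21 47000
2011-03-01T10:00:02 not-an-ip 0
2011-03-01T10:00:03 10.99.1.1 50000
"""

def parse_attack_log(text):
    """Step ①: collect the distinct source IPs from the log; malformed lines are skipped,
    since the log is untrusted input that must not break the pipeline."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ips.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return ips

def classify_by_isp(ips, prefixes=ISP_PREFIXES):
    """Step ②: KISA groups the IPs by the ISP whose prefix contains them, so each ISP
    only receives its own subscribers' addresses for steps ③-⑤. Addresses that match no
    known prefix are kept under 'unassigned' for review rather than silently dropped."""
    buckets = defaultdict(list)
    for ip in sorted(ips):
        owner = next((isp for isp, nets in prefixes.items() if any(ip in n for n in nets)),
                     "unassigned")
        buckets[owner].append(str(ip))
    return dict(buckets)

if __name__ == "__main__":
    print(classify_by_isp(parse_attack_log(ATTACK_LOG)))
```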
Using situation notifications to block C&C
- Web Sites: a DDoS attack occurs (excessive traffic, access disorder); the attacked company notifies KISC
- ISPs: block the C&C using situation notifications
- Statistics of blocking, warning and/or reinforcing monitoring by situation notifications

[Chart: statistics per year by attack capacity (Total, less than 1G, less than 5G, less than 10G, exceeding 10G)]
DDoS Countermeasure System in Korea

[Chart: number of defenses by attack capacity (less than 1G, 1G~10G, 10G~20G, exceeding 20G), before applying shelter (2010 first half year) and after applying shelter (2010 second half year)]

Introduction of DDoS Countermeasure System

DDoS cyber shelter
Success Factors of DDoS Countermeasures

As a result of operating a cooperative defense system covering PCs, networks and services, a cooperative relationship between the government and internet service providers was established

KISA: Detect and analyze malicious codes, and share information
ISPs: Reinforce a network of sharing information

KISA: Establish and operate DNS sinkhole
ISPs: Apply DNS sinkhole and share information on malicious domains

KISA: Issue situation notifications to block malicious domains
ISPs: Apply to ISP backbone network

KISA: Search zombie PCs and inform business owners
ISPs: Inform users using zombie PCs that their PCs are infected and ask them to take proper measures
Success Factors of DDoS Countermeasures

Joint investment of business owners and the government

System of online remediation
KISA: Establishing a system informing that zombie PCs exist
ISPs: Establishing an authentication system identifying the actual users of infected IPs
Success Factors of DDoS Countermeasures

What to consider?
- Detailed services that cannot be provided by business owners are partially guaranteed by the government
- Provide defense services that do not affect the range of civil businesses
- Analogy: there are health centers providing general services throughout the country even though large hospitals are present
Future Plans

Since DDoS attacks on DNS targets are increasing, countermeasures are required
- If the worldwide root DNS servers are attacked, internet services can be paralyzed

Increase of user awareness
- Personal security has to be reinforced to prevent PCs from becoming zombies