Enhancing National Cyber Emergency Response Capabilities: A Study
Explore the practices of CERT in building national computer network emergency response capabilities, key challenges, cooperation efforts, and successful case studies from various cyber incidents.
Presentation Transcript
The Practices of CERT -- Building National Computer Network Emergency Response Capability
Mingqi CHEN, CNCERT/CC
APCERT, 2005-1-28, APAN Bangkok
Asia-Pacific
• APCERT (Asia Pacific Computer Emergency Response Team):
• 15 Full Members now, including:
• CNCERT/CC, AusCERT, JPCERT/CC
• KrCERT/CC, IDCERT, MyCERT, PH-CERT, SingCERT, ThaiCERT, BKIS – Vietnam, SecurityMap Net CERT – Korea
• CCERT, TWCERT, TW-CIRC, HK-CERT
• LaosCERT is applying
• WWW.APCERT.ORG / mailing list
• CIIP is one of the hottest topics in APCERT now
Europe
• European Government CERT: EGC
• Comprised of the Government CERTs from UK, France, Germany, Finland, Sweden, Netherlands
• TF-CSIRT: cooperation organization with a focus on research issues
• IODEF
• TRANSITS
America
• Inter-American CSIRT Watch and Warning Network (framework adopted April 2004)
• Establish CSIRTs in each of the Member States;
• Identify national points of contact in each State;
• Establish protocols and procedures for the exchange of information;
• Rapidly disseminate notice of such attacks throughout the region;
• Provide rapid regional notice of general vulnerabilities in the system;
• Provide regional warning of suspicious activities, and develop the cooperation needed for analysis and diagnosis of such activities;
• Provide information on measures for remedying or mitigating attacks and threats;
• Strengthen technical cooperation and training in computer security aimed at establishing national CSIRTs; etc.
• 23 countries participated, making up national POCs that operate 24x7
CNCERT/CC
• Established in 2000
• Became a full member of FIRST in 2002
• At APSIRC 2002, initiated APCERT with AusCERT and JPCERT/CC
• At APSIRC 2003, was nominated and elected as a Steering Committee member of APCERT
• In 2004, built up 31 branches across the country
How Does CNCERT/CC Act?
• As an exchange center of information
• From the national network security monitoring platform
• From public incident warnings and reports
• Sets up reliable and expeditious communication channels to all domestic and international CERTs
• Directs all the regional branches to work together
• Cooperates closely with Internet carriers
• As a security technology research center
• Provides the most trusted data to government and society
Cases and Experiences (1)
• 2001: CodeRed/Nimda worms
• Cooperated with all backbone carriers
• 2003: SQL Slammer worm
• Monitoring platform & emergency response systems
• 2003: Deloader worm
• Spread without exploiting a vulnerability
• Collecting & remote controlling of infected hosts
• 2003: MsBlaster/Nachi & 2004: Lsass worm
• Cooperated with the IT industry
• Challenges of large-scale DDoS
Cases and Experiences (2)
• 2004: Witty worm
• Attacking prepared users
• 2004: Phishing
• Involving multiple parties
• Cooperation between domestic law enforcement & CSIRTs or CCs of other nations
• Dec. 2004 & Jan. 2005: BotNets
• More than 300,000 hosts infected by different bots
• Important source of DDoS/SPAM/Phishing/Worms
• Eradication is a long-term procedure
Projects
• IODEF
• Triangle group with JPCERT/CC and KrCERT/CC
• Internal group with quite a few CSIRTs and ISPs in China
• IHS
• 863-917 NetSec monitoring system
Monitoring system
• Gather information in time:
• Abnormal traffic
• Severe attacking behaviors (DDoS, etc.)
• Misuse situations, etc.
• To:
• Get early warning capability
• Judge the effectiveness of the control methods
• A lot of countries or areas are doing this
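The monitoring slide above and the IODEF item on the Projects slide together describe the chain a national CSIRT runs: detect abnormal traffic early, then hand the finding to peer CSIRTs in a common format. The Python below is an added example, not code from these slides or from any CNCERT/CC or APCERT system. It applies two simple thresholds to constructed flow records (a fan-in check for a DDoS flood and a fan-out check for a scanning worm, the two traffic patterns the case slides recount) and serializes the result as a minimal IODEF document using RFC 5070 element names, then parses it back the way a receiving team would. The addresses, thresholds, incident id, timestamp and the `cert.org.cn` reporter label are illustrative assumptions.

```python
"""Detection-to-report chain for a national CSIRT monitoring platform.

Added example; not code from the CNCERT/CC slides or any CNCERT/CC system.
Flow records, addresses, thresholds, incident id and timestamp are constructed.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace
ET.register_namespace("", IODEF_NS)             # serialize as the default namespace


def q(tag):
    """Qualify an IODEF element name with its namespace."""
    return f"{{{IODEF_NS}}}{tag}"


def constructed_flows():
    """Constructed one-second flow summary: (src, dst, dst_port, packets)."""
    flows = [(f"198.51.100.{i}", "10.0.0.10", 80, 20) for i in range(1, 6)]   # normal web traffic
    flows += [(f"203.0.113.{i}", "10.0.0.5", 80, 400) for i in range(1, 81)]  # 80 sources flood one host
    flows += [("192.0.2.77", f"10.0.1.{i}", 1434, 1) for i in range(1, 151)]   # one host scans 150 on one port
    return flows


def detect_anomalies(flows, fanin_threshold=50, fanout_threshold=100):
    """Flag a destination hit by many distinct sources (DDoS) and a source
    touching many distinct destinations on one port (worm scan).
    Thresholds are assumptions; a real platform tunes them per link."""
    sources_per_dst = defaultdict(set)
    packets_per_dst = defaultdict(int)
    targets_per_src_port = defaultdict(set)
    for src, dst, port, pkts in flows:
        sources_per_dst[dst].add(src)
        packets_per_dst[dst] += pkts
        targets_per_src_port[(src, port)].add(dst)
    alerts = []
    for dst, srcs in sources_per_dst.items():
        if len(srcs) >= fanin_threshold:
            alerts.append({"kind": "ddos", "target": dst,
                           "sources": sorted(srcs), "packets": packets_per_dst[dst]})
    for (src, port), dsts in targets_per_src_port.items():
        if len(dsts) >= fanout_threshold:
            alerts.append({"kind": "scan", "source": src, "port": port,
                           "targets": sorted(dsts)})
    return alerts


def iodef_report(alert, reporter="cert.org.cn", incident_id="2005-0001",
                 report_time="2005-01-28T10:00:00+08:00"):
    """Serialize one alert as a minimal IODEF-Document (RFC 5070 element names)."""
    doc = ET.Element(q("IODEF-Document"), version="1.00", lang="en")
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    ET.SubElement(inc, q("IncidentID"), name=reporter).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time
    assessment = ET.SubElement(inc, q("Assessment"))
    if alert["kind"] == "ddos":
        ET.SubElement(assessment, q("Impact"), type="dos", completion="succeeded")
        sources, targets = alert["sources"], [alert["target"]]
    else:
        ET.SubElement(assessment, q("Impact"), type="recon", completion="succeeded")
        sources, targets = [alert["source"]], alert["targets"]
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    for category, addrs in (("source", sources), ("target", targets)):
        system = ET.SubElement(flow, q("System"), category=category)
        for addr in addrs:
            node = ET.SubElement(system, q("Node"))
            ET.SubElement(node, q("Address"), category="ipv4-addr").text = addr
    return ET.tostring(doc, encoding="unicode")


def parse_iodef(xml_text):
    """What the receiving CSIRT extracts: id, reporter, impact type, hosts."""
    inc = ET.fromstring(xml_text).find(q("Incident"))
    hosts = {"source": [], "target": []}
    for system in inc.iter(q("System")):
        hosts[system.get("category")] += [a.text for a in system.iter(q("Address"))]
    return {"id": inc.findtext(q("IncidentID")),
            "reporter": inc.find(q("IncidentID")).get("name"),
            "impact": inc.find(q("Assessment")).find(q("Impact")).get("type"),
            "sources": hosts["source"], "targets": hosts["target"]}


if __name__ == "__main__":
    for alert in detect_anomalies(constructed_flows()):
        received = parse_iodef(iodef_report(alert))
        print(alert["kind"], received["impact"],
              len(received["sources"]), "->", len(received["targets"]))
```

The two thresholds stand in for the "abnormal traffic" judgement; on a real backbone feed they would be baselines per link and per service rather than fixed counts, and the same detector run before and after a carrier applies a filter is how the slide's "judge the effectiveness of the control methods" is measured. The IODEF document carries only what a peer team needs to act: who reported, what kind of impact, and which hosts are sources and targets.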
THANK YOU www.cert.org.cn cmq@cert.org.cn