
Experience with DDoS



Presentation Transcript

  1. Experience with DDoS 2010. 5. Jeong, Hyun-Cheol

  2. Contents
     1. DDoS Attacks in Korea
     2. Countermeasures against DDoS Attacks in Korea
     3. Conclusion

  3. DDoS Attacks in Korea
     • DDoS Attack Trends
     • 7.7 DDoS Attack and Lessons

  4. Status of the IP Network in Korea
     • Population of S. Korea: 49 M
     • 1st domain: 1.8 M
       - .kr: 1 M
       - gTLD (.com, .net, …): 0.8 M
     • Hosts: 8.7 M
     • ISPs: 154
     • IDCs: 60
     • VoIP users: 7.1 M
     • Mobile phone users: 46 M
     • High-speed Internet users: 15.7 M
     • IPTV users: 1 M
     • Internet users: 36 M
     (1 M = 1,000,000)

  5. DDoS Attacks in Korea - Status & Trends
     • The first DDoS attack occurred in 2006
     • Increase in target systems
       - Small websites → major websites (banks, portals, …)
     • Increase in ransom DDoS
     • Increase in application-layer DDoS attacks (above 50%)
       - HTTP GET flooding, Slowloris, SIP flooding
       - Network bandwidth consumption → system resource consumption
     • Application-layer DDoS attacks are hard to detect and block
       - Because each zombie PC generates only a small amount of traffic, legacy security solutions have a hard time detecting it
     [Chart: DDoS targets by year, 2006 to 2009, on a risk axis: chat and gambling sites; on-line game sites; bank, shopping and game sites; portals and public sites. Shift from DNS / private-IP-targeted DDoS to web-server-targeted DDoS]
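The slide's last point, that a per-zombie view sees almost nothing, is what makes application-layer floods hard for per-source thresholds. The detector below is an added example, not code from the presentation or from KISA: it parses Common Log Format access-log lines and aggregates GET requests per URL per fixed time window, alerting when one URL receives an unusual request volume from many distinct sources even though every source stays under the per-IP limit. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 10.0.1.7 - - [07/Jul/2009:18:00:03 +0900] "GET /index.html HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one CLF access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"), "path": m.group("path")}


def detect_get_flood(lines, window_s=10, per_ip_limit=20, url_limit=200, min_sources=50):
    """
    Bucket GET requests into fixed windows of window_s seconds and, per (window, path),
    count total requests and distinct source IPs.  Alert when one path receives more
    than url_limit requests from at least min_sources distinct sources in a window.
    The alert records the busiest single source so the reader can see whether a
    legacy per-IP threshold (per_ip_limit) would have fired at all.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (window, path) -> {ip: count}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        win = int(rec["ts"].timestamp()) // window_s
        buckets[(win, rec["path"])][rec["ip"]] += 1

    alerts = []
    for (win, path), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        busiest = max(per_ip.values())
        if total > url_limit and len(per_ip) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(win * window_s, tz=timezone.utc),
                "path": path,
                "requests": total,
                "sources": len(per_ip),
                "busiest_source_requests": busiest,
                "per_ip_rule_would_fire": busiest > per_ip_limit,
            })
    return alerts


def build_sample_log():
    """Constructed access log (not real data): light normal browsing plus a distributed
    GET flood in which 150 bot IPs each send only 4 requests for /index.html in 10 s."""
    tz = timezone(timedelta(hours=9))
    t0 = datetime(2009, 7, 7, 18, 0, 0, tzinfo=tz)

    def fmt(ts):
        return ts.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    # five normal users, each fetching four pages spread over ~50 seconds
    for i in range(5):
        for k, path in enumerate(["/", "/news", "/login", "/index.html"]):
            ts = t0 + timedelta(seconds=15 * k + i)
            lines.append(f'192.0.2.{i + 1} - - [{fmt(ts)}] "GET {path} HTTP/1.1" 200 {1024 * (k + 1)}')
    # flood: 150 constructed bot addresses, 4 GETs each, all inside one 10 s window
    flood_start = t0 + timedelta(seconds=30)
    for b in range(150):
        ip = f"10.0.{b}.{(b * 7) % 250 + 1}"
        for k in range(4):
            ts = flood_start + timedelta(seconds=(b + k) % 10)
            lines.append(f'{ip} - - [{fmt(ts)}] "GET /index.html HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    for alert in detect_get_flood(build_sample_log()):
        print(alert)
```

With the constructed log, the only alert is for /index.html: 600 requests from 150 sources, the busiest source sending 4 requests, so a per-IP rule at 20 requests per window would never fire. In production the same aggregation would run per URL over a sliding window with baselines learned from normal traffic rather than fixed constants.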

  6. 7.7 DDoS Attack (1/3)
     • Attack time: every day at 6 p.m., July 6, 2009 ~ July 9, 2009
     • Attack targets: 22 Korean sites, 14 U.S. sites
       - Korean sites: the Blue House, National Assembly, major portal and banking sites, …
     • Estimated damage: 3,300 ~ 4,950 million dollars (source: Hyundai Research Institute)
     [Timeline: 1st day attack, 6 PM, July 7; 2nd day attack, 6 PM, July 8; 3rd day attack, 6 PM, July 9; hard disks destroyed after the DDoS, 0 AM, July 10]

  7. 7.7 DDoS Attack (2/3) - Characteristics
     • Very large-scale and organized attack
       - Zombies were infected through a famous Korean "web hard" (file-hosting) site that had been exploited
       - Many zombie PCs (about 115,000) were used in the attack
       - Many servers (about 400) were used to control the zombies
     • Premeditated and intelligent attack
       - The 6 PM attack start time was coded into the malware (logic bomb)
       - The zombies' hard disks were destroyed after the DDoS → erasing the attack evidence
     • We could not learn who the attacker was or what their intention was

  8. 7.7 DDoS Attack (3/3) - Lessons
     More attention to endpoint security
     • In Korea, DDoS defense was primarily focused on network security, such as blocking C&C channels and filtering traffic
       - But the 7.7 DDoS attack rarely used a C&C server
     • We should pay more attention to endpoint security!
       - But it is not easy
     [Diagram: C&C → zombie PCs. Network defense, e.g. blocking the C&C channel, filtering the DDoS traffic; endpoint defense, e.g. detection/removal of malicious code from zombie PCs]
     Expand information sharing
     • Information sharing between government and the private sector
       - Cooperation between government, ISPs, anti-virus vendors, and DDoS victims
       - Sharing of malicious code samples, attack logs, and analysis results
     • Cross-border information sharing
       - The US was also attacked 2 days before the 7.7 DDoS (2009/7/5)
       - Zombies and servers used in the 7.7 DDoS were distributed across about 60 countries
     Need for a control tower
     • A control tower is needed for an effective national response to a large-scale attack

  9. Countermeasures against DDoS Attacks in Korea
     • Operation of a DNS sinkhole server
     • Improvement of the legal framework
     • Development of technologies

  10. Operation of DNS Sinkhole Server
      Before DNS sinkhole operation:
        ① Bot-infected PCs send a C&C DNS query to the ISP DNS server
        ② The ISP DNS server returns the C&C IP address
        ③ The bots connect to the C&C
        ④ The botmaster sends a command
        ⑤ DDoS attack on the target sites
      After DNS sinkhole operation:
        ① Bot-infected PCs send a C&C DNS query to the ISP DNS server
        ② The ISP DNS server returns the sinkhole IP address
        ③ The bots connect to the KISA sinkhole server, which records the bot-infected PCs' information; the bots are out of the botmaster's control
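The two flows on the slide can be modelled in a few dozen lines. The following is an added example, not KISA's or any ISP's code: an ISP resolver consults a C&C domain blocklist and, for a listed name (or any subdomain of it), answers with the sinkhole address instead of the real C&C address; the sinkhole server then records which client addresses connect, which is the "bot infected PC's information" of step ③, and never returns a command. The domain names, addresses and blocklist are constructed for the example.

```python
from collections import defaultdict

SINKHOLE_IP = "198.51.100.10"  # constructed stand-in for the KISA sinkhole address

# Constructed answers the ISP resolver would otherwise return (upstream / authoritative)
UPSTREAM = {
    "cc.example-botnet.test": "203.0.113.7",   # constructed C&C host
    "www.example-bank.test": "203.0.113.80",   # constructed legitimate site
}

# Constructed C&C blocklist pushed to the ISP DNS server
BLOCKLIST = {"cc.example-botnet.test"}


def normalize(name):
    """DNS names are case-insensitive; strip a trailing dot and lower-case them."""
    return name.rstrip(".").lower()


class SinkholeResolver:
    """ISP resolver: listed C&C names (and their subdomains) resolve to the sinkhole."""

    def __init__(self, upstream, blocklist, sinkhole_ip):
        self.upstream = upstream
        self.blocklist = {normalize(n) for n in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.query_log = []  # (client_ip, name, action) for later analysis

    def is_blocked(self, name):
        labels = name.split(".")
        # match the name itself and every parent domain, so update.cc.example-botnet.test is caught
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, qname, client_ip):
        name = normalize(qname)
        if self.is_blocked(name):
            self.query_log.append((client_ip, name, "sinkholed"))
            return self.sinkhole_ip
        self.query_log.append((client_ip, name, "normal"))
        return self.upstream.get(name)  # None models NXDOMAIN


class SinkholeServer:
    """Accepts bot connections, records the source, and never issues commands."""

    def __init__(self, ip):
        self.ip = ip
        self.connections = defaultdict(set)  # C&C name -> set of infected client IPs

    def accept(self, client_ip, hostname):
        self.connections[normalize(hostname)].add(client_ip)
        return None  # no botmaster command is ever relayed

    def infected_hosts(self):
        """Sorted list of every client that tried to reach a sinkholed C&C name."""
        return sorted({ip for ips in self.connections.values() for ip in ips})


def simulate_bot(resolver, sinkhole, bot_ip, cc_name):
    """One bot's start-up: look up its C&C name, then connect to whatever address came back."""
    ip = resolver.resolve(cc_name, bot_ip)
    if ip == sinkhole.ip:
        sinkhole.accept(bot_ip, cc_name)
        return "sinkholed"
    return "reached_cc" if ip else "nxdomain"


if __name__ == "__main__":
    resolver = SinkholeResolver(UPSTREAM, BLOCKLIST, SINKHOLE_IP)
    sinkhole = SinkholeServer(SINKHOLE_IP)
    print(simulate_bot(resolver, sinkhole, "10.0.0.5", "cc.example-botnet.test"))
    print(simulate_bot(resolver, sinkhole, "10.0.0.6", "update.CC.example-botnet.test."))
    print(resolver.resolve("www.example-bank.test", "10.0.0.9"))
    print(sinkhole.infected_hosts())
```

The resolver keeps answering legitimate names normally, so only traffic to listed C&C names is diverted; the sinkhole's `infected_hosts()` list is what an ISP would hand to the cleanup process described on the later slides.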

  11. Zombie PC Prevention Law (Draft)
      Objective
      • Prevent the spread of zombie PCs
        - Strengthen the online security requirements for both individuals and companies
      • Rapid response through information sharing
      Major contents
      • Request improvement of SW vulnerabilities from the SW developer
      • Order the removal of malware from web sites
      • Limit zombie PCs' Internet connection in an emergency
      • Access to zombie PCs for incident analysis
      Issues
      • Excessive, and may compromise liberty in Internet usage
      http://www.koreatimes.co.kr/www/news/biz/2010/04/123_51509.html

  12. R&D - Botnet Detection and Response
      Objective
      • Detect and block botnets abused in various cyber crimes
      • Identify bot C&C and zombie PC lists and monitor their behavior
      Host-based bot detection and response technology (user PC):
        (1) Spybot-based real-time botnet monitoring system
        (2) Bot collecting, detecting and analyzing server
        (3) Host-based botnet traffic filtering agent
      Network-based botnet detection and response technology (ISP):
        (A) Network-behavior-based botnet detection system, fed by a botnet traffic collecting sensor at the router, security appliance, web firewall, spam trap system, web server and DNS server
        (B) Botnet monitoring / response system: receives detection events and botnet information from (A) and distributes response policy/rules (DNS sinkhole, BGP feeding, web firewall rule, …)
      [Diagram: distributed botnet and centralized botnet with command/control server; real-time botnet behavior data flows from the sensors to the botnet monitoring system]

  13. R&D - Automatic Malware Collection/Analysis/Response
      Objective
      • Automation of the life cycle of incident response
        - Malware collection → analysis → blocking traffic → removal of malware from zombies
      [Diagram]
      • Malware propagation methods: system vulnerability, web, spam, IM
      • Malware distributing site → malware auto-collection system and malware distribution site detection system (detecting malicious sites)
      • Malware samples (.exe, .dll, .ppt, .doc, .xls, .pdf, Flash, executable binary code) → malware auto-analysis system
      • Malware spreading prevention and malware management system (prevent malware spread / response):
        - Malware DNA and response signature management
        - Zombie PC Internet access blocking
        - Malware distribution site management
        - Malware classification and history management
      • Malware information is fed back to the malware-infected PC (examples shown: Conficker, Palevo)

  14. R&D - DDoS Attack Detection and Defense
      Objective
      • 40 Gbit DDoS attack defense system and secure NIC development
      • Advanced application-layer DDoS attack defense system targeted at web services
      40G DDoS attack defense system:
        - 40G DDoS attack defense system
        - Behavior-based attack detection
        - Malicious code detection and management
        - Infected system management
      Application-layer DDoS attack defense system (in front of the server farm):
        - Complex, advanced DDoS attack defense technology targeted at web services
        - Challenge/behavior-based defense
        - Policy-based management
      Secure NIC development (server/host):
        - Server/host-based 2G security offload engine technology
        - Malicious code detection
      [Diagram: attackers and normal users on the Internet → 40G DDoS attack defense system → application-layer DDoS attack defense system → server farm / web servers with secure NICs]

  15. R&D - Cooperative Security Control
      Objective
      • Automatic information exchange and cooperative response framework
      • Cyber-attack forecast and alarm technology
      • Auto-response and traceback against cyber-attacks
      [Diagram: information exchange entities (Internet service providers, antivirus software companies, DDoS target sites, national CSIRT/CERT/KISC) perform real-time information exchange and cooperative response: blacklist monitoring, threat/attack analysis, response policy generation and exchange, predicted attack pattern analysis, attack scenario auto-generation, cyber attack forecast/alarm, attack traceback, forged packet detection. Threats shown: hacker, malware, malware distribution site, vulnerable web server, zombie PC, DDoS attack, single packet attack]

  16. Conclusion
      Information sharing
      • Information sharing is the most important factor for successful prevention of and response to incidents
        - For this purpose, we are improving the legal system and developing technology in Korea
      International cooperation
      • Cyber attacks occur across borders
      • Consensus is needed on monitoring, keeping logs, information sharing, and cooperation against cross-border incidents
      Awareness
      • It is the most difficult thing, but it is the most important for end-point security
      • We should improve not only the legal framework but also awareness

  17. Thank you
