Computer Security Incident Response in China
Shuang Zhu, Susan; Xing Li
CERNET Center, Tsinghua University
Network Abuse BoF, 30 Aug, 2001
Outline
• Computer Security Concerns in China
  • Public Concerns
  • Government Concerns
• Active Organizations
• CERNET & CCERT
  • CCERT Services
  • CCERT Experience
China Internet Overview
• General Info about China Internet Development
  • Internet Computers: ~10.02 M
    • 16% via direct connection
    • 84% via dial-up connection
  • Internet Users: ~26.50 M
    • 17% via direct connection
    • 68% via dial-up connection
    • 15% via direct & dial-up connection
  • Web Sites: 243,000
Source: “China Internet Development Report”, Jul 2001
Public Security Concerns
• Have you ever received spam? Yes: 63%, No: 37%
• Was your computer intruded upon last year? Yes: 47%, No: 43%, Unknown: 10%
• What kind of security measures are often taken (multiple answers)? Virus prevention: 75%, Firewall: 68%, Password encryption: 37%, Digital signature: 7%, Not sure, handled by sysadmin: 7%, Nothing: 4%
• How often do you change the password of your email accounts? Once a month: 9%, Every 3~6 months: 21%, Every 6 months~1 year: 20%, Never: 50%
Source: “China Internet Development Report”, Jul 2001
Government Concerns: Administrative Regulations Enacted by the State Council
• “Computer Information System Security Protection By-laws”, State Council Regulation No. 147, enacted on 18 Feb, 1994
• “Interim Regulation & its Measures about International Connection Administration of Computer Information Network”, State Council Regulation No. 195, enacted on 20 May & 8 Dec, 1997
Government Concerns: Administrative Regulations Enacted by Related Ministries
• Ministry of Information Industry
  • “ChinaNET International Connection Policy”, 1996
  • “Internet Information Services Policy”, 1996
• Ministry of Public Security
  • Regulation No. 33 – Internet Connection Security Protection Policy for Computer Information Network, 30 Dec, 1997
  • Regulation No. 51 – Computer Virus Prevention and Control Policy, 26 Apr, 2000
  • Announcement to Put Internet Systems on Record
• State Council Press Office
  • Interim Policy for Web Sites that Provide News Publication Services, 7 Nov, 2000
Government Concerns: Major Points related to Network Abuse
• Internet users must abide by state laws and administrative regulations, and cannot abuse the Internet to engage in illegal activities, e.g. compromising state security, leaking state secrets, or creating, reading, copying and spreading illegal information that can disturb social order/security:
  • Illegally entering computer networks or using computer network resources
  • Deleting, modifying or adding the functions of computer networks
  • Deleting, modifying or adding the data or application programs stored, processed or transmitted in computer networks
  • Intentionally creating or spreading destructive programs such as computer viruses
  • Other behaviours that compromise computer network security
• ISPs have the responsibility to educate their customers to abide by computer security laws and regulations
• ISPs must record user info such as connection time, account, IP address/domain name and keep it for 60 days; when necessary, they must assist the related state offices in legal checks.
Active Organizations
• China's emergency response infrastructure is currently being built up:
  • CCERT, the first computer security incident response team in China, founded in May 1999
  • NJCERT, the first regional CSIRT in CERNET, founded in Oct 1999
  • ChinaNet Security Team
  • PLA, Ministry of Public Security
  • Security rescue companies
  • CNCERT - China Computer Emergency Response Team Coordination Center, founded by the Security Administration Center of MII in Mar 2000
CERNET Briefs
CERNET - China Education and Research Network
• was established in 1994 and is managed by the Ministry of Education; serves the academic community in China
• is now the 2nd largest of the 10 national NSPs; connects 800+ universities and academic institutes in 180+ cities in all 31 provinces in mainland China and serves 7.6+ million end users
• all 31 provinces in mainland China have high-speed connectivity [OC3~OC48]
CERNET Structure (diagram): Backbone → Regional → Provincial → Campus networks
CCERT
CERNET Computer Emergency Response Team
• Established in May 1999
• The first CSIRT in China
• Funded by the CERNET center
• Mainly serves the .EDU.CN community
• About 10 staff
CCERT Organization Structure (diagram): CCERT/CC is linked to international IRTs/SIRTs and FIRST, to CNCERT/CC and to other IRTs; below it are regional IRTs (R-IRT, e.g. NJCERT), provincial IRTs (P-IRT) and campus IRTs (C-IRT), serving CERNET users and other networks.
CCERT Goals
• To provide incident response services
• To build up an information release and technical support platform for incident response
• To provide decision support services
• To promote information exchange and cooperation with regional/provincial/campus networks and other CSIRTs
CCERT Services
• Mainly serves CERNET members, and also handles incident reports from some other networks
• Currently provides services in:
  • Incident response to intrusion, spam/email-bomb, port-scan, DoS, virus, …
  • Security advisories to system administrators
  • Releasing security information and resources
    • Anti-spam and anti-portscan announcements; virus warnings
    • System patches and security tools
  • Research in network security: security management, IDS, security architecture, PKI
Incident Reports in 2 months (22 Jun ~ 21 Aug, 2001)
• Spam/Email bomb: 738 cases
• Scan & Attack: 197 cases
• Viruses/Worms
  • 3 cases of virus
  • 275 cases of CodeRed & CR II worm
Some of the cases were not related to CERNET, but we received complaints, so we try to provide “best effort” service.
Common Scenarios
• Open relay spam in mail systems
  • About 90% of reports are related to spam emails
    • Outside complaints
    • Domestic reports
  • Improper configuration and open relay to third parties
  • Harm:
    • Traffic theft (peculation) and cost increases
    • The Internet connection of the mail server was totally blocked by upstream providers
    • Compromises state/social security
  • Solutions: CCERT set up an anti-spam group to handle it
    • To do open relay checks
    • To reconfigure and upgrade the mail system
    • To block the spamming relayers
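The open relay check the anti-spam group performs, as an added example that is not from the slides or CCERT's own tooling: it speaks the SMTP envelope to a server you administer using the methods of Python's smtplib.SMTP; FakeSMTP is a constructed offline stand-in so the block runs without a network, and the probe sender/recipient domains are assumed placeholders foreign to the server under test.

```python
import smtplib

class FakeSMTP:
    """Constructed offline stand-in with the smtplib.SMTP methods used below;
    `relays` decides whether it accepts mail for outside recipients."""
    def __init__(self, relays):
        self.relays = relays
    def ehlo(self):
        return 250, b"mx.example.net"
    def mail(self, sender):
        return 250, b"2.1.0 Ok"
    def rcpt(self, recipient):
        if self.relays:
            return 250, b"2.1.5 Ok"              # relay accepted: misconfigured
        return 554, b"5.7.1 Relay access denied"  # what a correct MTA answers
    def rset(self):
        return 250, b"2.0.0 Ok"
    def quit(self):
        return 221, b"2.0.0 Bye"

def relay_check(conn, sender="relaytest@example.net", recipient="relaytest@example.org"):
    """True if the server relays from a foreign sender to a foreign recipient.
    Neither domain is local to the server under test, so a correctly configured
    MTA must refuse at RCPT TO with a 5xx reply."""
    code, _ = conn.ehlo()
    if code != 250:
        raise RuntimeError("EHLO rejected with %d" % code)
    code, _ = conn.mail(sender)
    accepted = False
    if code == 250:
        code, _ = conn.rcpt(recipient)
        accepted = code in (250, 251)   # 251 "will forward" is a relay too
    conn.rset()                         # no DATA is ever sent; the probe ends here
    conn.quit()
    return accepted

def check_own_server(host, port=25, timeout=10):
    """Run the probe against a mail server you administer (needs the network)."""
    return relay_check(smtplib.SMTP(host, port, timeout=timeout))

if __name__ == "__main__":
    for relays in (True, False):
        print("open relay" if relay_check(FakeSMTP(relays)) else "relay denied")
```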
Common Scenarios
• Port scan, the sign of an intrusion attempt
  • Popular service discovery: ftp, telnet, ssh, smtp, pop/imap, sunrpc, netbios, klogind, socks
  • System vulnerabilities, like Satan
• Intrusions
  • Most of the intrusions make use of well-known system vulnerabilities:
    • Solaris rpc.statd, rpc.ttdbserver
    • Linux imapd, wu_ftp
    • FreeBSD pop3d
    • Win2k Terminal Server
  • Many of them were reported from outside, and even their administrators were unaware of them.
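Detection logic for the service-discovery scans described above, as an added example (not from the slides): it flags a source that touches several distinct ports on one host within a short window, while a host that repeatedly uses one service is left alone. The log line format and the sample lines are constructed; the ports probed match the services the slide lists.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log format (assumption): timestamp, src, dst, dport.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(\S+) dst=(\S+) dport=(\d+)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def find_scanners(lines, window_s=60, min_ports=5):
    """Return {src: [ports]} for sources touching >= min_ports distinct ports on
    one destination within window_s seconds; repeated hits on a single port
    (normal mail or web traffic) never count as a scan."""
    events = defaultdict(list)            # (src, dst) -> [(ts, port)]
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    scanners = {}
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):   # sliding window starting at each event
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

SAMPLE_LOG = [  # constructed: 10.1.2.3 sweeps ftp/ssh/telnet/smtp/sunrpc/imap; 10.9.9.9 only mails
    "2001-08-20 10:00:01 src=10.1.2.3 dst=192.0.2.10 dport=21",
    "2001-08-20 10:00:02 src=10.1.2.3 dst=192.0.2.10 dport=22",
    "2001-08-20 10:00:02 src=10.1.2.3 dst=192.0.2.10 dport=23",
    "2001-08-20 10:00:03 src=10.9.9.9 dst=192.0.2.10 dport=25",
    "2001-08-20 10:00:04 src=10.1.2.3 dst=192.0.2.10 dport=25",
    "2001-08-20 10:00:05 src=10.1.2.3 dst=192.0.2.10 dport=111",
    "2001-08-20 10:00:09 src=10.9.9.9 dst=192.0.2.10 dport=25",
    "2001-08-20 10:00:12 src=10.1.2.3 dst=192.0.2.10 dport=143",
    "2001-08-20 10:00:40 src=10.9.9.9 dst=192.0.2.10 dport=110",
]

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(src, "scanned ports", ports)
```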
Common Scenarios
• DoS attack
  • land, teardrop; SYN flood; ICMP: smurf
  • Router: remote reset, UDP port 7
  • Windows: ports 135, 137, 139 (OOB), terminal server
  • Solaris/Linux
• DDoS
  • The target is to destroy the availability of the system and network
  • Common tools: Trin00, TFN/TFN2K, Stacheldraht
  • Difficult to prevent
  • IP spoofing, traffic encryption, difficult to track
Common Scenarios: DDoS Attack & Prevention
• The 2 stages:
  • The 1st stage – control a lot of hosts: get control of many systems through vulnerabilities, and install DDoS agents
  • The 2nd stage – initiate the attack: send numerous TCP/UDP/ICMP packets to the target system to exhaust its bandwidth resources so that it cannot respond to requests normally
• DDoS prevention
  • All systems in the network must be configured properly so as not to become a source of DDoS
  • Router/firewall config: filter IP-spoofed packets
  • Detection tools: find_ddosv31, ddos_scan, rid
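The "filter IP-spoofed packets" router rule from the prevention list, worked through as an added example (not from the slides): a model of ingress filtering on customer-facing and upstream interfaces plus egress filtering towards the upstream, so that a compromised campus host running a DDoS agent cannot emit packets with forged sources. The topology, interface names and prefixes are constructed (documentation address ranges).

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): prefixes announced by this network and the
# source prefixes that may legitimately arrive on each customer-facing interface.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
CUSTOMER_IFACES = {
    "eth1": [ip_network("192.0.2.0/25")],                                   # campus A
    "eth2": [ip_network("192.0.2.128/25"), ip_network("198.51.100.0/24")],  # campus B
}
UPSTREAM_IFACE = "eth0"
# Sources that are never valid on the wire (private, loopback, unspecified).
BOGONS = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12",
                                   "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def ingress_verdict(iface, src):
    """Decide whether a packet with source `src` arriving on `iface` may enter.
    Customer links accept only their own assigned prefixes; the upstream link
    drops packets that claim to come from inside our own network."""
    a = ip_address(src)
    if any(a in n for n in BOGONS):
        return "drop: bogon source"
    if iface == UPSTREAM_IFACE:
        if any(a in n for n in OUR_PREFIXES):
            return "drop: our own prefix arriving from upstream"
        return "accept"
    allowed = CUSTOMER_IFACES.get(iface)
    if allowed is None:
        return "drop: unknown interface"
    if any(a in n for n in allowed):
        return "accept"
    return "drop: source not assigned to this interface"

def egress_verdict(src):
    """Egress filter towards the upstream: only our own prefixes may leave."""
    a = ip_address(src)
    if any(a in n for n in OUR_PREFIXES):
        return "accept"
    return "drop: spoofed source leaving network"

if __name__ == "__main__":
    for iface, src in (("eth1", "192.0.2.7"), ("eth1", "192.0.2.200"),
                       ("eth0", "192.0.2.7"), ("eth0", "203.0.113.9")):
        print(iface, src, "->", ingress_verdict(iface, src))
```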
Common Scenarios Summary
• Need an explicit security management strategy
• Vendor’s distribution is rarely current
• Default configuration is insecure: not patched and running unnecessary services
• More than 99% of intrusions can be prevented by proper system configuration
• Multiple services are running on the same system: DNS/Mail/Web/FTP
• Passwords are too simple on public servers
• Auditing is not enabled, or the sysadmin never checks the audit logs
• No backup: very difficult to recover after an intrusion
Case Study: Campaign against CodeRed II
• The first incident report was received on 1 Aug, 2001
• A Code Red alert was also received from APNIC in Aug
• In terms of damage, CR II is by far the worst computer worm to affect mainland China; it caused many traffic jams, rapidly spread into all backbone networks in China, and infected more than 10,000 systems in 20+ provinces
• A special team was immediately established in CCERT to deal with the CodeRed II issue:
  • built up an accurate contact info database and emergency response teams at 4 levels within a very short period
  • issued 2 advisory announcements and alerts: patch info, countermeasures, latest infection status and successful cases of killing “Code Red”
  • 7x24 hot-line support
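How a response team builds the list of infected hosts to notify, as an added example (not from the slides or CCERT's tooling): Code Red probes IIS with a GET for /default.ida? followed by a long run of one filler character, N for the original Code Red and X for Code Red II, so any web server's access log identifies the infected sources even when the server itself is not IIS. The Apache common-log sample lines and addresses are constructed, and the filler is shortened from the several hundred characters of a real probe.

```python
import re
from collections import Counter

# Apache common log format (constructed sample below); the request is the quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Code Red family probe: /default.ida? plus a run of one filler character,
# N for the original Code Red, X for Code Red II.
IDA_RE = re.compile(r"^/default\.ida\?([NX])\1{8,}")

def classify(path):
    """Return the worm variant a request path belongs to, or None."""
    m = IDA_RE.match(path)
    if not m:
        return None
    return "CodeRed II" if m.group(1) == "X" else "CodeRed I"

def infected_sources(lines):
    """Map each client IP that sent a Code Red probe to {variant: count}.
    A non-IIS server answers these with 404 and is not harmed, but each source
    is almost certainly an infected IIS host whose administrator should be
    contacted; that is the list an incident team works from."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, _method, path, _status = m.groups()
        variant = classify(path)
        if variant:
            hits.setdefault(src, Counter())[variant] += 1
    return hits

FILL_X = "X" * 40   # real probes carry a fill of several hundred characters
FILL_N = "N" * 40
SAMPLE_LOG = [  # constructed log lines with documentation-range addresses
    '192.0.2.77 - - [04/Aug/2001:10:12:01 +0800] "GET /default.ida?%s%%u9090%%u6858 HTTP/1.0" 404 0' % FILL_X,
    '203.0.113.9 - - [04/Aug/2001:10:12:05 +0800] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.5 - - [04/Aug/2001:10:13:40 +0800] "GET /default.ida?%s%%u9090%%u6858 HTTP/1.0" 404 0' % FILL_N,
    '192.0.2.77 - - [04/Aug/2001:10:15:22 +0800] "GET /default.ida?%s%%u9090%%u6858 HTTP/1.0" 404 0' % FILL_X,
]

if __name__ == "__main__":
    for src, counts in infected_sources(SAMPLE_LOG).items():
        print(src, dict(counts))
```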
Case Study: Campaign against CodeRed II
• Things are getting better now
  • Most system administrators came to know about this issue, and are conscious of self-protection
  • The number of systems infected with CR II decreased very quickly
  • Gained much experience in emergency response
CCERT’s Experience in Incident Response
• Set up security-related infrastructure
  • Contact info database
    • IP address / RP mapping
    • In both Chinese and English
  • Vulnerabilities database
    • Conforms to CVE
    • Vulnerability description
    • In both Chinese and English
  • Support service platform
    • Effective and automatic incident handling
    • Incident response tracking
CCERT’s Experience: Security Related Infrastructure
About accurate contact info:
• The CERNIC whois database plans to add an “abuse-c” attribute to the inetnum object to specify the accurate responsible contact for network abuse.
• Suggestions to the APNIC database:
  • Add a similar mandatory attribute for network abuse handling to the inetnum object, well known to the security-interested community
  • Accept NIC handles of members, at least large members who have set up a VL whois database; a local database can be administratively more accurate and up to date.
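The IP address / responsible-contact mapping from the contact info database above, and the proposed abuse-c attribute, worked through as an added example (not from the slides or CERNIC's database): a minimal parser for RPSL-style inetnum objects that picks the most specific range covering an address and returns its abuse-c handle, falling back to tech-c and admin-c. The whois objects, handles and netnames are constructed, and the fallback order is an assumption.

```python
from ipaddress import ip_address
# Constructed whois objects in RPSL style; the abuse-c attribute on inetnum is what
# the slide proposes, and handles, netnames and addresses are invented placeholders.
WHOIS_DB = """\
inetnum:  192.0.2.0 - 192.0.2.255
netname:  EXAMPLE-PROVINCIAL
admin-c:  PA1-EX
tech-c:   PT1-EX

inetnum:  192.0.2.128 - 192.0.2.191
netname:  EXAMPLE-CAMPUS
admin-c:  CA1-EX
tech-c:   CT1-EX
abuse-c:  CCERT1-EX
"""

def parse_objects(text):
    """Whois text -> list of attribute dicts; objects are blank-line separated."""
    objs, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if not line.strip():
            if cur:
                objs.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    return objs

def abuse_contact(ip, objs):
    """(netname, handle, attribute) from the most specific inetnum covering ip:
    abuse-c if present, else tech-c, else admin-c (assumed fallback order).
    Returns None when no object covers the address."""
    a, best = ip_address(ip), None
    for o in objs:
        lo, _, hi = o["inetnum"].partition("-")
        lo, hi = ip_address(lo.strip()), ip_address(hi.strip())
        if lo <= a <= hi and (best is None or int(hi) - int(lo) < best[0]):
            best = (int(hi) - int(lo), o)     # smaller range = more specific
    if best is None:
        return None
    o = best[1]
    for attr in ("abuse-c", "tech-c", "admin-c"):
        if attr in o:
            return o["netname"], o[attr], attr
    return o["netname"], None, None

if __name__ == "__main__":
    for ip in ("192.0.2.130", "192.0.2.5", "198.51.100.1"):
        print(ip, "->", abuse_contact(ip, parse_objects(WHOIS_DB)))
```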
CCERT’s Experience (cont)
• Technical support
  • CERNET has both a production and an experimental network, so various security experiments can be done
  • Security-related national key research projects undertaken by CERNET: network management; network security; secure router; high-speed IP network security monitoring system - traffic analysis and coordinated distributed intrusion detection; …
• Controllable network infrastructure
  • Routing, DNS, NMS, mail systems
  • Centralized control – the CERNET backbone has extended to all provincial nodes
CCERT’s Experience (cont)
• Cooperation and coordination
  • Cooperate with each other and do not become a relay of attacks
  • Emergency response services require the coordination and cooperation of the whole Internet community
• Education services
  • Users should be conscious of self-protection and realize that everyone is responsible for computer security; the security of the whole network relies on the security consciousness of all users and the popularization of security technologies.
CERNET & CCERT will serve
• More than 320M users from 10,000 universities and schools in 300+ cities in mainland China
• For more information:
  • CERNET: http://www.edu.cn/
  • CCERT: http://www.ccert.edu.cn/