System and Policy in Korea on cyber attacks (Capacity Development Workshop on Public Information Management, 2011.11.28, Jeong Min, Lee, KISA)

Page 1: System and Policy in Korea on cyber attacks

Capacity Development Workshop on Public Information Management

System and Policy in Korea on cyber attacks
2011.11.28, Jeong Min, Lee
KISA

Page 2: Contents

• Korea Cyber Security Framework
• DDoS Response System
  – Security Monitoring Center
  – Detection Tools
  – DNS Sinkhole
  – Cyber Cure System for Infected PCs
  – DDoS Cyber Shelter
• DDoS Response Case:
  – 3.4 DDoS in 2011

Page 3: Korea Cyber Security Framework

Page 4: Cyber Crisis Response Framework

Organization chart labels, top to bottom:

President
National Center for Crisis Management

Ministry of National Defense
  Defense Security Command
    Military Area / each unit

Korea Communications Commission
  KrCERT/CC
    Critical Infrastructures in Private Sector

National Intelligence Service
  KNCERT/CC
    Critical Infrastructures in Government/Public Sector

Page 5: Security Cooperation Framework

Page 6: Distributed Denial of Service Attack

Page 7: DDoS Attack Response

Page 8: Security Monitoring Center

Page 9: (figure only, no text extracted)

Page 10: DDoS Nation Wide Anti-DDoS System

Diagram labels:
  IX (Internet eXchange): Backbone Router, IX Router
  A ISP / B ISP, each with a DDoS Detection system
  IDC, Internet Biz company, Internet Service Providers, etc. (behind each ISP)
  Legitimate Traffic / Normal Traffic: Connected
  DDoS Attack Traffic: Block or Detour

Page 11: Detection Tools: Malicious code analysis (Utilize HoneyNet)

Page 12: Web Hacking Malicious Code Detection (MC-Finder)

Diagram labels: Web Service Provider; All Domains registered in Korea (1.8 million); Malicious Code Finding System (MC-Finder); Staff on duty; ISP (KT, T Broad, SK Broadband); Malicious URL (Dissemination Route); KISA

1. Update detection rule
2. Check hidden malicious URL in website
3. Request to block foreign malicious URL
4. Request to remove malicious URL
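The slide only names the MC-Finder steps. As an added example (not KISA's MC-Finder code, and not from the original deck), the following Python scanner shows what step 2 looks like in practice: it walks a page's HTML, flags iframe and script sources that are hidden by zero size or CSS, matches their hosts against a detection rule (a blocklist, step 1), and routes each finding either to an ISP block request or a removal request (steps 3 and 4). The blocklist, the sample HTML and the ".kr suffix means domestic" routing rule are all constructed assumptions; a real deployment would use KISA's rule feed and proper location data.

```python
"""Scanner for hidden malicious URLs in a web page, illustrating step 2 of the
MC-Finder workflow (check a site against an updated detection rule) and the routing
of findings in steps 3 and 4.  Added example, not KISA's MC-Finder code; the
blocklist, HTML and routing rule below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "detection rule": hosts known to spread malicious code (step 1).
# Placeholder names, not real indicators.
BLOCKLIST = {"malware-dist.example", "bad-cdn.example.net"}

# Constructed page: a visible partner iframe, a 0x0 iframe to a blocklisted host,
# a script inside a display:none container, and a normal first-party script.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1><br>
<iframe src="http://partner.example.com/banner" width="300" height="100"></iframe>
<iframe src="http://malware-dist.example/x.html" width="0" height="0"></iframe>
<div style="display: none"><script src="http://bad-cdn.example.net/a.js"></script></div>
<script src="/static/app.js"></script>
</body></html>"""


class HiddenUrlScanner(HTMLParser):
    """Records iframe/script sources that are hidden or point at blocklisted hosts."""

    def __init__(self, blocklist):
        super().__init__()
        self.blocklist = blocklist
        self.findings = []   # (url, reasons) pairs
        self._open = []      # (tag, hidden_by_css) for tags currently open

    def _hidden_depth(self):
        return sum(1 for _tag, hidden in self._open if hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden_css = "display:none" in style or "visibility:hidden" in style
        self._open.append((tag, hidden_css))
        src = a.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        reasons = []
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            reasons.append("zero-size iframe")
        if self._hidden_depth():
            reasons.append("hidden by CSS")
        if urlparse(src).hostname in self.blocklist:
            reasons.append("host on blocklist")
        if reasons:
            self.findings.append((src, reasons))

    def handle_endtag(self, tag):
        # Close the innermost matching tag; anything opened after it (e.g. void
        # elements such as <br> that never close) is dropped together with it.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                return


def scan(html, blocklist=BLOCKLIST):
    """Return [(url, [reasons...]), ...] for suspicious iframe/script sources."""
    scanner = HiddenUrlScanner(blocklist)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def route(url):
    """Steps 3/4: foreign hosts -> block request to the ISP; Korean hosts -> removal
    request to the web service provider.  Using the .kr suffix as the domestic test
    is an assumption of this example, standing in for real location data."""
    host = (urlparse(url).hostname or "").lower()
    return "request_removal" if host.endswith(".kr") else "request_isp_block"


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_HTML):
        print(f"{url}: {', '.join(reasons)} -> {route(url)}")
```

Run against the constructed page, the visible partner iframe and the first-party script are ignored, while the zero-size iframe and the CSS-hidden script are reported with both the hiding technique and the blocklist hit, so an operator on duty can see why a URL was flagged before sending the block or removal request.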

Page 13: DNS Sinkhole: Block BotNet

Page 14: Cyber Cure System for Infected PCs

Diagram labels: Zombie PC; Target website; DDoS attack; ISP (x3); Cyber cure system; "Stop! Cure zombie PC"; Download dedicated vaccine

1. Collect infected PC IP
2. Operate cyber cure system
3. Popup window for notification
4. Dedicated vaccine
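The DNS Sinkhole slide (Page 13) and step 1 of the Cyber Cure System are two ends of one pipeline: a resolver answers bot C&C lookups with a sinkhole address, and the sinkhole's query log identifies which client IPs are infected so their ISP can push the notification and vaccine. The Python below is an added example of that pipeline, not KISA's code and not from the deck; it models the sinkhole as a policy function rather than a real resolver zone configuration, and the C&C domains, ISP prefix table and query log are constructed from documentation address ranges.

```python
"""DNS sinkhole answer policy with infected-PC collection: redirect bot C&C lookups
to a sinkhole address ('DNS Sinkhole: Block BotNet') and turn the sinkhole query log
into per-ISP lists of infected PC IPs (step 1 of the Cyber Cure System).  Added
example, not KISA code; the C&C domains, ISP prefixes and query log are constructed."""
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "192.0.2.10"  # constructed sinkhole address (TEST-NET-1)

# Constructed C&C domain list; in practice this is the list pushed to ISP resolvers.
CNC_DOMAINS = {"cnc1.botnet.example", "update.badbot.example"}

# Constructed ISP-to-prefix table used to group infected IPs for notification (step 2).
ISP_PREFIXES = {
    "ISP-A": ipaddress.ip_network("198.51.100.0/24"),
    "ISP-B": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed resolver query log: timestamp, client IP, queried name.
QUERY_LOG = """\
2011-03-04T10:00:01 198.51.100.23 www.example.com
2011-03-04T10:00:02 198.51.100.23 cnc1.botnet.example
2011-03-04T10:00:03 203.0.113.7 a.update.badbot.example
2011-03-04T10:00:04 203.0.113.9 mail.example.org
2011-03-04T10:00:05 198.51.100.23 cnc1.botnet.example.
"""


def sinkhole_answer(qname, cnc_domains=CNC_DOMAINS):
    """Return (answer_ip, matched_domain) if qname or one of its parent domains is a
    C&C domain, else (None, None) meaning 'resolve normally'."""
    labels = qname.rstrip(".").lower().split(".")
    # Walk from the full name up through its parents, never matching the bare TLD.
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in cnc_domains:
            return SINKHOLE_IP, parent
    return None, None


def isp_for(ip):
    """Map a client IP to the ISP whose prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ISP_PREFIXES.items():
        if addr in net:
            return name
    return "unknown"


def collect_infected(log_text):
    """Step 1 of the Cyber Cure System: every client that looked up a sinkholed C&C
    name is a candidate zombie PC; group the IPs by ISP for the cure notification."""
    infected = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if sinkhole_answer(qname)[0] is not None:
            infected[isp_for(client)].add(client)
    return {isp: sorted(ips) for isp, ips in sorted(infected.items())}


if __name__ == "__main__":
    for isp, ips in collect_infected(QUERY_LOG).items():
        print(f"{isp}: notify {len(ips)} infected PC(s): {', '.join(ips)}")
```

Matching parent domains matters because bots often query generated subdomains of a fixed C&C zone; matching only exact names would miss them. The same client appearing twice collapses into one notification, which is the behaviour the ISP-side popup (step 3) needs.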

Page 15: DDoS Cyber Shelter

Page 16: Case Study: Success Story of KR DDoS attack countermeasure by KISA

Page 17: Overview of 3.4 DDoS (1)

• 2011.3.4 ~ 3.15 (about 10 days)
• Attack Target: 40 institutions
  – 24 Government and Public institutions
  – 9 Financial institutions
  – 7 Portal & Shopping Mall

Page 18: March and July DDoS attacks are Similar

Classification               Mar 4th    July 7th
# of Zombie PCs              116,299    115,044
# of Target websites         40         36
# of Blocked C&C Servers     748        538
# of Destroyed HDDs          756        1,466

Page 19: March DDoS Method is more Intelligent and destructive than July

• The 3.4 DDoS attack attempted only to disturb the system network, with very high technology, so this attack is deemed a test-type prior attack for checking Korea's state of defense.
  – (Dmitri Alperovitch, vice president of McAfee, DongA Ilbo interview dated July 9, 2011)

Page 20: Depending on the response, the attack is continuing to change

KISA Response                                  Change in Attack Method
Vaccine distribution via www.boho.or.kr        Block zombie PC's access to www.boho.or.kr
Effective defense against DDoS Attack          Destroy HDD just after the infection
Hard disk damage prevention guideline          HDD is destroyed even at safe mode booting

Page 21: Nationwide Cyber Security Alert System

Page 22: DDoS Nation Wide Anti-DDoS System (same diagram as Page 10)

Page 23: DDoS Cyber Shelter (same slide as Page 15)

Page 24: Cyber Cure System for Infected PCs (same diagram as Page 14)

Page 25: Q&A

[email protected]

Page 26: THANK YOU!